NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: Sibuya on November 01, 2018, 02:51:34 PM
-
Hi,
I'm using Clarion 8 + NT9.31 and got a Let's Encrypt certificate with 3rd party software, verified by DNS. I'm using dynamic DNS because this is a POC. I didn't touch any DLL or component from NT.
Browsers can access the secure server example based on Example 9 (Always TLS) and open https pages without complaint.
I have a customer that wants his Web site on Wix to send form data to this Clarion server and should be https using node module fetch on Wix side.
The problem is that the fetch command does not have access to the Clarion server, giving a timeout of 14 seconds. Browsers pointing to the dynamic DNS can access it.
I tested with all 4 test tools mentioned in the NT documentation, but Sophos cannot connect to the server and times out, Htbridge's SSLScan says that the server doesn't have SSL/TLS, and SSLLab cannot connect to the server. SSLScan.exe (very old) can identify the certificate and show its information.
Tried disabling the firewall or changing NT configurations without any success.
Please, could anyone give me directions?
Thank you.
Best regards,
Marcos Sibuya
-
what is the URL of your server?
cheers
Bruce
-
Hi Bruce,
It's hosted in my machine pointed by dynamic dns.
I've made some more tests and still have the same problem. Converting the pem files that were generated by Let's Encrypt to .pfx, .crt and .key with a new version of OpenSSL and using the original from NT9.31 gave exactly the same files. Tried to modify the ciphers like:
ThisSecureWebServer.SSLCertificateOptions.CiphersAllowed = 'ALL:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:!RC4:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXPORT'
ThisSecureWebServer.SSLMethod = NET:SSLMethod3TLS
but remains the same.
Let me know when I should bring up my server at https://wcons0.duckdns.org.
Thank you.
Best regards,
Marcos Sibuya
-
Hi Marcos,
If I PING wcons0.duckdns.org from here I get [189.18.53.50].
But there is no web server running at that address (on port 443).
So, like, the Wix site, I can't see your server from here. Is it at that IP address? Is it on port 443?
Have you tried accessing it from outside your network?
cheers
Bruce
-
Hi Bruce,
Sorry, the server is hosted on my machine and it was down. I just ran the server now. I'll try to keep it up until tomorrow.
You could access it with this same URL. As I'm using the Web9 example, you could use http or https; either will redirect to port 443. And the IP is correct at the moment because it is dynamic and is updated automatically.
I'm supposing that if I use wcons0.duckdns.org I'm accessing from outside. Anyway, I've tried to access it from Wix using their Javascript tools, which work if I don't use https. To access it from Wix using http I have to disable https for the whole site.
Thank you.
Best regards,
Marcos
-
hi Marcos,
alas it's off this morning when I tried again... I'll try again tomorrow.
cheers
Bruce
-
Hi Bruce,
I've been playing around with other ports and got confused... Sorry! I forgot that after DNS resolution, if the IP is local, the router does not let it get out and routes locally.
I was looking for more information on the Internet and found that my ISP is blocking many ports, including 80 and 443, just to force us to buy a more expensive plan....
Now I changed the server SSL port to 55155 and some SSL tools could reach and analyze it, like the Comodo analyzer.
Back to Wix, it says that it is unable to verify the first certificate.
Comodo analyzer, Shopper and Digicert say that the certificate is not trusted. But on my machine browsers don't complain.
I downloaded the latest roots.pem from Mozilla and replaced CARoot.pem in the application directory, but it remains the same.
Should I manually add the chain.pem or fullchain.pem generated by Let's Encrypt to CARoot.pem in the application directory, or should I install the intermediary root in the Windows certificate store?
Wix also uses Let's Encrypt certificates for their customers' SSL sites.
Thank you.
Best regards,
Marcos
-
Hi Bruce,
Congratulations on the NT11 launch!
It finally worked!
I had some trouble with my routers and with making Let's Encrypt work with a dynamic IP.
Let's Encrypt manual generation produced .pem files and I converted them to .crt/.key files using OpenSSL, which has some catches. I had to remove some additional information in the .crt and include the intermediate certificate manually, and Bingo!
Now the Comodo, Digicert and Shopper SSL checkers run without errors or vulnerabilities.
Sorry to bother you.
Thank you very much.
Best regards,
Marcos
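The two catches Marcos ran into (extra text in the .crt, missing intermediate) are what a "unable to verify the first certificate" error usually comes down to. As an added example that is not from the thread or from NetTalk, this script strips a certificate file down to its PEM blocks, assembles leaf + intermediate in the order the server must send them, and reports what a file actually contains before it is handed to the server. The sample certificate texts are constructed placeholders, not real certificates; the `openssl x509 -text` layout they imitate is assumed.

```python
import re

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample: a leaf .crt as written by `openssl x509 -text`, i.e. a
# human-readable dump followed by the PEM block. Bodies are placeholders.
LEAF_CRT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O = Let's Encrypt, CN = (placeholder intermediate)
-----BEGIN CERTIFICATE-----
MIIBxLEAFCERTIFICATEBODY
-----END CERTIFICATE-----
"""
# Constructed sample: the intermediate CA certificate (chain.pem).
CHAIN_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBxINTERMEDIATECABODY0\n"
             "-----END CERTIFICATE-----\n")

def extract_pem_blocks(text):
    """Return the PEM blocks in `text`, in order, re-wrapped at 64 columns,
    with everything outside the BEGIN/END markers (the text dump) discarded."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(1).split())      # drop line breaks inside the base64
        if not B64.fullmatch(body) or len(body) % 4:
            raise ValueError("certificate body is not valid base64")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return blocks

def build_fullchain(leaf_text, chain_text):
    """Leaf first, then the intermediate(s): the order a TLS server sends the
    chain in, and what a client like Node's fetch needs to reach a trusted root."""
    leaf = extract_pem_blocks(leaf_text)
    if len(leaf) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaf)}")
    inter = extract_pem_blocks(chain_text)
    if not inter:
        raise ValueError("chain file contains no intermediate certificate")
    return "".join(leaf + inter)

def chain_report(bundle):
    """Sanity check of a certificate file before configuring the server with it."""
    blocks = extract_pem_blocks(bundle)
    return {
        "certs": len(blocks),
        "has_intermediate": len(blocks) >= 2,   # a leaf alone cannot be chained to a root
        "stray_text": PEM_BLOCK.sub("", bundle).strip() != "",
    }
```

Run `chain_report` on the file the server is actually configured with: `stray_text` True means the text dump is still present, and `has_intermediate` False means the chain the server sends stops at the leaf.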