help with SSL in standalone WEB app running on a windows box.

Hi Guys,
if I use the certificate found in the examples/web/ssl folder of XOJO my web app will run in SSL with no problems except it is self signed.

If I go to GOGETSSL and download one of the trial SSL certificates then the app is no longer HTTPS.

The only thing which looks different in the .crt file is
-----BEGIN RSA PRIVATE KEY-----


-----END RSA PRIVATE KEY-----

missing in the new file.

I tried 3 different types of certificates all with no luck

One even has 3 entries in the file but they are all the same.

-----BEGIN CERTIFICATE-----
MIIGYzCCBUugAw…
v09tnPBIMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/C…
b7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCC…
pu/xO28QOG8=
-----END CERTIFICATE-----

Even though the contents of each part are different.

Windows 7
XOJO 2017r2.1
Stand alone
Self hosted

Can someone give advice , point me to a link or even tell me a certificate supplier that is plug and play for windows?

I have read that if you have Linux you do this or that and I have tried others all with no luck.

I am posting under WINDOWS even though it is a WEB stand alone application as the certificate problem seems to be specific to it being a windows machine

thanks
damon

Xojo needs a CRT that has the

-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
and

-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
I think other server apps work with 2 files.

If you get a certificate you should get also the key. Just put that key in the .crt file just like Xojo’s example.

Note: This is from reading and not from experience. Hope this helps.

What Alberto said is correct. You must have one file that contains the certificate, intermediate certificates and private key if you set SSL at the application level. I remember reading an informative (must read) note from @Greg O’Lone somewhere on this topic, but i cannot locate it right now.

An alternative is to have SSL offloading at the level of the firewall. This is something that I did with my own. My firewall is PfSense and I use HAProxy as a reverse proxy. The SSL certificate is handled at the level of HAProxy on the firewall, and the app itself does not manage it. To the external world, my application is SSL (and in fact, you cannot reach it from the outside with http, ince I did not create redirection rules), while internally it is not. This is also going to make it easier to scale up and set up load balancing at some point in the future.

They need to be in the following order:
0. Certificate
0. Intermediates
0. Key

More details here:

http://developer.xojo.com/standalone-ssl

The docs say:

[quote]one after another in this order:

  1. Certificate
  2. CABundle
  3. Private Key[/quote]

Yup. Fixed.

Here ya go…

https://blog.xojo.com/2014/01/14/at-long-last-web-standalone-ssl/

HI Guys,

thanks for the links, I have been using them

here is the problem,
when you get the files they arrive named like this

AddTrust_External_CA_Root.crt
COMODO_RSA_Certification_Authority.crt
www_theedicloud_com_au.crt

The third one would logically be the certificate so I cut and paste the contents into a new file

-----BEGIN CERTIFICATE-----
MIIGYzCCBUugAwIBAgIRAOhVLaxz9ph792nIn0FnavUwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTgxMDE3MDAwMDAwWhcNMTkwMTE1MjM1OTU5WjBXMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxETAPBgNVBAsTCEZyZWUgU1NMMR8wHQYD
VQQDExZ3d3cudGhlZWRpY2xvdWQuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAy5OdThCst9Xfhd1vrKiEl0Ip6bTeQ5PJRO5jpRVkhkxxfJ9M
Pn/mnJK14R/Ao1etQr+RrmX/PX895USVPeeEq0B8Luwf0gulII8NzXbVc1Uv3w06
fSBx7279pdh5Gum4n3luZyvPzPbJcFXrTvutxRL9kONGYSeS7Clp/nJk+EI11BHj
qyoJyjWA/EPCi2vT3qw6OnuL7JUz4YXLsfNkGMC4tcdqRJ4mp5xj3S+aNXeet/KZ
6T+qlWL0L5t5nR3IMr5dm3oA6vToBc0LTtQKVDu4dQfOh/K38xYbuOYSBg6MB+xX
tQ45LGUaMCS74YBTq9BRpKIB3XLQurKofruRbQIDAQABo4IC7jCCAuowHwYDVR0j
BBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFNVjGbxxqON2Bffy
q1UhEeN6mjUzMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIH
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGF
BggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2Eu
Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA1BgNVHREELjAs
ghZ3d3cudGhlZWRpY2xvdWQuY29tLmF1ghJ0aGVlZGljbG91ZC5jb20uYXUwggED
BgorBgEEAdZ5AgQCBIH0BIHxAO8AdQDuS723dc5guuFCaR+r4Z5mow9+X7By2IMA
xHuJeqj9ywAAAWaAQNbHAAAEAwBGMEQCIEGoj7esaM4bKbNVKRlocGSBypLt+uoR
qM+d7wJyssxdAiBDwWfXYQambQg+YAemlGKkLjM3jRKpY34jqYI7i60g3wB2AHR+
2oMxrTMQkSGcziVPQnDCv/1eQiAIxjc1eeYQe8xWAAABZoBA1qEAAAQDAEcwRQIh
ALnn8Ex8mIR5KSq+JiqJqjVFTvN/GLszB5a+u3pQn2mbAiAr4M72cNZGYLLgcrYH
SNGK3n0SeTiURDVKx8278KZ6tzANBgkqhkiG9w0BAQsFAAOCAQEAZHHr9MN1M3rj
7HqN78+1Y0oV6TCFZKikIOVTVRqMBFS/pJgWDktC7lkaDvheysOAJanyIPzQlJf0
LnwjasxnDNCZiwxsCWAFzmf6XoE5Q0jHeCMc/6Zs3lQjOBI8aJhhUZ/M4VLbIIzQ
sQnyR1ZtnbFyWWf9JHR209w7CEbKLHiRLmGrBKp++nREbdACnBbNCpZ8bjPAbB3J
FfAkPl5woZ10By9/6Sgm9qMbFGZ9PgEnQ7uWe1pEBWxclVv1DoVPRDTUBdObhsWV
8p5N5Ps0QzgN3MiGOaqHXMMU4rhbgpErKobG/7Td/6EsTKRcN2RQc0D0/KTeOs58
v09tnPBIMQ==
-----END CERTIFICATE-----

This is the actual contents if you want to try it yourself, it comes from GOGETSSL and you can get a free 3 month trial SSL certificate from COMODO

the second file has the letters RSA in it so you would think it is the RSA KEY, so I cut and paste its contents into the same new file

-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----

Once again the actual file contents.

I now change the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to -----BEGIN RSA PRIVATE KEY-----
and -----END RSA PRIVATE KEY----- for the above

I saved the file with the same name as my app but with a .crt extension.

It doesn’t work.

[i]Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.[/i]

the first file contains this information
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----

as you can see all 3 .crt files contain different information however non contain RSA PRIVATE KEY by default.

also in the manual it says
If you try to start with SSL but the certificate is not found or is not readable, the app will display an error and quit.

the app displays no error and runs quite happily for HTTP

i am using
“C:\Users\damon pillinger\Desktop\The EDI Cloud\the edi cloudsa5.exe” --secureport=4083

If I swap the final .crt file with the demo .crt in the XOJO examples/WEB/SSL the HTTPS works like a charm.

I have tried them all in different combinations but they all fail.

I have also tried the RAPIDSSL trial which only has two files but still nothing

Do the SSL certificates in someway relate to the website name or URL? I have looked in the example .crt using KeyStore and there is nothing in there which relates to the app name, but, just a thought, maybe self signed don’t have to relate to a specific URL?

Any ideas?

Thanks
damon

The Key file should show something like this:

-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----

You need the key to make it work (I guess, I don’t have a Xojo standalone webapp, I have cgi app). Yes my server has SSL from Letsencrypt.

Yes, the certificate is related to the domain. I tested my domain certificate on my local computer (created a .crt file from 2 files from the server). I was able to compile the sample app and connect to https but it say:
Your connection is not private
Attackers might be trying to steal your information from localhost (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID

If I select to proceed to localhost anyway I can see the demo app but I get a red Not Secure label (instead of the normal lock). I can see the certificate and the browser say that it is invalid (because it is issued by Let’s Encrypt for mydomainname and not localhost).

I guess that the key maybe is secured on your account and you have to go to a secure area to get the key. At least that’s what I saw with Godaddy when I posted this: https://forum.xojo.com/conversation/post/399854

Ok, so first of all you need to stop posting what you think are keys. Get yourself into the habit of treating them like house keys. If you give them away, anyone can come in and take your stuff and also impersonate you if they wanted.

Looking at that list, none of those files is a key. The first two are intermediates and the last is the public key.

I’m curious, when you signed up for this demo, did they have you run an app on your computer to create a Certificate Signing Request (CSR) or was it an online form?

they are only going to be for testing, I would get a real one once I know it works and how to do it.

but i think I am getting the hang of it after reading more.

ok got it to work I will post a detailed HOW TO under the WEB section.

thanks for all the help guys

I deploy my web apps behind IIS & let IIS do the SSL stuff. Have a look at https://youtu.be/3IoeURqN6Iw .