Launching web app with ssl

Grant_A · November 26, 2022, 8:22pm

Hi All

I seem to be unable to get my web app running with ssl.

I have created the app and placed in to a dir with the right permissions with the ssl certificate named the same as my app but with .crt as an extension.

I can double click the .crt file and it open with all the expected information.

When I start the app using a command line specifying the myapp.exe –secureport = 8801 it launches with no problems.

In the ide (2022r3.2) I have set the port to (for example) 8800 and the ssl port to 8801.

I have checked with a scanner and both for the http and the https ports are open.

I can go to my external ip via a device outside my network and access the app using port 8800 with no issues.

If I got to myip:8800 app is accessible.

If I go to myip:8801 browser times out

Unsure where to go for this and hoping someone can come up with some ideas to point me in the right direction.

Thanks in advance

brian_franco · November 26, 2022, 8:35pm

First question is where did you get the ssl cert? did you generate a self signed cert?
What OS are you running on?

Grant_A · November 26, 2022, 9:00pm

I have a certificate downloaded from my provider (ionos) for the domain i have
my OS f is windows 11

thanks

brian_franco · November 26, 2022, 9:35pm

Are you using IIS or Apache or NGINX?
I know I got this working on IIS but won’t be able to check until tomorrow

Wayne_Golding · November 26, 2022, 11:19pm

I would recommend offloading SSL handling to IIS by hosting your app reverse proxied.

Mark_Franzoi · November 27, 2022, 1:36am

Hi Wayne, are there any other reasons/advantages to setting up the IIS and reverse proxy, instead of just letting users access the web app directly, in an intranet environment. Thanks Mark

Grant_A · November 27, 2022, 8:14am

Hi All thanks for the replies, currently I’m set up as per the link below

SSL for web apps — Xojo documentation

I was considering using iis but to me the above seemed a simpler option … if I can get it to work !

MarkusR · November 27, 2022, 10:49am

did you use in browser?
https://127.0.0.1:8801/

at build settings you could add a build step to copy the .crt beside the exe always.

at windows you would use sc command to start/stop/register your exe as service.
at services you can choose for which user account this service runs.
you have to stop the service to replace the exe!

Grant_A · November 27, 2022, 12:15pm

did you use in browser?
https://127.0.0.1:8801/

===yep but same issue

at build settings you could add a build step to copy the .crt beside the exe always.
== yep done

at windows you would use sc command to start/stop/register your exe as service.
== I have been using a command line to launch
C:\pathtomy\myexe.exe --secureport =8201

at services you can choose for which user account this service runs.
you have to stop the service to replace the exe!

thanks

MarkusR · November 27, 2022, 4:03pm

at windows if you start a exe with network access first should pop up a firewall message window where
you can allow the network access.
if you suppress this warning messages, you can enable it or add the port/exe manually to firewall rules.

have you looked with netstat -a that the port is in listening state?

Tim_Parnell · November 27, 2022, 4:14pm

Is your certificate issued to 127.0.0.1? A public CA may not issue valid certs to localhost. (source1 source2)

I would wager the certificate you’ve downloaded from your provider is not for 127.0.0.1. In such a scenario your browser wouldn’t connect to the server because of the certificate mismatch.

You can find more information and workaround suggestions on this StackOverflow answer.

Grant_A · November 27, 2022, 5:49pm

thanks for the info, the more I learn the more it looks to be a certificate issue. I will continue to work at it but at least I know which way to face now.

thanks

brian_franco · November 27, 2022, 6:45pm

@Grant_A

Here is a video by @Wayne_Golding that might help on testing first before trying to launch public

https://www.youtube.com/watch?v=V8U1q1ddR_Y

Grant_A · November 27, 2022, 7:51pm

Hi

removed all previous rules and re checked them

checked netstat and both the ports i’ve set for http and https are shown as listening and the same result with an external port scanner.

thanks

Oliver_Osswald · November 28, 2022, 6:57am

The imho easiest way to get ssl secured xojo webapps up and running is by making use of Lifeboat, by Tim Parnell.

https://strawberrysw.com/lifeboat/

I have 2 linux vps running on Oracle Cloud (free) and Contabo (very good price-performance ratio), which are dedicated to Xojo webservices only.

I use lifeboat to install and update the webapps and to issue free Letsencrypt certificates. Just a few clicks.

Caveat: do not install lifeboat when you already manage your vps with Plesk or HestiaCP or the like, it will break it. We can install Webmin though (but not Virtualmin).

MarkusR · November 28, 2022, 10:14am

is there a invalid certificate i would expect a warning in browser.

Grant_A · November 28, 2022, 12:04pm

Still going on this!

first off, Ive been following the document … SSL for web apps — Xojo documentation

which states … “You cannot set the Secure Port in the Shared Build Settings, so you’ll need to use some command-line parameters to get it to work”

so while i set the ssl port option under the shared settings of the ide i was ignoring it and using the command line to set it as per the document.

However, I have now found out that if I add the command line it closes the ssl port, by removing the command line and setting the ide option the port opens correctly.

if i use my_external_ip: my_http_Port app runs fine

if I use my_external_ip: my_httpS_Port the page immediately comes up with “The connection was reset.” when just using the ide to set the ssl port

if I use my_external_ip: my_httpS_Port the page comes up with “took too long to respond.” when using the command line.

MarcusR – hope that answers your question

Oliver_Osswald – thanks for the sugestion but no using linux

brian_franco --thanks , I’ve also been exploring the use of iis but did not want to it this post to avoid any crossing threads.

Thanks all , I’m trying all suggestions as i’m able

MarkusR · November 28, 2022, 2:25pm

that is odd, so why is the option ssl port there at build properties?

if I use my_external_ip: my_httpS_Port

somehow it should be https://yourdomain:yoursslport
and from outside you allow access through this port via router your pc.

if you use local at the same pc https://127.0.0.1:yoursslport i expect a warning message but sll should be allowed

for my apps i used a port number starting from 1024

Grant_A · November 30, 2022, 10:48am

Hi All

Just to say thanks to you all for the help , all is now resolved as follows

Moved to using Digital Ocean to host but more importantly used Tim Parnell’s Lifeboat which was suggested by Oliver Oswald, in my initial response I though i’d need to know some linux but since trying (and purchasing) Lifeboat and with pointers from Tim have it all working fully and using ssl with no issues

many thanks again to you all