SSL certs for free! (for XOJO Webs too)

Just for everyone to know. Valid SSL certs for free and basically they can be used in XOJO Web Projects too. Let’s encrypt makes this possible. The only one issue so far is that it’s valid for just 3 months. But it can be renewed automatically with the help of a cron job. Here’s a how-to document. I believe this is worth to be spread.

https://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/

1 Like

https://certbot.eff.org will help you set it up on other server configurations too.

@Tim Parnell: Thank you for this link… indeed very comfortable.

And if you manage a vps with plesk (onyx, version 17), then you can add let’s encrypt as an extension and use it to secure all of your domains - including autoupdate.

Otherwise one can easily find detailed tutorials on how to install and auto-update let’s encrypt with apache, haproxy, etc. I am using it since quite some time. Very nice!

When talking about plain websites cloudflare.com might be an free alternative. They offer worldwide CDN services and free certs, too. So if your website is in the media or news, it won’t quit working due DDOS. But they need your DNS and I did not checked XOJO Webs.

I used this “how to” today on Ubuntu to replace a StartSSL cert with a new Let’s Encrypt cert: https://www.vultr.com/docs/setup-lets-encrypt-with-apache-on-ubuntu-16-04.

Normally with anything Linux I expect to have to do a bit of wrangling to make things work, but in this case the whole process was done and dusted in minutes and it auto-configured Apache to use the new cert for my main website and CGI Web app. Really extraordinarily slick!

I’m also using lets-encrypt with my standalone web-app, but I haven’t yet figured out a way to automatically update my .crt file (as described here: http://developer.xojo.com/standalone-ssl) every 3 months. Any pointers?

I swapped over from using Standalone SSL for my Web app to CGI for that very reason. I hadn’t used CGI before, but again, I was surprised at how not-too-painful the process was of getting it running. In my case I had Apache on my server already, so it was mainly a case of using the “a2enmod cgi” command to enable CGI use for Apache (I’m on Ubuntu), copying the Xojo bits and pieces to /usr/lib/cgi-bin/, and adjusting ownership and permissions using info I found at https://forum.xojo.com/16451-common-issues-resulting-in-internal-server-error.

Having said that, if you did want to stick with Standalone SSL, the private key and the other bits and pieces that make up the cert can be found in subdirectories of /etc/letsencrypt (on my system, anyway). The file extension is .pem, but they’re just plain text files, so you could probably create a shell script to concatenate them together into a .crt file. Then you could tweak the cron job that renews the cert every few months and get it to run the shell script immediately after the renewed cert is in place.

There’s a “letsencrypt-auto certonly” option, which obtains the certificate but doesn’t go on to configure Apache or whatever, so that might be the one to use if you wanted to go down that route.

this were exactly my thoughts on this. I’ll check this out in the next couple of days. Actually I am in favor of moving from CGI to Standalone again because some of my webapps are not stable. They just stop working without reason, not reproduceable.

I see that occasionally with my standalone too, so I installed a cronjob-watchdog.sh which relaunches the webapp if it is not running. See here for example: https://community.webfaction.com/questions/6157/watchdog-script-to-keep-process-running-with-cron

Thanks for all this great info! I’m going to try using the command line to generate our certs and share what I learn.

I made a Xojo Desktop App that automates the https://gethttpsforfree.com/ which html form that creates the certs, but doesn’t automatically do the challenge verification.

The following article was helpful to understand how to use certbot with and without a webserver: https://suchsecurity.com/

The next step would be to use the generated certs to create a Xojo crt file.

Does anyone know if the Xojo crt files can be swapped out while Xojo Standalone Apps are running? Do we have to quit the app and relaunch it to use the new cert?

@Maximilian Tyrtania - here is the start of a bash script I wrote to determine if my certificate needs renewal. I have cron run this every 12 hours.

[code]#!/bin/bash

CERT="/etc/ssl/cert.pem";

if [ -f “${CERT}” ]; then
EXPIRE_STRING=$(openssl x509 -in “${CERT}” -enddate -noout 2>/tmp/err | cut -d= -f2);
if [ -s /tmp/err ]; then
echo “Current cert is bad.”
rm -f “${CERT}”;
else
NOW=$(date +%s);
EXPIRES=$(date -d “${EXPIRE_STRING}” +%s);
REMAINING_SECONDS=$(expr ${EXPIRES} - ${NOW});
REMAINING_DAYS=$(expr ${REMAINING_SECONDS} / 86400);
SHOULD_RENEW=$((${REMAINING_DAYS} < 30));

            if [ ${SHOULD_RENEW} -eq 0 ]; then
                    echo "Not ready for renewal, ${REMAINING_DAYS} days remaining.";
                    exit;
            fi
    fi

fi

do your renewal work here, will exit if not ready for renewal[/code]

For the curious, the rest of the script uses acme_tiny.py to request the certificate, confirm it is valid, remove the old one, install the new one, and restart the services that depend on it. This is all because I use a web server not officially supported by Let’s Encrypt, as well as HPKP, so the default options wouldn’t work in my scenario.

Interesting, I got an IIS server cert from them at the start of November, I have just checked and its for 3 years!

Did they just change their policy? I cant find anything about it on there.

[quote=307703:@JulianS]Interesting, I got an IIS server cert from them at the start of November, I have just checked and its for 3 years!

Did they just change their policy? I cant find anything about it on there.[/quote]

Ahh I used https://www.startssl.com/ derp! Free for 3 years though, not bad.

Just secured XOJO Sample App on an Let’s Encrypt secured server: http://apps.jakobssystems.de
It’s pretty nifty. And I am recieving an A- at Mozilla Observatory but I need to dig a little deeper why my “X-Content-Type-Options” are not working.

Julian,

Were you able to get a StartSSL cert to work with Xojo Web App? I just tried and could not get it to work. :frowning:

Hal, I might recommend you switch to LetsEncrypt if you’ve got a StartSLL cert.
With all the hubub recently I’ve set my system to reject every StartSSL (StartCom) certificate.
I wouldn’t doubt that some sysadmins have too.

Hello @Tim Parnell,

Strange here in some of my Customers Companys it’s the other way araound there Let’s Encrypt is totaly blocked.

And Yes i use a StartSSL Cert - and No i won’t switch at this time!

There are many StartSSL Certs still out there and i dont think how Mozilla and Apple and even Goggle Handled this was wrong. Only Certs after 21st. October 2016 were not valid (blocked).

And no i can’t really switch because i have an Web-App that is an Java App (and the Java TrustStore is a pain in the a… - to automate correctly.)

And for Let’s Encrypt there are some Phising Sites out there unsing Let’s Encrypt and this is why some of my customers blocked Let’s Encrypt.

So maybe you should think about that.

I think it’s bad practice to punish the StartSSL Users because of some problems the CA had. I think 90% of the StartSSL Certs are correct.

Tim and Ren,

Thanks for the advice. I just got excited that StartSSL had three year certs. After reading about both, I think I’ll stay with Let’s Encrypt:

Ren, did StartSSL get that problem resolved with the major browsers? I tried to find info to see if they are now ok, but didn’t see anything.