Hi folks,
I was wondering where do you buy your global ssl certificates to install on your indoor xojo web app ?
thanks.
I get my certificates for free from LetsEncrypt. I even built an app that helps you do that
For TPLM-as-a-Service, I have a customer supporting extremely old systems, so I do have a purchased certificate on that domain. I got the certificate from my registrar, Dynadot. They offer single domain for $16.99 and wildcard domain for $80.
You can use my referral code for a $5 account credit if you like.
Follow this referral link to create a free account and use your $5 account credit towards your first purchase.
NOTE: The above link should include the referral code already, but if not, you can enter the following code when you create your account: 7fy7G9Q7D8Zx8e
thanks Tim.
the xojo web app is on a mac, so I can’t use lifeboat …
on Dynadot, they ask me for a CSR, how to get it on a mac with no web server but only a xojo web app on it ?
is it using openssl on a mac terminal ?
thanks.
Keychain app has a menu entry to create a CSR.
IF I finally succeed in getting a certificate from letsencrypt …,
where is the renewed certificate stored ? in the keychain ?
how can I renew it in the xojo app folder so that it’s always live and valid ?
That depends on how you got the certificate. If you used certbot, it should have told you where the certificate was stored. With a quick search it looks like /etc/letsencrypt/live/{domain} on Mac.
I found these instructions quickly searching for how to use certbot on Mac: MacOS & LetsEncrypt & Certbot - Tharakesh Pulikonda - Medium
If you used some other method, you’ll have to look into how that method stored the certificate.
Update: One method for renewal support with certbot is to use a symlink to point to the actual certificate so that you don’t have to move it, and then to renew it using certbot renew. If you’re placing the certificate next to the Xojo Web app there is more to it, but I don’t have those steps because I use nginx to handle SSL. Anthony had documentation on that process + certbot some time ago, but I haven’t been able to find it in Google.
Use LetsEncrypt as @Tim_Parnell said. Here’s a guide for getting SSL working on Xojo Web apps that aren’t behind Apache or nginx using an LE certificate for Linux. The steps for doing it on macOS are largely the same. Install certbot, generate the certificate, cat the files to the app directory with the correct name, set up automatic renewal.
Thanks Anthony !
do I have to quit and relaunch the xojo web app at each certificate renewal ?
Yes, otherwise the app will not serve the updated certificate. I set up my renewal commands to stop the service, attempt to renew and update the certificate, then restart the service each month at off-peak times. LE will only let you renew something like 30 days in advance.
and if I buy a paid certificate, it will be valid for one year, so only have to quit the xojo app once a year ?
Sounds about right. Whatever the renewal period is. I haven’t gone that route, so I can’t offer much there, but I’d rather have a free certificate with periodic automated downtime of a few seconds if running standalone.
when certbot asks me for the domain name,
should I answer “mydomain.com”, or “sales.mydomain.com” ?
as I like to call my xojo web app using https://sales.mydomain.com
thanks.
There’s much more involvement for wildcard certs with LE (if I remember correctly). Use the specific subdomain.domain.com for your app.
Not if you put a front-end load balancer such as nginx or haproxy in front of the web app. Then you can let it perform the SSL termination and your app just gets it forwarded to you without SSL/TLS. You can then also use forwarding rules to allow the request to come in on whatever port (including 443) and forward to your app on whatever port you choose. You can then use the same certificate to terminate at the (sub)domain of your choosing, and put multiple copies of the web app or different web apps on different ports by rules that load balance or route things different based on the URL paths or whatever. So sales.mydomain.com can be a generic termination to where you host this, then you can use rules to route to different web apps based on URL path components or other factors. This also means the user does not need to specify a port in their connection if you are listening on port 443 and forwarding to the port of your choosing in the web app.
Douglas, thanks for this recommendation. I can confirm that this approach works well. It was a little tricky in the beginning, but it has now become part of our standard deployment methodology. We let haproxy handle the SSL certificates from Let’s Encrypt, and that spares the Xojo Web Apps from having to worry about them.
so I succeeded in downloading a certificate from let’s encrypt,
I used “sales.mydomain.com” when certbot asked me for the domain name
it downloaded the certificates into the etc/letsencrypt/live/mydomain folder it created
I had to cat the cert.pem and the privatekey.pem into the myxojowebapp.crt
and the xojo app is now considered as secure by the browsers.
I still have to figure out how to cat the cert files automatically each 3 months…
you need to be root to open the letsencrypt folder with the keys…
maybe I will investigate this load balancer thing…
thanks everyone.
why not create a crontab -e job?
I know how to make a cron job, it’s just the script of the job that bothers me !
but I will investigate this, I have 3 months to get it right…
At the bottom of the page I provided earlier.
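As an added example (not from this thread and not Anthony's guide), here is the kind of renewal hook the last few posts describe: it rebuilds the single .crt bundle the standalone Xojo Web app reads (certbot's fullchain.pem followed by privkey.pem, which is what certbot names the key file), keeps the file private because it contains the key, and restarts the app so the new certificate is served. The app path, service label and install location are assumptions.

```shell
#!/bin/sh
# Added example of a certbot deploy hook for a standalone Xojo Web app.
# Assumed paths: app installed in /opt/myxojowebapp, bundle named myxojowebapp.crt.
set -eu

# Concatenate certbot's fullchain.pem and privkey.pem into the app's .crt.
# Written to a temp file first and moved into place atomically, with
# permissions restricted to the owner because the bundle holds the private key.
build_xojo_cert() {
    live_dir="$1"      # e.g. /etc/letsencrypt/live/sales.mydomain.com
    out_file="$2"      # e.g. /opt/myxojowebapp/myxojowebapp.crt
    tmp="$out_file.tmp.$$"
    umask 077
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out_file"
}

# Sanity check before restarting: the certificate's public key must match
# the private key in the same bundle. Skipped when openssl is not installed.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 0
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$1" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# The app only reads the .crt at launch, so it has to be restarted.
# How depends on what supervises the app; both branches below are assumptions.
restart_app() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart "$1"                     # Linux: systemd unit name
    else
        launchctl kickstart -k "system/$1"         # macOS: launchd label
    fi
}

# certbot sets RENEWED_LINEAGE (the live/<domain> directory) when it runs a
# --deploy-hook after a successful renewal. Install with something like:
#   0 3 * * * certbot renew --deploy-hook /usr/local/bin/xojo-cert-hook.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle=/opt/myxojowebapp/myxojowebapp.crt
    build_xojo_cert "$RENEWED_LINEAGE" "$bundle"
    cert_matches_key "$bundle"
    restart_app com.example.myxojowebapp
fi
```

Running it from cron as root (the letsencrypt directory is root-only, as noted above) means the hook only runs when certbot actually renewed something, so the app is not restarted on the days certbot decides the certificate is not yet due.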