Atozed Forums

Full Version: SSL with WildCard certificate.
Can anyone write a step by step instruction on how to enable HTTPS? I am using IntraWeb 15, in http.sys mode (TIWStartHSys.Execute(False)). I am following these setup steps:
  • Configuring ServerController:
    SSLOptions.Certificate.CertFileName
    SSLOptions.Certificate.KeyFileName
    SSLOptions.Certificate.RootCertFileName
    SSLOptions.Certificate.Password
    SSLOptions.Certificate.Path
    SSLOptions.CipherList
    SSLOptions.Port
  • Add libeay32.dll, ssleay32.dll to the program folder.
  • Configure HTTPS with HTTP.sys for self hosted web servers

But SSL still doesn't work; the web browser reports: Unable to access the site, Site does not allow a connection: ERR_CONNECTION_REFUSED
What else needs to be done to enable HTTPS?

P.S. Server OS - Windows 2016 Server.
(09-16-2020, 03:19 PM) Rassamaha78 Wrote:
  • Can anyone write a step by step instruction on how to enable HTTPS? I am using IntraWeb 15, in http.sys mode (TIWStartHSys.Execute(False)). I am following these setup steps:

See this thread: https://www.atozed.com/forums/thread-958.html

Basically, you have to install the certificate to Windows because Windows handles the connection with http.sys.
I have already done everything that is written above several times. I installed the certificate through IIS and directly through netsh; it still does not work. Maybe WildCard certificates have customization features? I've often heard about this in various articles.
I use wildcard certs with http.sys. Maybe this is the issue: even though the cert is wildcard, you'll still have to add an entry for every subdomain, like so:

netsh http add sslcert hostnameport="www.abc.com:443" certhash=123...
netsh http add sslcert hostnameport="ms1.abc.com:443" certhash=123...
netsh http add sslcert hostnameport="ms2.abc.com:443" certhash=123...

etc.
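The per-subdomain step above, generalised into a script, as an added example that is not part of this thread or of IntraWeb: it looks the thumbprint up from the machine store instead of pasting it, refuses certificates without a private key or past their expiry, skips names the wildcard does not actually cover (a wildcard matches exactly one label), and checks for an existing binding before calling `netsh http add sslcert`. The subject name, host list and application GUID are constructed placeholders; run it from an elevated PowerShell on the server.

```powershell
# Added example (not from the thread): one http.sys SNI binding per hostname
# for a wildcard certificate already imported into LocalMachine\My with its
# private key. Values below are constructed placeholders.

$wildcardName = '*.abc.com'                                   # assumed subject CN of the wildcard cert
$hostNames    = 'www.abc.com', 'ms1.abc.com', 'ms2.abc.com'    # constructed list of sites to bind
$port         = 443
$appId        = '{00000000-0000-0000-0000-000000000000}'      # placeholder: use a fixed GUID of your own

# Pick the newest usable certificate whose subject CN is exactly the wildcard name.
$subjectPattern = '^CN=' + [regex]::Escape($wildcardName) + '(,|$)'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $subjectPattern -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate with subject CN=$wildcardName in LocalMachine\My" }

# *.abc.com covers www.abc.com but not abc.com or a.b.abc.com; skip names it cannot serve.
$baseDomain   = $wildcardName.Substring(2)
$coverPattern = '^[^.]+\.' + [regex]::Escape($baseDomain) + '$'

foreach ($name in $hostNames) {
    if ($name -notmatch $coverPattern) {
        Write-Warning "$name is not covered by $wildcardName; skipping"
        continue
    }
    # Existing binding? netsh prints a 'Certificate Hash' line only when one is registered.
    $existing = & netsh http show sslcert "hostnameport=${name}:$port" 2>$null
    if (($existing -join "`n") -match 'Certificate Hash') {
        Write-Host "Binding for ${name}:$port already present"
        continue
    }
    $netshArgs = @('http', 'add', 'sslcert', "hostnameport=${name}:$port",
                   "certhash=$($cert.Thumbprint)", "appid=$appId", 'certstorename=MY')
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for ${name}:$port (exit code $LASTEXITCODE)" }
}
```

The hostname form of the binding relies on SNI, so the port can be shared with other hostnames (including IIS sites) as long as each name gets its own entry; the `ipport=0.0.0.0:443` form, by contrast, is one binding for every name on that port.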
I have already tried all the methods, but I still cannot enable support for SSL in my project. Below I will describe all the configuration steps that I do, maybe I am doing something wrong:

1. I have a domain, let's say it's broker.com, there is a WildCard certificate *.broker.com. IIS is running on the server where several sites are running: https://crm.broker.com, https://webtrader.broker.com, https://tradersroom.broker.com; they all support SSL on port 443.
2. Now I would like to start my service on the same server at: https://broker.ru/payments/
3. I am using Intraweb version 15.1.22 in the http.sys mode ( TIWStartHSys.Execute( False ) ).
4. I am setting the settings in the IWServerControllerBaseConfig event (perhaps the settings need to be set in another event?):

Code:
Port    := 8888; //80
URLBase := '/payments/';

Do I need to specify the path to certificates for http.sys? I've tried specifying it and leaving the field blank.

Code:
SSLOptions.Certificate.CertFileName     := 'cert.pem';
SSLOptions.Certificate.KeyFileName      := 'key.pem';
SSLOptions.Certificate.RootCertFileName := 'root.pem';
SSLOptions.Certificate.Password         := 'pass';
SSLOptions.Certificate.Path             := 'C:\certificates\';

Can I specify the SSL port 443 if it is already in use by IIS? I've tried 443 and 8444.

Code:
SSLOptions.Port                        := 8444; //443

5. Further, in PowerShell, I get the certificate fingerprint with the command:

Code:
dir cert:\localmachine\my

6. Then I execute the command:

Code:
netsh http add sslcert ipport=0.0.0.0:443 certhash=C30A5559BEA881A555215592F55598F85DDDC55D appid="{8555E71B-5558-4CF1-5554-743F55562F71}" certstore=my

and I get a message something like: Certificate added successfully.
I also tried to specify the hostnameport=payments.broker.com:443 domain instead of the IP address, while in the settings of the IWServerController I added:

Code:
HttpSysOptions.VirtualHostNames := 'payments.broker.com';

I also tried executing the command:

Code:
netsh http add urlacl url=https://0.0.0.0:443/ user=Users

7. I also put the libraries in the folder with the exe file: libeay32.dll and libmysql.dll, but as I understand it, these libraries are not needed when working with http.sys?

After all these actions, HTTP works fine, but when trying to access through HTTPS, the browser says: "Cannot load the page".

I do not know what action to take yet and I really look forward to help from this forum...
Http.sys applications don't use OpenSSL, so you can safely remove libeay32.dll from your equation.

You have all the tools with IntraWeb itself.

Here is a step by step procedure, using only our IWCertificateManager tool:

https://www.atozed.com/intraweb/certmana...lications/
I still cannot include support for SSL in my project...
IWCertificateManager didn't help me. I tried to install the certificate manually, it is displayed in IWCertificateManager; I also tried to create and install the certificate through IWCertificateManager itself; there is no effect.
I noticed a strange effect: when starting my service, Windows does not open the specified SSL port (SSLOptions.Port)! I tried different ports: 443, 8444, etc.; maybe the service needs some additional permissions?
Do I have to fill in any other parameters besides SSLOptions.Port in http.sys mode? For example, SSLOptions.Certificate.CertFileName, SSLOptions.Certificate.KeyFileName, SSLOptions.Certificate.RootCertFileName, SSLOptions.Certificate.Password, SSLOptions.Certificate.Path?
Can anyone give me a minimal example of an SSL + http.sys that works 100% on your server?
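For the configuration steps listed in the long post above and the "Windows does not open the SSL port" observation, here is an added diagnostic script; it is not from this thread and not part of IntraWeb. It checks the four Windows-side prerequisites of an http.sys HTTPS endpoint in order: a certificate in LocalMachine\My with a private key whose CN or SAN covers the host name, an `sslcert` binding for that host name or for 0.0.0.0 on the same port, a URL reservation (only relevant when the service does not run elevated), and a kernel listener on the port. Note that the sslcert binding and the application's SSLOptions.Port must refer to the same port, and that an http.sys listener shows up in netstat as PID 4 (System), never as the application's own process. The host name, port and path are placeholders taken from the thread; run it elevated on the server.

```powershell
# Added example (not from the thread): report which http.sys HTTPS
# prerequisite is missing for one hostname/port. Placeholders from the thread.

$hostName = 'payments.broker.com'   # placeholder
$port     = 443                     # must equal SSLOptions.Port in the ServerController
$urlPath  = '/payments/'            # placeholder URLBase; used only in the final hint

# Names a certificate is valid for: the subject CN plus every DNS entry of the SAN extension (OID 2.5.29.17).
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return $names
}

# A wildcard covers exactly one label: *.broker.com matches payments.broker.com, not a.b.broker.com.
function Test-NameCoverage([string[]]$CertNames, [string]$Name) {
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and $Name -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

$report = [ordered]@{}

# 1. Certificate: machine store, private key present, not expired, name coverage.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-NameCoverage (Get-CertDnsNames $_) $hostName) } |
    Select-Object -First 1
if ($cert) { $report['certificate'] = "OK  thumbprint $($cert.Thumbprint)" }
else       { $report['certificate'] = "MISSING  no cert with private key covering $hostName in LocalMachine\My" }

# 2. sslcert binding: parse 'netsh http show sslcert' into endpoint -> certificate hash.
$bindings = @{}; $endpoint = $null
foreach ($line in (& netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') { $endpoint = $Matches[2] }
    elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $bindings[$endpoint] = $Matches[1].ToUpper() }
}
$hash = $bindings["${hostName}:$port"]
if (-not $hash) { $hash = $bindings["0.0.0.0:$port"] }
if (-not $hash)                                 { $report['sslcert'] = "MISSING  no entry for ${hostName}:$port or 0.0.0.0:$port" }
elseif ($cert -and $hash -ne $cert.Thumbprint)  { $report['sslcert'] = "MISMATCH  binding uses $hash, store cert is $($cert.Thumbprint)" }
else                                            { $report['sslcert'] = "OK  $hash" }

# 3. URL reservation: only needed when the application is not running as administrator.
$acl = (& netsh http show urlacl) -join "`n"
$aclPattern = 'https://(\+|\*|' + [regex]::Escape($hostName) + '|0\.0\.0\.0):' + $port
if ($acl -match $aclPattern) { $report['urlacl'] = 'OK' } else { $report['urlacl'] = 'none (fine if the service runs elevated)' }

# 4. Listener: http.sys listens in kernel mode, so the owning process is PID 4 (System), not the IntraWeb exe.
$listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listen) { $report['listener'] = "OK  owning PID(s): $(($listen.OwningProcess | Sort-Object -Unique) -join ',')" }
else         { $report['listener'] = "MISSING  nothing listening on $port; is the application running and is SSLOptions.Port really $port?" }

$report.GetEnumerator() | ForEach-Object { '{0,-12} {1}' -f $_.Key, $_.Value }
Write-Host "Expected URL: https://${hostName}:$port$urlPath"
```

Read the report top to bottom: the first line that is not OK is the step to fix. A MISMATCH on the sslcert line is the classic symptom of re-importing a certificate after the binding was made, and a listener that is present while the browser still gets a connection error usually means the binding is on a different port than the one the application registered.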