New SSL Cert renewal
#1
Now that SSL cert renewal is 200 days and probably getting shorter, is there an easy way to automate it using Let's Encrypt with the standalone app? In some cases I deploy on AWS behind a load balancer where SSL is managed, and I just have an admin OK the renewal that arrives as a link in an email.

I am currently looking at using win-acme on an IIS server where I deploy an app, but one deployment prefers the standalone service with the .pem SSL files, as they can install multiple apps on a single server using different ports (443, 8443, 8444, etc.). Generating them once a year is okay, but every 6 months requires some automation, and I think it's worth looking into Let's Encrypt for standalone apps too.

Has anyone used it for standalone apps?

- Lou
#2
(03-21-2026, 05:26 AM)lfeliz Wrote: Has anyone used it for standalone apps?

I created a service that downloads the certificate and then restarts the IntraWeb service, using this:
https://github.com/littleearth/delphi-acme-client

Something like this:

Code:
procedure TCertManagerThread.InitACME;
begin
  // Configure: ACME provider (e.g. Let's Encrypt), domains to order and the
  // challenge type/port, all read from the service's INI file
  FProvider := FACMEOrders.Providers.GetProviderByName(FIni.Provider);
  FDomains := FIni.Domains;
  FChallengeOptions.ChallengeType := FIni.ChallengeType;
  FChallengeOptions.HTTPPort := FIni.HTTPPort;

  // Set CSR subject
  FCsrSubject.Country := FIni.Country;
  FCsrSubject.State := FIni.State;
  FCsrSubject.Locality := FIni.Locality;
  FCsrSubject.Organization := FIni.Organization;
  FCsrSubject.EmailAddress := FIni.EmailAddress;

  // Where the client stores the order, key and certificate files -
  // directory is the application path + 'certs'
  FACMEOrders.StorageFolder := FDestDir;
end;

function TCertManagerThread.TryRenewAndActivate: boolean;
var
  LOrderFile: string;
begin
  result := false;
  try
    FErrorMessage := ''; // start clean
    // step 1: stop the services that use the old certificates (this also frees
    // the challenge port if one of the apps listens on it)
    if not SetServicesRunning(FIni.Services, false) then
    begin
      FErrorMessage := 'New certs failed: could not stop services';
      Exit(false); // the finally block below still restarts the services
    end;
    // step 2: request new certificate
    if not FACMEOrders.NewOrder(FProvider, FIni.EmailAddress, FDomains, FChallengeOptions, FCsrSubject, LOrderFile) then
    begin
      FErrorMessage := 'New certs failed: ACME order failed';
      Exit(false);
    end;
    // step 3: backup old certificate before anything is overwritten
    if not BackupOldCert then
    begin
      FErrorMessage := 'New certs failed: could not back up old certificate';
      Exit(false);
    end;
    // step 4: copy the new cert, key and chain over the old ones in every
    // application folder (one folder per app/port)
    for var dir in FIni.DestinationFolders do
    begin
      SafeCopyFile(FACMEOrders.CertFile, TPath.Combine(dir, FIni.DestinationCertFile));
      SafeCopyFile(FACMEOrders.KeyFile, TPath.Combine(dir, FIni.DestinationKeyFile));
      SafeCopyFile(FACMEOrders.ChainFile, TPath.Combine(dir, FIni.DestinationChainFile));
    end;
    result := true;
  finally
    // step 5: restart services stopped at step 1 (runs on every exit path,
    // so a failed order still brings the apps back on the old certificate)
    if not SetServicesRunning(FIni.Services, true) then
    begin
      FErrorMessage := 'New certs failed: could not start services';
      result := false;
    end;
  end;
end;
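The stop/order/backup/copy/restart sequence from the post above, as an added PowerShell example that is not code from this thread or from delphi-acme-client: it is the deploy step a standalone .pem-based app can hook behind win-acme (or any ACME client that writes PEM files), and it validates the new certificate and key before touching the running apps, which the Delphi version does not. PowerShell 7+ is assumed (for X509Certificate2.CreateFromPemFile); the folder names, service names and host name are hypothetical placeholders.

```powershell
<#
  Added example (not from the thread or the delphi-acme-client project).
  Post-renewal deploy for standalone apps that read cert.pem/key.pem/chain.pem:
  validate the new pair, back up the old files in each app folder, copy the new
  ones in, restrict the key's ACL, restart the services, roll back on failure.
  Assumes PowerShell 7+. All paths, service and host names are placeholders.
#>
param(
    [Parameter(Mandatory)] [string]$NewCert,    # e.g. C:\acme\www.example.com-crt.pem
    [Parameter(Mandatory)] [string]$NewKey,     # e.g. C:\acme\www.example.com-key.pem
    [Parameter(Mandatory)] [string]$NewChain,   # e.g. C:\acme\www.example.com-chain.pem
    [string]$HostName = 'www.example.com',
    [string[]]$DestinationFolders = @('C:\Apps\Portal443\certs', 'C:\Apps\Api8443\certs'),
    [string[]]$Services = @('Portal443', 'Api8443'),
    [string[]]$KeyReaders = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
    [int]$MinDaysLeft = 30
)
$ErrorActionPreference = 'Stop'

function Test-NewCertificate {
    param([string]$CertPath, [string]$KeyPath, [string]$ServedHost, [int]$MinDays)
    # CreateFromPemFile throws if either file is malformed or the key does not
    # belong to the certificate - the failure the restarted service would otherwise find.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath)
    try {
        $now = [DateTime]::UtcNow
        if ($cert.NotBefore.ToUniversalTime() -gt $now) { throw "new certificate is not valid yet ($($cert.NotBefore))" }
        $daysLeft = ($cert.NotAfter.ToUniversalTime() - $now).TotalDays
        if ($daysLeft -lt $MinDays) { throw "new certificate already expires in $([int]$daysLeft) days" }
        # Subject Alternative Name (OID 2.5.29.17) must list the host we serve
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = if ($san) { $san.Format($false) } else { $cert.Subject }
        if ($names -notmatch [regex]::Escape($ServedHost)) { throw "new certificate does not cover $ServedHost ($names)" }
        return $cert.Thumbprint
    } finally { $cert.Dispose() }
}

function Backup-CertFiles {
    param([string]$Folder, [string[]]$Names)
    $bak = Join-Path $Folder ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $bak -Force | Out-Null
    foreach ($n in $Names) {
        $f = Join-Path $Folder $n
        if (Test-Path $f) { Copy-Item $f (Join-Path $bak $n) -Force }
    }
    return $bak
}

function Restore-CertFiles {
    param([string]$Folder, [string]$Backup)
    Get-ChildItem $Backup -File | ForEach-Object { Copy-Item $_.FullName (Join-Path $Folder $_.Name) -Force }
}

function Set-KeyAcl {
    param([string]$KeyPath, [string[]]$Readers)
    # Drop inherited ACEs and grant read only to the accounts that must load the key
    $grants = $Readers | ForEach-Object { "$($_):R" }
    & icacls $KeyPath /inheritance:r /grant:r $grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $KeyPath" }
}

$files = @{ 'cert.pem' = $NewCert; 'key.pem' = $NewKey; 'chain.pem' = $NewChain }

# 1. Validate before anything is touched: a bad order must not take the apps down
$thumb = Test-NewCertificate -CertPath $NewCert -KeyPath $NewKey -ServedHost $HostName -MinDays $MinDaysLeft
Write-Host "New certificate $thumb validated for $HostName"

# 2. Back up and copy per app folder. The services keep serving the old
#    in-memory certificate until step 3, so the outage is only the restart
$backups = @{}
foreach ($dir in $DestinationFolders) {
    $backups[$dir] = Backup-CertFiles -Folder $dir -Names $files.Keys
    foreach ($n in $files.Keys) { Copy-Item $files[$n] (Join-Path $dir $n) -Force }
    Set-KeyAcl -KeyPath (Join-Path $dir 'key.pem') -Readers $KeyReaders
}

# 3. Restart; if any service does not come back, put the old files back and restart again
try {
    foreach ($svc in $Services) { Restart-Service -Name $svc }
    foreach ($svc in $Services) {
        $s = Get-Service -Name $svc
        if ($s.Status -ne 'Running') { throw "service $svc is $($s.Status) after restart" }
    }
} catch {
    Write-Warning "Rolling back: $_"
    foreach ($dir in $DestinationFolders) { Restore-CertFiles -Folder $dir -Backup $backups[$dir] }
    foreach ($svc in $Services) { Restart-Service -Name $svc }
    exit 1
}
```

Run it once by hand with the client's output files before wiring it into the renewal. With win-acme the hook is its script installation plugin (`--installation script`), which substitutes its own placeholder tokens for the PEM paths; the exact token and option names differ between versions and are not shown here, so check `wacs.exe --help` for yours. Add the account the IntraWeb service runs under to -KeyReaders if it is not LocalSystem, or the restarted service cannot read key.pem. Note the ordering difference from the Delphi code: the files are swapped while the apps still serve the old certificate, so the only downtime is the restart, but that works only because the ACME client (not the app) answers the challenge; if the app itself owns the challenge port, it has to be stopped before the order, as the post does.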

