Enable HTTPS in your REST server with Free SSL/TLS Certificate from Let’s Encrypt

Thursday, April 19, 2018

One of the most important aspects of a REST API server is security. Data travelling between client and server should always be encrypted, and the “standard” way to achieve that is HTTP Secure (HTTPS): HTTP carried over TLS, which gives you confidentiality and integrity of the traffic and lets the client verify that it is talking to the right server.



To support HTTPS in your server, you need an SSL/TLS certificate. Not so long ago this was a relatively annoying task, and it also required you to pay a yearly fee. That’s no longer true since the release of Let’s Encrypt. From their website: “Let’s Encrypt is a free, automated and open Certificate Authority”. What does that mean, basically? You can now get SSL/TLS certificates for free. And automatically!

The purpose of this article is to give you direct step-by-step instructions to install an SSL/TLS certificate in any TMS Sparkle-based server (TMS XData, for example). If you want more information about Let’s Encrypt and how its system works, please visit their website.

To install a Let’s Encrypt certificate in your TMS Sparkle server, we are going to use a tool named win-acme (Simple ACME Client for Windows, WACS - Windows ACME Simple). It was formerly called letsencrypt-win-simple (LEWS). The video at the end of this article was made when the tool still had its old name, and some screenshots reflect that as well, but the process remains mostly the same, with the small differences mentioned in this article.

In this example we are going to secure a server that responds at the address http://app.devgems.com. To start, you must have a domain name, and your server must be up and responding to HTTP requests for that domain name. Here is a screenshot of a browser request to that server. Note that it’s not secure yet:



To download win-acme, go to the Releases page of its GitHub repository, https://github.com/PKISharp/win-acme/releases, and download the latest version available. At the time this blog post was written the file name was win-acme.v1.9.10.1.zip, but you may find a similar name with a more recent version. If you want to use the exact version used for this server (to follow exactly what is done in the video and in the screenshots), you can download it from this link: https://github.com/PKISharp/win-acme/releases/download/v1.9.7.0-beta10/letsencrypt-win-simple.v1.9.7.0-beta2.zip.

Upload the downloaded file to the Windows server running your TMS Sparkle server and extract it to any directory, for example C:\letsencrypt. You should have a folder with files like the following:



Notice the selected file above, named letsencrypt.exe.config. It is the tool’s configuration file; in more recent versions it is named settings_default.config. Whichever name your version uses, open the file in a text editor (Notepad, for example) and search for a setting named CertificateStore. Change its value to “My”, which is the Local Computer’s Personal certificate store: that is where netsh expects to find a certificate when binding it to an http.sys port. The section of the file should look like this:

<setting name="CertificateStore" serializeAs="String">
  <value>My</value>
</setting>

In the same folder, create a file named bindcertificate.bat with the following content:

rem %1 = certificate thumbprint, %2 = certificate store name ("My"); both are passed in by win-acme
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=%1 certstorename=%2 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The GUID in appid is just an identifier that http.sys records for the application owning the binding; any valid GUID works, so you can change it to one of your own or keep what’s there. You should now have the new file in the folder:



Now open a command prompt with administrator rights, go to the C:\letsencrypt folder if you are not already there, and run the following command. Don’t forget to replace <yourdomain> with your real domain; in our example it would be app.devgems.com. Two notes on the parameters. With --validation selfhosting, win-acme itself answers the Let’s Encrypt HTTP challenge on port 80, which it can share with your Sparkle server because both go through http.sys; this means port 80 of your domain must be reachable from the Internet whenever the certificate is requested or renewed. The placeholders in --scriptparameters are expanded by this version of the tool into the certificate thumbprint and the store name, which bindcertificate.bat receives as %1 and %2; the placeholder numbering differs in other versions, so check the documentation of the release you downloaded.

letsencrypt --plugin manual --manualhost <yourdomain> --validation selfhosting --script "c:\letsencrypt\bindcertificate.bat" --scriptparameters "{5} {3}" --usedefaulttaskuser

Depending on the version of the tool, you may be asked to enter your e-mail address and agree to the terms of service. Let’s Encrypt uses the address to notify you about certificate expirations. You only have to do this the first time.

If everything went well, you should see output like this, indicating that the certificate was generated and installed on your computer:



You can open the Certificates MMC snap-in for the Local Computer and check that the certificate is installed in the Personal store:



And that's it! Not only is the certificate now installed on your server, it is also bound to your TMS Sparkle server’s HTTPS port, and the scheduled task that win-acme created will renew it automatically before it expires (Let’s Encrypt certificates are valid for 90 days). As long as that task keeps running and your domain keeps validating, your server supports HTTPS without further work. If we browse to our server address now using HTTPS, we can confirm it's using the new certificate:
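As an added check (example code written for this page, not part of the original post or of win-acme), the PowerShell function below verifies the end state of the procedure on the server itself: it finds the newest certificate for the domain in the Local Computer's Personal store, compares its thumbprint with what http.sys reports for the bound port, flags a staging (--test) certificate, and looks for the renewal task. The domain app.devgems.com and the binding 0.0.0.0:443 are taken from this post; the function name and the task-name patterns are assumptions made for the example.

```powershell
# Added example, not from the original post or from win-acme: after running the
# tool and bindcertificate.bat, confirm that the certificate in LocalMachine\My
# is the one http.sys actually serves on the bound port, that it is a production
# (not staging) certificate, and that a renewal task exists.
# Assumed values (adjust to yours): domain app.devgems.com, binding 0.0.0.0:443.
function Test-SparkleTlsBinding {
    param(
        [string]$Domain = "app.devgems.com",
        [string]$IpPort = "0.0.0.0:443"
    )

    # 1. Newest certificate for the domain. CertificateStore = "My" makes
    #    win-acme put it in the Local Computer's Personal store. Let's Encrypt
    #    issues the subject as CN=<first host>, so an exact match is fine here.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Domain" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Domain in LocalMachine\My" }

    # Subject Alternative Names (OID 2.5.29.17): every host the certificate covers.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sans = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }

    # 2. The http.sys binding created by bindcertificate.bat. netsh prints the
    #    hash in lower-case hex; the field names below are the English ones, so
    #    adjust the patterns on a localized Windows.
    $show = netsh http show sslcert ipport=$IpPort
    $hashMatch = @($show | Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')[0]
    if (-not $hashMatch) { throw "No SSL certificate bound on $IpPort; did bindcertificate.bat run?" }
    $boundHash = $hashMatch.Matches[0].Groups[1].Value
    $appIdMatch = @($show | Select-String 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})')[0]
    $boundAppId = if ($appIdMatch) { $appIdMatch.Matches[0].Groups[1].Value } else { "?" }

    # 3. Staging certificates (from --test) are issued by "Fake LE Intermediate X1"
    #    and are not trusted by browsers; better to catch that here than in production.
    $isStaging = $cert.Issuer -like "*Fake LE*"
    $daysLeft  = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # 4. The renewal task win-acme registers (its name varies by version; the
    #    ScheduledTasks module needs Windows Server 2012 or later).
    $taskName = "NOT FOUND"
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $task = Get-ScheduledTask |
            Where-Object { $_.TaskName -like "*win-acme*" -or $_.TaskName -like "*letsencrypt*" } |
            Select-Object -First 1
        if ($task) { $taskName = $task.TaskName }
    }

    $result = [pscustomobject]@{
        Domain          = $Domain
        Thumbprint      = $cert.Thumbprint
        Issuer          = $cert.Issuer
        SubjectAltNames = $sans
        NotAfter        = $cert.NotAfter
        DaysLeft        = $daysLeft
        BoundThumbprint = $boundHash
        BoundAppId      = $boundAppId
        BindingMatches  = ($boundHash -eq $cert.Thumbprint)   # -eq ignores case
        StagingCert     = $isStaging
        RenewalTask     = $taskName
    }

    if (-not $result.BindingMatches) { Write-Warning "http.sys on $IpPort serves a different certificate than the newest one in the store; re-run bindcertificate.bat." }
    if ($isStaging) { Write-Warning "The certificate comes from the Let's Encrypt staging CA (--test); browsers will not trust it." }
    if ($daysLeft -lt 30) { Write-Warning "Only $daysLeft days left; check that the renewal task is running." }
    if ($taskName -eq "NOT FOUND") { Write-Warning "No win-acme renewal task found; the certificate will not renew by itself." }
    return $result
}

# Usage, from an elevated PowerShell prompt on the server:
Test-SparkleTlsBinding -Domain "app.devgems.com" | Format-List
```

Run it from an elevated PowerShell prompt on the server. BindingMatches being false after a renewal is the symptom to watch for: the certificate was renewed into the store, but the http.sys binding still points at the old thumbprint. That is exactly what the --script step in the command above is there to prevent, so if it happens, check that the scheduled task still runs bindcertificate.bat.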



The following video shows the operation described above in much more detail, including using the --test flag to run the whole process against the Let’s Encrypt staging environment before using the production one.



Wagner R. Landgraf


This blog post has received 8 comments.


1. Thursday, April 19, 2018 at 1:53:49 PM

I watched the video and it all looks very easy.
Thanks for sharing it with us.

Ronald Janse


2. Thursday, April 19, 2018 at 2:04:52 PM

Glad you liked Ronald, thank you.

Wagner R. Landgraf


3. Thursday, April 19, 2018 at 7:00:20 PM

Sweet !! Thanks

Farias Anderson


4. Thursday, April 19, 2018 at 8:52:06 PM

Thanks Anderson, you're welcome!

Wagner R. Landgraf


5. Friday, April 20, 2018 at 1:49:14 AM

This is excellent!

Ian Barker


6. Friday, April 20, 2018 at 1:00:09 PM

Thanks Ian!

Wagner R. Landgraf


7. Tuesday, May 08, 2018 at 2:29:39 PM

I tried and could not install it; I followed all the steps.
Error shown:

1 - [EROR] Error encountered while opening certificate store. The system cannot find the file specified

2 - [EROR] Create certificate: the system cannot find the file specified
Would you have a suggestion to help me?

I am installing on Windows Server 2008 R2

Grupo WS Sistema


8. Monday, May 14, 2018 at 6:58:28 PM

Send an e-mail to our support with the detailed information so that we can help!

Wagner R. Landgraf







