cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to use LetsEncrypt certificate with Mobilink on Windows

former_SQLA_member1694873
Participant

on ‎2019 May 31 12:03 PM

0 Kudos
1,880

I've tried a couple of ways to start MobiLink with a certificate from LetsEncrypt, but so far with no success.

First I tried getting a certificate using this method: 

.\\wacs.exe --store centralssl --centralsslstore C:\\CentralSSL\\
which creates the certificate and stores it as C:\\CentralSSL\\mycertificate.pfx. Then I tried starting MobiLink with the -x option set to 
-x HTTPS(host=172.254.35.101;port=443;identity=C:\\CentralSSL\\mycertificate.pfx)
However, mlsrv17 fails to start, and gives the error 
SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x00000000

So I tried converting the .pfx file to a .crt file using openssl and changing the MobiLink -x option approriately, but still get a parsing error, this time:

SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x0d0680a8

Then I tried another way, to get and install the certificate using this method 

.\\wacs.exe --store certificatestore --certificatestore My
which creates the certificate in the Windows Certificate Store. However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?

Has anyone ever tried this? Any advice?

EDIT: A bit more information - I discovered that the .crt file generated above contains Bag Attributes before the actual certificate. I removed them with the command openssl x509 -in mycertificate.crt -out mycertificate.crt and then MobiLink starts without complaint BUT the connections still fail, now with error code 8. I know it's not specifically a network problem since it all works fine with HTTP.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
VolkerBarth
Contributor
‎2019 May 31 1:07 PM
0 Kudos

However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?

I don't know, either, but for secure web client procedures, you can specify "file=*" to access certificates from the OS store, as documented here. I don't know whether the same applies to MobiLink servers or SQL Anywhere web servers.

former_SQLA_member1694873
Participant
‎2019 May 31 1:38 PM
0 Kudos

Following that suggestion, I tried 

identity=*
and got the error 
SQLANYm_balanceML: <main> [-10117] Stream Error: Unable to open certificate file '*'

Accepted Solutions (0)

Answers (1)

Answers (1)

regdomaratzki
Product and Topic Expert
Product and Topic Expert
‎2019 May 31 2:36 PM
0 Kudos

Can you describe what you mean by "use a certificate from LetsEncrypt" ?

LetsEncrypt is a Certificate Authority (CA). What is typically stored in the certificate store for a CA is the public certificate for that CA, which is used by clients connecting to a server, not the server itself.

Typically, you'll create a certificate request, which consists of a public and private portion. The private portion is password protected, and you typically don't let anyone else see that. You send the public portion of your certificate request to a CA, they sign it, then return the signed certificate request to you. This signed public certificate request along with the private portion of your certificate request make up your identity file, which is what you need to provide to the ML Server, along with the password for your private certificate. Now, any MobiLink Client that wants to connect to the ML Server can do so as long as they have the public certificate for the CA that signed your request.

I don't think exporting the LetsEncrypt certificate from the certificate store will get you a server-side certificate that you can use when starting the MobiLink Server.

Reg

Show replies
Show replies
former_SQLA_member1694873
Participant
‎2019 May 31 4:56 PM
0 Kudos

Thanks for your reply. I've been using LetsEncrypt for a number of years to create certificates for https with nginx under linux. Also, I have previously been able to use them with IIS under Windows. However, there is a new way to get them for Windows using the wacs program that I mentioned in the OP but it doesn't seem to be working for me. Have you used the new wacs program? Any help there would be appreciated.

Ask a Question