How to use LetsEncrypt certificate with Mobilink on Windows


I've tried a couple of ways to start MobiLink with a certificate from LetsEncrypt, but so far with no success.

First I tried getting a certificate using this method:

.\wacs.exe --store centralssl --centralsslstore C:\CentralSSL\
which creates the certificate and stores it as C:\CentralSSL\mycertificate.pfx. Then I tried starting MobiLink with the -x option set to
-x HTTPS(host=172.254.35.101;port=443;identity=C:\CentralSSL\mycertificate.pfx)
However, mlsrv17 fails to start, and gives the error
SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x00000000

So I tried converting the .pfx file to a .crt file using openssl and changing the MobiLink -x option appropriately, but still get a parsing error, this time:

SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x0d0680a8

Then I tried another way, to get and install the certificate using this method

.\wacs.exe --store certificatestore --certificatestore My
which creates the certificate in the Windows Certificate Store. However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?

Has anyone ever tried this? Any advice?

EDIT: A bit more information - I discovered that the .crt file generated above contains Bag Attributes before the actual certificate. I removed them with the command openssl x509 -in mycertificate.crt -out mycertificate.crt and then MobiLink starts without complaint BUT the connections still fail, now with error code 8. I know it's not specifically a network problem since it all works fine with HTTP.

Accepted Solutions (0)

Answers (1)

regdomaratzki
Product and Topic Expert

Can you describe what you mean by "use a certificate from LetsEncrypt"?

LetsEncrypt is a Certificate Authority (CA). What is typically stored in the certificate store for a CA is the public certificate for that CA, which is used by clients connecting to a server, not the server itself.

Typically, you'll create a certificate request, which consists of a public and private portion. The private portion is password protected, and you typically don't let anyone else see that. You send the public portion of your certificate request to a CA, they sign it, then return the signed certificate request to you. This signed public certificate request along with the private portion of your certificate request make up your identity file, which is what you need to provide to the ML Server, along with the password for your private certificate. Now, any MobiLink Client that wants to connect to the ML Server can do so as long as they have the public certificate for the CA that signed your request.

I don't think exporting the LetsEncrypt certificate from the certificate store will get you a server-side certificate that you can use when starting the MobiLink Server.

Reg

Thanks for your reply. I've been using LetsEncrypt for a number of years to create certificates for https with nginx under Linux. Also, I have previously been able to use them with IIS under Windows. However, there is a new way to get them for Windows using the wacs program that I mentioned in the OP, but it doesn't seem to be working for me. Have you used the new wacs program? Any help there would be appreciated.
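
An added example, not part of the original thread: a Python check of what a PEM file offered as an identity actually contains, covering the Bag Attributes mentioned in the question's EDIT and the answer's point that an identity file holds both the signed certificate and the private key. The function name `inspect_identity` and the sample file contents are constructed for illustration; the check reports what is in the file and does not decide whether MobiLink will accept it.

```python
import re

# One PEM block; the label is e.g. "CERTIFICATE" or "ENCRYPTED PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def inspect_identity(text):
    """Report the PEM blocks in an identity file and anything that looks wrong."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    # Text left over once the PEM blocks are removed, e.g. the "Bag Attributes"
    # lines openssl writes when it dumps a PKCS#12 (.pfx) file as PEM.
    stray = [ln.strip() for ln in PEM_BLOCK.sub("", text).splitlines() if ln.strip()]
    problems = []
    if stray:
        problems.append("non-PEM text outside blocks: %r" % stray[0])
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    return {"labels": labels, "stray": stray, "problems": problems}

# Constructed sample contents: the base64 bodies are placeholders, not real keys.
BODY = "Q09OU1RSVUNURUQ="
CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % BODY
KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n"
       "-----END ENCRYPTED PRIVATE KEY-----\n" % BODY)
BAG = "Bag Attributes\n    friendlyName: constructed-example\n"

SAMPLES = {
    "pfx dumped to PEM": BAG + CERT + BAG + KEY,   # attributes before each block
    "after openssl x509": CERT,                    # x509 writes the certificate only
    "certificate plus key": CERT + KEY,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = inspect_identity(text)
        print(name, result["labels"], result["problems"] or "ok")
```

To check a real file, pass its text to `inspect_identity`, for example `inspect_identity(open(path).read())`.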