on 2019 May 31 12:03 PM
I've tried a couple of ways to start MobiLink with a certificate from LetsEncrypt, but so far with no success.
First I tried getting a certificate using this method:
.\wacs.exe --store centralssl --centralsslstore C:\CentralSSL\
which creates the certificate and stores it as C:\CentralSSL\mycertificate.pfx. Then I tried starting MobiLink with the -x option set to
-x HTTPS(host=172.254.35.101;port=443;identity=C:\CentralSSL\mycertificate.pfx)
However, mlsrv17 fails to start, and gives the error
SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x00000000
So I tried converting the .pfx file to a .crt file using openssl and changing the MobiLink -x option appropriately, but still get a parsing error, this time:
SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x0d0680a8
Then I tried another way, to get and install the certificate using this method
.\wacs.exe --store certificatestore --certificatestore My
which creates the certificate in the Windows Certificate Store. However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?
Has anyone ever tried this? Any advice?
EDIT:
A bit more information - I discovered that the .crt file generated above contains Bag Attributes before the actual certificate. I removed them with the command
openssl x509 -in mycertificate.crt -out mycertificate.crt
and then MobiLink starts without complaint BUT the connections still fail, now with error code 8. I know it's not specifically a network problem since it all works fine with HTTP.
Can you describe what you mean by "use a certificate from LetsEncrypt"?
LetsEncrypt is a Certificate Authority (CA). What is typically stored in the certificate store for a CA is the public certificate for that CA, which is used by clients connecting to a server, not the server itself.
Typically, you'll create a certificate request, which consists of a public and private portion. The private portion is password protected, and you typically don't let anyone else see that. You send the public portion of your certificate request to a CA, they sign it, then return the signed certificate request to you. This signed public certificate request along with the private portion of your certificate request make up your identity file, which is what you need to provide to the ML Server, along with the password for your private certificate. Now, any MobiLink Client that wants to connect to the ML Server can do so as long as they have the public certificate for the CA that signed your request.
I don't think exporting the LetsEncrypt certificate from the certificate store will get you a server-side certificate that you can use when starting the MobiLink Server.
Reg
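An added example, not part of the original posts: a structural check of a PEM identity file against the description in the answer above (signed certificate plus private key), which also drops the Bag Attributes text mentioned in the question's EDIT. The function names and sample data are constructed for illustration, the payloads are placeholder bytes rather than real DER, and none of this is MobiLink's own validation.

```python
import base64
import binascii
import re

# One PEM block; anything outside a block (e.g. "Bag Attributes") is not matched.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return [(label, raw_block, decodes_ok)] for every PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        # Skip header lines ("Proc-Type: ...") that legacy encrypted keys carry.
        b64 = "".join(l.strip() for l in m.group(2).splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
            ok = True
        except binascii.Error:
            ok = False
        out.append((m.group(1), m.group(0), ok))
    return out

def clean_pem(text):
    """Keep only the PEM blocks, verbatim, dropping Bag Attributes and stray text."""
    return "".join(raw + "\n" for _, raw, _ in split_pem(text))

def check_identity(text):
    """Structural check only: is there a certificate and a private key?"""
    blocks = split_pem(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no certificate")
    if not keys:
        problems.append("no private key")
    problems += [f"{label} block is not valid base64" for label, _, ok in blocks if not ok]
    return {"certificates": len(certs), "private_keys": len(keys), "problems": problems}

def _pem(label, payload):
    # Constructed sample block: placeholder bytes, not a real certificate or key.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed input shaped like a .pfx converted to PEM with openssl.
SAMPLE_FROM_PFX = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
                   + _pem("CERTIFICATE", b"constructed leaf certificate")
                   + "Bag Attributes\n    friendlyName: constructed\n"
                   + _pem("PRIVATE KEY", b"constructed private key"))
CERT_ONLY = _pem("CERTIFICATE", b"constructed leaf certificate")  # cert, no key
```

The output of openssl x509 contains only the certificate block, so a file produced that way is reported by check_identity as having no private key.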
Thanks for your reply. I've been using LetsEncrypt for a number of years to create certificates for https with nginx under linux. Also, I have previously been able to use them with IIS under Windows. However, there is a new way to get them for Windows using the wacs program that I mentioned in the OP but it doesn't seem to be working for me. Have you used the new wacs program? Any help there would be appreciated.