SystemLink Forum

cancel
Showing results for 
Search instead for 
Did you mean: 

LetsEncrypt support / tutorial

Solved!
Go to solution

Thanks, that's a better idea to do it there. I'll just ignore the config tool 😉

0 Kudos
Message 11 of 16
(1,740 Views)

andre.buurman@carya wrote:

 

This doesn't require you to install the certificates via the web server config tool.


Note that depending on the clients you use to access the web server, you may need to manually keep C:\ProgramData\National Instruments\Web Server\config\root.cer up to date as well if you aren't going through the NI Web Server configuration utility. It contains the root CA certificate for the SystemLink API, at least the LabVIEW version, to communicate with the server securely, even when using a self-signed certificate.

 

The configuration utility will attempt to check and synchronize that file each time you launch it, which may interfere with you manually updating it.

0 Kudos
Message 12 of 16
(1,731 Views)

Hi Paul,

 

What's the life span of that certificate? Isn't there an automated renewal of that certificate as I can imagine that no sys admin would startup the config util on a regular basis just to update that certificate? Or is that certificate depending on e.g. the LetsEncrypt certificate?

 

Trying to understand the certifcate update scheme and interdependencies. In my current setup I'm not overwriting the orginal SL certifcates, just pointing the web server to a different set.

Regards,
André (CLA, CLED)
0 Kudos
Message 13 of 16
(1,712 Views)

andre.buurman@carya wrote:

 

What's the life span of that certificate? Isn't there an automated renewal of that certificate as I can imagine that no sys admin would startup the config util on a regular basis just to update that certificate? Or is that certificate depending on e.g. the LetsEncrypt certificate?


The root.cer file is the CA certificate from Let's Encrypt, which isn't going to change very often. Specifically, I believe it would be the ISRG Root X1 that you can download from https://letsencrypt.org/certificates/ (pem format).

 

For maximum compatibility, you'll also want to ensure the certificate file that the web server is using contains the intermediate certificate chain. I'm not familiar with the Let's Encrypt tools to know whether the certificate it gives you already contains the chain or not, but it would be a series of certificates one after the other in the same .cer file. From that same link, I believe that means you would want the Let’s Encrypt R3 certificate appended to yours.

0 Kudos
Message 14 of 16
(1,705 Views)

Sorry for hijacking a closed thread, Posting it here since my question involves modifying the default webservice conf file.

 

Q: Is there a way to configure the webservices to verify the client certificate and also to provide the path to the client CA?

I'm trying to do two way SSL / Mutual authentication.

 

Configuring the HTTP client to authenticate/verify the server is straight forward, On the webservices side we don't have the option to enable the client verification.

 

niembeddedws.conf file has options to configure the server certs but no options to enable client verification/Client CA to configure.

 

Any help in this regard is greatly appreciated,

 

Thanks,

 

0 Kudos
Message 15 of 16
(1,428 Views)

@txs40 wrote:

Sorry for hijacking a closed thread, Posting it here since my question involves modifying the default webservice conf file.

 


Hello, I would suggest a new thread in the LabVIEW forum, particularly because niembeddedws.conf isn't related to SystemLink and actually refers to a different web server technology than the NI Web Server that this thread is referring to. I'm not sure if the web server used by LabVIEW web services can be made to support client authentication.

Message 16 of 16
(1,409 Views)