SystemLink Forum

LetsEncrypt support / tutorial

Hi,

Would LetsEncrypt integration into the NI Web Server Configuration be something that could fit into the SystemLink roadmap?

It would be awesome to be able to generate CA signed certificates with just a few mouse clicks. The utility mentioned in sources also handles task creation for certificate renewals.

I am planning on trying to get it to work based on the following sources, but I don't feel quite confident as to where the NI Apache configuration differs from the default configuration as mentioned in the sources.

Sources:

https://github.com/PKISharp/win-acme/wiki/Apache-2.4-Basic-usage

https://commaster.net/content/how-setup-lets-encrypt-apache-windows

Please advise.

Regards,
André (CLA, CLED)
Message 1 of 16

I would second this request, I think incorporating LetsEncrypt is a great idea.

Kenny

Message 2 of 16

Hi André 

This sounds like a good idea. 

I suggest posting it on the Idea Exchange board where it's much more likely to get picked up by the team responsible 🙂

Regards 

There are only two ways to tell somebody thanks: Kudos and Marked Solutions

Unofficial Forum Rules and Guidelines
Message 3 of 16

I have started to try to configure LetsEncrypt with the NI Web Server and need help with the following requirement:

LetsEncrypt executes a domain validation using an http handshake in which they generate a challenge in "htdocs/.well-known" that needs to be reachable through http.

I have my NI Web Server configured to serve SystemLink via https. NI Web Server then configures Apache to NOT serve on port 80 (http).

Can anyone help with the line I need to change in the NI Web Server httpd.conf (or includes) to allow only "htdocs/.well-known" to be reached over http, while SystemLink is served over https exclusively?

Thanks.

Regards,
André (CLA, CLED)
Message 4 of 16
Solution
Accepted by topic author andre.buurman@carya

I haven't looked into all of the requirements to use LetsEncrypt recently, but you should be able to create a new conf file in C:\Program Files\National Instruments\Shared\Web Server\conf\conf.d (named something like letsencrypt.conf) and put most of your customizations there. You should be able to make the web server listen on HTTP when HTTPS is enabled by using a conf snippet like the following:

# No need to enable HTTP if HTTPS is disabled.
<IfDefine TLS_ENABLED>
    # Enable HTTP on whatever port we are configured to use.
    Listen ${LISTEN_ADDRESS}:${HTTP_PORT}

    <VirtualHost *:${HTTP_PORT}>
        <Directory "${HTDOCS_PATH}">
            # Redirect all requests to HTTPS except for the .well-known directory.
            RedirectMatch "^(?!\/.well-known(\/|$)).*$" https://${SERVER_NAME}$0
        </Directory>
    </VirtualHost>
</IfDefine>

Standard disclaimer: that conf snippet isn't well tested and may not be best practice. Modifying the web server configuration files can affect the security of your system, may cause some features to stop working, and may break/revert on future software upgrades.

Another thing to be aware of is that the Windows version of Apache doesn't always handle server restarts as well as on Linux. Whenever the scheduled task to renew the certificate runs, it could cause new requests to be rejected for up to a minute and lose state such as logged in web browsers, open web socket connections, and SystemLink message sessions.

Message 5 of 16

Hi pspangler,

Thanks, I have it working now.

I followed your advice and added a 90_<name>.conf in conf.d with the suggested snippet.

I also needed to add 2 lines to override the configured certificate paths to point to where letsencrypt puts theirs.

I do have another question regarding: "Define SERVER_NAME"

I added an override to have it point to my SystemLink FQDN with non-standard port, so if I request anything other than the "/.well-known/" directory it would redirect to the proper https site with non-standard port instead of the default configured localhost:443.

Is this the purpose of the SERVER_NAME variable, or does it serve another purpose for which it needs to be pointing to localhost:443?

Regards,
André (CLA, CLED)
Message 6 of 16
Solution
Accepted by topic author andre.buurman@carya

andre.buurman@carya: Is this the purpose of the SERVER_NAME variable, or does it serve another purpose for which it needs to be pointing to localhost:443?

Yes, SERVER_NAME is intended to be the public FQDN:port of the web server to be used for redirects and link generation. The NI Web Server Configuration application currently sets that variable automatically based on local system configuration and the installed certificate, but the next version of SystemLink will support setting it directly in the UI for use cases such as this.

Message 7 of 16

I set up Let's Encrypt on our SystemLink server with the information in this thread and certbot for windows (https://certbot.eff.org/lets-encrypt/windows-apache).

Then I used the NI web server configuration tool to install the Let's Encrypt certificate. That works, but only until a renewal is necessary. Certbot automatically renews the certificate but then I need to manually import it into the web server. Is there a way around this?

André, you mention to override the certificate paths, did you mean in this file: C:\Program Files\National Instruments\Shared\Web Server\conf\defines.d\50_httpd-defines.conf? If I use the symlinks in the certbot "live" folder, the web server config tool cannot find the certificate (see screenshot).

Message 8 of 16

removed duplicate post

Regards,
André (CLA, CLED)
Message 9 of 16

Hi,

Yes, I did an override of the certificate paths as well as a http exception for the challenge.

I created a new file in "Shared/Web Server/conf/conf.d/90_LetsEncryptException.conf". This file is loaded last and therefore replaces earlier loaded configuration keys before it is executed.

# Override NI defines

# The name the server uses to identify itself.
Define SERVER_NAME systemlink.*****.nl:443

# The name of the certificate (.cer) and private key (.key) to use for HTTPS
# communication.
Define TLS_CERTIFICATE_PATH "C:\\ProgramData\\win-acme\\systemlink.*****.nl-chain.pem"
Define TLS_KEY_PATH "C:\\ProgramData\\win-acme\\systemlink.*****.nl-key.pem"


# No need to enable HTTP if HTTPS is disabled.
<IfDefine TLS_ENABLED>
    # Enable HTTP on whatever port we are configured to use.
    Listen ${LISTEN_ADDRESS}:${HTTP_PORT}

    <VirtualHost *:${HTTP_PORT}>
        <Directory "${HTDOCS_PATH}">
            # Redirect all requests to HTTPS except for the .well-known directory.
            RedirectMatch "^(?!\/.well-known(\/|$)).*$" https://${SERVER_NAME}$0
        </Directory>
    </VirtualHost>
</IfDefine>

This doesn't require you to install the certificates via the web server config tool.

Make sure your SERVER_NAME matches the one in the certificate.

Regards,
André (CLA, CLED)
Message 10 of 16
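Added example (not from this thread or from NI): a small Python emulation of the RedirectMatch rule posted above, so you can check which request paths stay reachable over plain http and which get bounced to https before touching the live server. It applies the thread's own pattern to a request's URL path the way mod_alias does (query string excluded) and builds the Location from SERVER_NAME, using a placeholder host with the non-standard port discussed in messages 6 and 7. The STRICT_PATTERN is a suggestion of mine, not part of the thread: it escapes the dot in ".well-known" and exempts only the ACME challenge directory, because the posted pattern's unescaped dot also exempts paths such as "/xwell-known/...".

```python
import re

# Redirect rule as posted in this thread (Apache mod_alias RedirectMatch, PCRE syntax;
# Python's re engine evaluates this particular pattern the same way).
ORIGINAL_PATTERN = r"^(?!\/.well-known(\/|$)).*$"

# Tightened variant suggested here as an assumption, not taken from the thread:
# the dot is escaped and only the ACME HTTP-01 challenge directory is exempted.
STRICT_PATTERN = r"^(?!\/\.well-known\/acme-challenge(\/|$)).*$"


def redirect_target(path, server_name, pattern=ORIGINAL_PATTERN):
    """Emulate `RedirectMatch "<pattern>" https://${SERVER_NAME}$0`.

    `path` is the request's URL path (query string excluded, since RedirectMatch
    matches the path only). Returns the https Location Apache would answer with,
    or None when the request is left to be served over plain http.
    """
    match = re.match(pattern, path)
    if match is None:
        return None
    # $0 in mod_alias substitutions is the whole matched path.
    return "https://%s%s" % (server_name, match.group(0))


def plain_http_paths(paths, pattern=ORIGINAL_PATTERN):
    """Return the subset of `paths` that the rule leaves reachable over http."""
    return [p for p in paths if redirect_target(p, "unused", pattern) is None]


# Constructed sample requests; the host name is a placeholder, not from the thread.
SERVER_NAME = "systemlink.example.nl:8443"
SAMPLE_PATHS = [
    "/",                                     # SystemLink UI: must redirect
    "/login",                                # must redirect
    "/.well-known",                          # exempt via the `$` alternative
    "/.well-known/acme-challenge/token123",  # the ACME challenge: must stay on http
    "/.well-known/other",                    # not needed for ACME
    "/xwell-known/secret",                   # unescaped dot treats 'x' like '.'
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("%-40s original -> %-48s strict -> %s" % (
            p,
            redirect_target(p, SERVER_NAME),
            redirect_target(p, SERVER_NAME, STRICT_PATTERN)))
```

Running it shows that with the posted pattern "/.well-known/other" and "/xwell-known/secret" are also served over http, while the strict pattern leaves only the acme-challenge path exempt; everything else is redirected to https on the SERVER_NAME host and port, which is why SERVER_NAME has to be the public FQDN:port as message 7 explains.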