Blog

All Blog Posts  |  Next Post  |  Previous Post

Enable HTTPS in your REST server with Free SSL/TLS Certificate from Let’s Encrypt

Bookmarks: 

Thursday, April 19, 2018


Updated: April 11th, 2021.

One of the most important aspects of a REST API server is security. It should be mandatory that your data is encrypted while being transferred between client and server. And the “standard” way to do such encryption is using HTTP Secure (HTTPS).

TMS Software Delphi  Components

To support HTTPS in your server, you need an SSL/TLS certificate. Not so long ago, this was a task that was relatively annoying/hard to do, and it would also require you to pay yearly fees for that. That’s not true anymore, since the release of Let’s Encrypt. From their website: “Let’s Encrypt is a free, automated and open Certificate Authority”. What does that means, basically? You can now have SSL/TLS certificates for free. And automatically!

You can use Let's Encrypt to generate SSL/TLS certificate for any TMS Sparkle-based server (like TMS XData, for example). Thus, if you want more info about Let’s Encrypt and how its system works, please visit their web site to learn more about how it works.

To install a Let’s Encrypt certificate in your TMS Sparkle server, we are going to use a tool named win-acme (Simple ACME Client for Windows, WACS - Windos ACME Simple). It was formerly called letsencrypt-win-simple (LEWS). 

The tool is very simple to use and self-explanatory. There are many ways to validate your certificate, from self-hosted server to DNS modifications, including Cloudflare integration, for example. Refer to WinAcme documentation to learn what's the best option for you.

The only trick you need to be aware is that when WinAcme generates a certificate (regardless if it's a new or renewal), it gives you the possibility to execute a batch script. This is very useful so we can automatically bind the new certificate with Sparkle using netsh tool.

So, you can simply create a file named bindcertificate.bat - as suggestion, use the name you want - with the following content: 

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=%1 certstorename=%2 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The GUID in appid above could be anything. You can change to a GUID value you want, or just use what's there. 

And ask WinAcme to execute such script upon every certification generation. LE will then pass the certificate footprint in parameter %1 and the store name in parameter %2, and the certificate will be bound to Sparkle automatically in each renewal.

And that's it! Your server now supports HTTPS forever, for free!



Wagner Landgraf


Bookmarks: 

This blog post has received 12 comments.


1. Thursday, April 19, 2018 at 1:53:49 PM

I watched the video and it all looks very easy.
Thanks for sharing it with us.

Ronald Janse


2. Thursday, April 19, 2018 at 2:04:52 PM

Glad you liked Ronald, thank you.

Wagner R. Landgraf


3. Thursday, April 19, 2018 at 7:00:20 PM

Sweet !! Thanks

Farias Anderson


4. Thursday, April 19, 2018 at 8:52:06 PM

Thanks Anderson, you''re welcome!

Wagner R. Landgraf


5. Friday, April 20, 2018 at 1:49:14 AM

This is excellent!

Ian Barker


6. Friday, April 20, 2018 at 1:00:09 PM

Thanks Ian!

Wagner R. Landgraf


7. Tuesday, May 08, 2018 at 2:29:39 PM

tentei não consegui instalar segui todos os passo .
Erro apresentado:

1-[EROR] Error encoutered whila opening certificadostore. the system cannot find file especified

2-[EROR] create certificate the system cannot find the file especificad
vc teria uma sugestão pra me ajudar

To instalando no windows sever 2008 r2

Grupo WS sISTEMA


8. Monday, May 14, 2018 at 6:58:28 PM

Envie um e-mail para o nosso suporte com as informações detalhadas para podermos ajudar!

Wagner R. Landgraf


9. Wednesday, October 10, 2018 at 4:19:27 PM

Really great, works like a charm, thanks!

Bossier Peter


10. Wednesday, October 10, 2018 at 4:38:25 PM

Thanks Peter ;)

Bruno Fierens


11. Monday, March 29, 2021 at 1:08:39 AM

Hello, could you please update this article? I cannot process the step: Create LetsEncrypt account.
It looks that ACME Client which you mentioned is not supported.
See my error code:
"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2"

Could you please help me how to continue?

Ondrej Pillar


12. Monday, March 29, 2021 at 1:50:12 PM

You can download their latest version. The process is pretty much the same, just the option names and order might have changed.

Wagner R. Landgraf




Add a new comment:
Author:
Email:
  You will receive a confirmation mail with a link to validate your comment, so please use a valid email address.
 
Comment:
 
 

All fields are required.
 



All Blog Posts  |  Next Post  |  Previous Post