SSL with EWB

Fri, Apr 13 2018 9:01 AM
kamran | Hi,

Anybody care to explain how the new EWB with SSL will operate? Assuming I have multiple domains: http://www.abc.com http://www.xyz.com

1. Would we still need to purchase an SSL certificate for *each* of the different domains from Geosign, Comodo etc.?
2. A lot of talk of STunnel here... is that still required after EWB 3 is out?
3. Is it SSL certificate per website or SSL per IP address?
4. To understand better... could that be illustrated in a real-life scenario with particular reference to an EWB Web App running under SSL?
5. Any recommendations for buying an "SSL cert" for use with multiple (different) domains?

Thanks
Kamran
Fri, Apr 13 2018 9:59 AM
Matthew Jones | kamran wrote:
> Any recommendations for buying "SSL cert" for use with multiple (different) domains ?

I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates. It isn't hard to allow support: you have to permit HTTP traffic to /.well-known, and you have to update with the new certificates when they are available. With those two things, anyone can add support. And if the server doesn't support HTTP (only SSL/TLS), then the first part is easy to do anyway. I have a little service that takes an HTTP request and redirects the browser to https, unless it is a /.well-known request. This allows people to use the easy default for their browser entry, and end up on the https service.

The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point.

But I am happy to assist Tim in any way with Let's Encrypt code. I have a basic system that works for this - not particularly pretty, but viable for such integrating - and am aware of a pure Delphi solution too (ICS library based).

-- Matthew Jones
Fri, Apr 13 2018 3:32 PM
Raul Team Elevate | On 4/13/2018 9:01 AM, kamran wrote:
> Anybody care to explain how the new EWB with SSL will operate ?

Tim is the only one at this point that would know the full details, but SSL/TLS is pretty generic in terms of operation. The certificate side of things is generally independent of any specific implementation, so here's an attempt to answer some of these.

> 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign,Comodo etc

If you want a Certificate Authority signed cert then yes, you need to obtain one cert per host(s), or per domain if going for a wildcard. Let's Encrypt is free and Matthew mentioned it. Otherwise you have to buy. You can self-sign if you fully control all clients as well, but considering how cheap or free certs are I'd use Let's Encrypt or Comodo (through K Software, for example).

> 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ?

Likely not if EWB has native TLS support. However, the overall operation would be the same as with stunnel - you provide certs to allow comms encryption.

> 3. Is it SSL certificate per website or SSL per IP Address ?

A certificate cannot be assigned to an IP at all. Only to DNS names/domains. You can do either a cert with a single host (or multiple hosts if the CA supports subject alternative name - most do) or a wildcard per domain (*.abc.com for example) for unlimited hosts for the same domain.

> 4. To understand better ..could that be illustrated in a real life scenario with particular reference to an EWB Web App running under SSL

Can you clarify? EWB would not be any different than any other TCP based server using certs (from Apache to SQL).

> 5. Any recommendations for buying "SSL cert" for use with multiple (different) domains ?

Let's Encrypt (https://letsencrypt.org/) is totally free, but you really want to automate the renewal since these are 90 day certs. And they now issue wildcards as well. Otherwise we have used K Software and like them - they resell Comodo for $20/year/cert (http://ksoftware.net/ssl_certs.html).

Raul
Fri, Apr 13 2018 3:39 PM
Raul Team Elevate | On 4/13/2018 9:59 AM, Matthew Jones wrote:
> I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, that EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates.

No doubt you can use LE certs - they are regular certs. However, if you mean automating requests and auto renewal....

> It isn't hard to allow support - you have to permit http traffic to /.well-known, and you have to update with the new certificates when they are available.

It's not hard, but it's not trivial either to add ACME protocol support. A dev doing it manually using a 3rd party client is likely the easiest in the beginning. We looked into it for a bit, but for now are doing it partially manually since the number of certs we require is small.

> The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point.

That would be nice. TLS SNI is the only way to really achieve this AFAIK (server on the same port/IP for all domains).

Raul
Sat, Apr 14 2018 5:51 AM
Matthew Jones | Raul wrote:
> > It isn't hard to allow support - you have to permit http traffic to /.well-known, and you have to update with the new certificates when they are available.
>
> It's not hard but it's not trivial either to add ACME protocol support.
>
> Dev doing it manually using 3rd party client likely is easiest in the beginning.

That's why I suggested the specifics I did - the server just has to do two things: allow HTTP access to a .well-known directory, and update a certificate when it sees a new one appear. The rest can be done using whatever tool someone wants to put in place then. I have such tooling from open source and a single thread object I include in my servers. Perhaps I should document it... If this is of interest, let me know.

-- Matthew Jones
Sat, Apr 14 2018 11:38 AM
Raul Team Elevate | On 4/14/2018 5:51 AM, Matthew Jones wrote:
> That's why I suggested the specifics I did - the server just has to do two things - allow HTTP access to a .well-known directory, and update a certificate when it sees a new one appear. The rest can be done using whatever tool someone wants to put in place then. I have such tooling from open source and a single thread object I include in my servers. Perhaps I should document it... If this is of interest, let me know.

That would be fantastic - would love to see what you've done to make it more automated, and then maybe I can contribute something back.

Every time I do the semi-manual process we use - which is approximately every 90 days - I'm thinking of improving it, but it takes like 10 min and there are always other more pressing matters....

Raul
Mon, Apr 16 2018 10:14 AM
Tim Young [Elevate Software] | << 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign,Comodo etc >>

Yes, unless you get a wildcard certificate.

<< 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ? >>

No.

<< 3. Is it SSL certificate per website or SSL per IP Address ? >>

It is per-domain. With EWB 3, you'll simply purchase the cert, install it into Windows using the cert provider's instructions, and then select it for use in the EWB 3 web server settings.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Apr 16 2018 10:19 AM
Tim Young [Elevate Software] | Matthew,

<< I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, that EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates. >>

Nope, at least not for a while. I've got a list a mile long with EWB, and I'm months out on any new features that aren't already on the list.

<< The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point. >>

EWB 3's web server does *not* support multi-tenancy. Remember, it's a *free* web server that we're providing for convenience along with EWB so that deployment is simple and easy for small to medium installations. If you're using more than one domain, then you'll need to set up 3 different named servers with different settings.

<< But I am happy to assist Tim in any way with Let's Encrypt code. I have a basic system that works for this - not particularly pretty but viable for such integrating, and am aware of a pure Delphi solution too (ICS library based). >>

It's never the code that's an issue - it's the amount of time needed to document and support it. I'm trying to keep things as simple as possible, and becoming the primary support point for cert acquisition/expiration, etc. issues is not something that I'm interested in dealing with at this time.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Apr 16 2018 3:39 PM
kamran | Hi,

*Thanks* to everyone for clarifying SSL with EWB.

Cheers
Kamran

Tim Young [Elevate Software] wrote:
<< 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign,Comodo etc >>

Yes, unless you get a wildcard certificate.

<< 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ? >>

No.

<< 3. Is it SSL certificate per website or SSL per IP Address ? >>

It is per-domain. With EWB 3, you'll simply purchase the cert, install it into Windows using the cert provider's instructions, and then select it for use in the EWB 3 web server settings.

Tim Young
Elevate Software
www.elevatesoft.com
Tue, Apr 17 2018 4:49 AM
Matthew Jones | Tim Young [Elevate Software] wrote:
> I'm trying to keep things as simple as possible

Which is indeed fair enough. There are just two things to do to allow "third party" certificate updates, and both are probably easy if you do nothing.

1. Allow HTTP access to the /.well-known/ path and those underneath. If you are not doing anything on the HTTP port, that's sorted.
2. Allow some way to reload the certificate. At worst, that's restarting the service. At best, spotting that a new certificate file has appeared and adopting it at a convenient moment (determining "convenient" is the hard part!). The intermediate is allowing some way for the service to be told to adopt without a full shut down.

With those two facilities, which as I say can be done without explicit support if necessary, a third party solution can be used. I shall look into a way to get my solution out as a demo. It isn't pretty, but it has worked on my machines for some years now, and has been reliable.

-- Matthew Jones
This web page was last updated on Friday, September 13, 2024 at 03:42 PM. © 2024 Elevate Software, Inc. All Rights Reserved.