CORS SSL Certificate

Hi,

This is nothing to do with Web Core as such. CORS has been working fine but today it failed. I tracked it down to the fact that my certificate registered in HTTPConfig had expired. The certificate had been automatically renewed. Is there any way of updating the entry in the HTTPConfig SSL settings?

Thanks,

Ken

I honestly haven't tried this yet, but there's a blog post here that suggests a way to automate the certificate updates, at least in the case of Let's Encrypt. The non-automated way is to remove the entries in the TMS HTTPConfig Tool and re-add them again with the new certificate. Not so fun.

Also, if you're interested in monitoring your SSL certificate, you can get the expiration date using curl via something like the following.

curl https://carnival.500foods.com:10414 -vI --stderr - | grep "expire date" | cut -d":" -f 2- | cut -c2-7

This returns something like "Aug 29". Handy if you have a place to show the output. I use HomeAssistant and add this to its dashboard for all the domains (and XData servers) that use SSL. Then I can tell when they are renewed automatically, in some cases, or need attention, in others.

A similar curl command can be used to check whether a server is running. For a regular website (or a TMS WEB Core project) it might look like this.

response=$(curl -Lik -m 3 https://www.500foods.com/ -o /dev/null -w "%{http_code}\n" -s); test "$response" -eq 200 && echo "Up" || echo "Down"

For an XData server, you can try something like this, where the presence of the Swagger page is used to confirm that the XData server is running.

response=$(curl -Lik -m 3 https://carnival.500foods.com:10414/Core/swaggerui/ -o /dev/null -w "%{http_code}\n" -s); test "$response" -eq 200 && echo "Up" || echo "Down"

These can be combined into a functional display like this. No doubt any other kind of dashboard would work as well, just using HomeAssistant as an example here.

I had a run at updating the renewal certificates automatically. Success! But not quite as simple.

So as the blog post suggests, you'll need a script to run when the renewal happens. It needs a key and a location for where the certificate is stored, so the script is good there. E.g., in C:\scripts\renewal.bat, something like the following.

REM %1 = thumbprint (certhash) of the renewed certificate, %2 = certificate store name
REM Each port is rebound to the same certificate: delete the old binding, then add the new one.
ECHO Renewing SSL: Port 443
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=%1 certstorename=%2 appid={00000000-0000-0000-0000-000000000000}

ECHO Renewing HTTP: Port 80
netsh http delete sslcert ipport=0.0.0.0:80
netsh http add sslcert ipport=0.0.0.0:80 certhash=%1 certstorename=%2 appid={00000000-0000-0000-0000-000000000000}

ECHO Renewing HexaGongs: 65432
netsh http delete sslcert ipport=0.0.0.0:65432
netsh http add sslcert ipport=0.0.0.0:65432 certhash=%1 certstorename=%2 appid={00000000-0000-0000-0000-000000000000}

In my case, it is one IP with multiple ports, so the process involves adding the same SSL cert for each. All good so far.

If you're using the Win-Acme tool with LetsEncrypt (wacs.exe), it registers a "renewal" task in the Windows Task Scheduler. You have to use the wacs command to update this renewal. The important bit is to adjust the "installation" option:

Here, you want to launch the script and pass it the two parameters we need: {CertFingerprint} and {StoreName}:

After which it will run the script right away, renewing the certificates and (presumably!) doing this each time a renewal occurs.

And an extra word of caution - if you don't pass the correct parameters to the script, as it is written, the "delete" part of the script will still happen - leaving you with no certificates. Be sure to test well before going for lunch :wink:

Also, be sure that you're using the latest version of WinAcme - some of this stuff will very likely not work otherwise - I had to update mine, even though it wasn't that old.

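Picking up the caution above (the "delete" runs even when the parameters are wrong), here is an added PowerShell variant of the renewal script; it is not code from this thread or from win-acme. It validates the thumbprint and confirms the certificate is present in the named LocalMachine store and unexpired before it deletes any HTTP.sys binding, then reads each binding back. The file name and the assumption that the renewal hook passes the thumbprint and store name as the first two arguments are mine; the ports are the ones from the script above.

```powershell
# rebind-sslcert.ps1 (hypothetical name): safer replacement for renewal.bat.
# Assumes the ACME client's post-renewal hook calls it as
#   powershell.exe -File C:\scripts\rebind-sslcert.ps1 <thumbprint> <storeName>
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [Parameter(Mandatory = $true)][string]$StoreName,
    # Ports from the thread's script; adjust to your own bindings.
    [int[]]$Ports = @(443, 80, 65432),
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}'
)

# Normalise the thumbprint: strip spaces/colons, upper-case, require 40 hex chars (SHA-1).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) {
    throw "Refusing to touch bindings: '$Thumbprint' is not a valid certificate thumbprint."
}

# Confirm the certificate exists in LocalMachine\<store> and is not already expired
# BEFORE any existing binding is deleted. This is the check renewal.bat lacks.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) {
    throw "Refusing to touch bindings: no certificate $Thumbprint in LocalMachine\$StoreName."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Refusing to touch bindings: certificate $Thumbprint expired on $($cert.NotAfter)."
}

foreach ($port in $Ports) {
    $ipport = "0.0.0.0:$port"
    # Remove any current binding on this port; a missing binding is not an error here.
    netsh http delete sslcert ipport=$ipport | Out-Null
    netsh http add sslcert ipport=$ipport certhash=$Thumbprint certstorename=$StoreName appid=$AppId | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed for $ipport (exit code $LASTEXITCODE)."
    }
    # Read the binding back and verify HTTP.sys now reports the new thumbprint.
    $shown = (netsh http show sslcert ipport=$ipport) -join "`n"
    if ($shown -notmatch $Thumbprint) {
        throw "Binding for $ipport does not show $Thumbprint after add; check manually."
    }
    Write-Output "$ipport bound to $Thumbprint (valid until $($cert.NotAfter))"
}
```

Because every check happens before the first delete, a hook that passes an empty or wrong argument leaves the existing (still valid) bindings in place instead of removing them.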

Hi Andrew,

Thanks for your detailed investigation into this.

I use Certify The Web to renew my LetsEncrypt certificates. I already use its built-in task to save the new certificate to the local store, but looking at it further, it also looks as if it can update the bindings.

I will experiment with this tomorrow and let you know how I get on.

Thanks,

Ken

Whoops... {StorePath} rather than {StoreName} (screenshot is correct).

Sorry, I forgot about this.

I can confirm that Certify the Web can automatically update the SSL key binding.

Great! Always nice to have multiple options.

Also, check out this question ->

