Certificate for Secured WebSocket


#1

I’m developing my own websocket server. It works fine for the ws (http) handshake, and now I want to go on, making a secured handshake (https) via TLS 1.2. So I need a certificate with the private key available to make it run. The websocket server is running standalone without any commercial internet servers, listening on port 80 for ws communication and 443 for https wss communication. The websocket server has a separate IP totally isolated from my web provider, but it will be accessed from an https web page.

Which certificate do I need to use, and is it possible to get it from Let’s Encrypt? I need all necessary files to load the certificate data myself, so that browsers are satisfied and tell users they have a secured connection.


#2

Hi @Symundo

you need a certificate with the correct domain name you are using. So if the web page wants to connect

https://www.example.com/

you need a certificate with the domain name www.example.com. It’s irrelevant if you use Letsencrypt or another CA.

If you want a certificate, you always have a private key and a signed public key. Then it’s a question of your software using these files correctly.


#3

Seems you are German, me too.

The server currently has an IP only. The websocket server will be accessed by something like

“ws://85.183.71.58:80/chat”

This IP is static, provided by Telefonica in Germany.

Is this any problem?


#4

You can’t create a publicly trusted certificate via Letsencrypt with a domain name. There are some - rare - websites with IP certificates (like https://1.1.1.1/ ), but this is something for the future.

So your server needs a public domain name and a connection like

wss://yourdomain/chat


#5

OK, how do I get this public domain name?
Do I have to ask my web provider Telefonica?


#6

I don’t know if Telefonica offers domains. But you can ask your webhoster or a standalone domain registrar (sample: INWX).


#7

This is Strato. Do you agree to ask them?


#8

Perhaps. More relevant: What client can you use?

You need a client to get a certificate. And you need a working challenge. If you don’t have a webserver, you can use DNS validation. But then it’s good if your DNS provider has a supported API.

INWX has an API. I don’t know if Strato has one.


#9

Now I understand.

My Strato Hoster page is https://www.tap-con.de

For my external server I use

www.tap-con-WS.de for example registered independently for IP 85.183.71.58

Then I would get a certificate for, right?


#10

I need access to several pieces of data, reading them from a file. Here is the certificate, but not as hex, of course.

' Converts a string of hex digit pairs into a byte array
' (helper added here; the posted snippet calls HexToByte without defining it)
Private Function HexToByte(ByVal sHex As String) As Byte()
    Dim b() As Byte
    Dim i As Long
    ReDim b(0 To Len(sHex) \ 2 - 1)
    For i = 0 To UBound(b)
        b(i) = CByte("&H" & Mid$(sHex, 2 * i + 1, 2))
    Next i
    HexToByte = b
End Function

' Returns the raw bytes the server loads as its certificate data
Public Function GetCertData() As Byte()
    Const sCert = "080000240022000A00140012001D00170018001901000101010201030104001C" _
                & "00024001000000000B0001B9000001B50001B0308201AC30820115A003020102" _
                & "020102300D06092A864886F70D01010B0500300E310C300A0603550403130372" _
                & "7361301E170D3136303733303031323335395A170D3236303733303031323335" _
                & "395A300E310C300A0603550403130372736130819F300D06092A864886F70D01" _
                & "0101050003818D0030818902818100B4BB498F8279303D980836399B36C6988C" _
                & "0C68DE55E1BDB826D3901A2461EAFD2DE49A91D015ABBC9A95137ACE6C1AF19E" _
                & "AA6AF98C7CED43120998E187A80EE0CCB0524B1B018C3E0B63264D449A6D38E2" _
                & "2A5FDA430846748030530EF0461C8CA9D9EFBFAE8EA6D1D03E2BD193EFF0AB9A" _
                & "8002C47428A6D35A8D88D79F7F1E3F0203010001A31A301830090603551D1304" _
                & "023000300B0603551D0F0404030205A0300D06092A864886F70D01010B050003" _
                & "81810085AAD2A0E5B9276B908C65F73A7267170618A54C5F8A7B337D2DF7A594" _
                & "365417F2EAE8F8A58C8F8172F9319CF36B7FD6C55B80F21A03015156726096FD" _
                & "335E5E67F2DBF102702E608CCAE6BEC1FC63A42A99BE5C3EB7107C3C54E9B9EB" _
                & "2BD5203B1C3B84E0A8B2F759409BA3EAC9D91D402DCC0CC8F8961229AC9187B4" _
                & "2B4DE100000F000084080400802012FF241B6BFA58B042CCC7AC837AC0C58E9C" _
                & "87EB6202F1715C07EF47A295E297B57FD0CFADA0A29EE7D3AAC739F985EA0071" _
                & "A01C8BF5BB9C45A2E2F0C9E1D46279C3ABD736453374A9DA1074CF3F61922C23" _
                & "9FB15E9C99FBCD0C6EB528552159FFD1742B93B5A030B5FA324B0673717BD934" _
                & "3CC69E047655D34A2303B0347B14000020645DF111E961ED67985FF04E4CEA9D" _
                & "508FB1997FDC1923BA2622EFB1E580E7FD"
    GetCertData = HexToByte(sCert)
End Function

#11

Then you have already a domain name you can use.


#12

Confused.
I have asked Strato for a certificate but they cannot / are not willing to give me one. They say this is a certificate used for all websites of Strato.

I cannot use the same domain name for different IPs to access, was my opinion; in this special case the IPs of Strato and mine are totally different.
But maybe I’m not well informed.


#13

Then you should first read some basics.

If you create your own webclient, normally you need a server with root access. So you don’t use a certificate from Strato. Instead, install your own client and create your own Letsencrypt certificate.


#14

Probably @JuergenAuer has already explained this completely, but I’ll try to summarize again:

  • Your certificate needs to be for a public DNS domain name
  • It needs to be a name that you control, or that is pointed at a server that you control
  • You create the certificate yourself, by running a Let’s Encrypt client application (normally on the web server itself)
  • After doing this, you’ll have all of the associated files; you also need to renew (that is, re-request) the certificate regularly because it’s only valid for 90 days

For example, if you had ws.example.com pointed at your server, you could install a Let’s Encrypt client application on that server and then use that application to request a Let’s Encrypt certificate covering ws.example.com. Let’s Encrypt would connect to the server to confirm that you control it, and then issue the certificate, which the client application would save on disk.

I would note that I don’t see www.tap-con-ws.de pointing to any IP address at all. Are you sure that this is publicly visible and not just something that you set up locally in a hosts file on your computer or something?
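The name check and the 90-day lifetime described above, as an added example that is not code from this thread or from any Let’s Encrypt client: it builds a self-signed stand-in certificate for the assumed name ws.example.com and shows that a browser-style hostname check accepts that name but rejects www.example.com and the bare IP 85.183.71.58 from the thread; it also assumes the common practice of renewing 30 days before expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed stand-in for the certificate a Let's Encrypt client would save: one DNS name in the SAN list, 90 days of validity.
func makeCert(dnsName string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // clients match the host against SAN, not CN
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostOK is the name check a browser performs for wss://host/...: a bare IP
// only matches an iPAddress SAN, so a DNS-name-only certificate fails for it.
func hostOK(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// daysUntilRenewal assumes the usual practice of renewing 30 days before expiry.
func daysUntilRenewal(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Add(-30 * 24 * time.Hour).Sub(now).Hours() / 24)
}

func main() {
	c, _ := makeCert("ws.example.com", time.Now())
	fmt.Println(hostOK(c, "ws.example.com"), hostOK(c, "www.example.com"), hostOK(c, "85.183.71.58"), daysUntilRenewal(c, time.Now()))
}
```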


#15

I would note that I don’t see www.tap-con-ws.de pointing to any IP address at all. Are you sure that this is publicly visible and not just something that you set up locally in a hosts file on your computer or something?

You are correct. Currently there is no url existing with this name. There is only an IP for my server.


#16

I don’t think the terminology you used here (“url” and “IP”) has the exact meaning that you intended.

But in any case, you can’t ever get a certificate from Let’s Encrypt for a domain if that domain hasn’t been registered yet. And tap-con-ws.de hasn’t been registered yet, so you can’t prove to Let’s Encrypt that you control it, so Let’s Encrypt can’t issue a certificate for it.