My web server is (include version): Boost.Beast version 1.0.0
The operating system my web server runs on is (include version): Windows 10
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): I do have the web server on my own computer; I wrote a C++ console app that acts as the server and it uses example server code from Boost.Beast.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A
I left the command stuff blank because I haven’t tried to run commands for this anywhere (don’t know what commands to run where, anyway).
I got a free Dynamic DNS subdomain name from dynu.com. I can’t use Port 80 or Port 443 to verify domain ownership because both Ports are used by the router. I have to open and use Ports other than one of those or 8080, so I’m using Port 5501 to host my application (it’s a web application I made).
I defined Inbound and Outbound rules in the Windows Defender Firewall settings to allow connections remotely from the IP addresses mentioned on the page for verifying domain ownership, but whenever I click the link for automatically verifying the domain name, I get an error saying that either the port, host and FTP type are wrong or the firewall is configured incorrectly. I tried to FTP and FTPS on Port 21. I’m completely lost now.
Let's Encrypt policy, and, to some extent, CA industry rules don't give you this option. To prove your control of a name via an inbound connection, you must use port 80 or port 443. (I'm not sure what software is referring to FTP, or why.) The options supported by Let's Encrypt are all described at
You might be able to use Let's Encrypt's DNS-01 challenge instead (where you create DNS TXT records to prove your control over the name). There are some previous discussions on the forum involving other dynu.net users:
Posh-ACME might be a good fit. It's a PowerShell based client which works well on Windows 10 and it has a native DNS plugin for Dynu.com. There's a note on the plugin's usage guide that indicates it may not work with Dynu provided domains. But it looks like that may be an old restriction that's not valid anymore. Or it may just be limited differently now? When I try to add a TXT record from the web GUI for one of their domains on my own account, I get this message:
This DNS record type is only available for members, top level domain names and mature (registered for more than 30 days) non dynu.com third level domain names.
Yet, when I try the same action using the Posh-ACME DNS plugin, it seems to work. I also realized the plugin is using v1 of their API which has apparently been deprecated. So I may be updating that to use their new v2 version soon.
I got a certificate via acme.sh using the method suggested in one of the other threads opened by dynu.com users. But the certificate appeared in a Git bash window and it was closed before I got the chance to copy down the certificate. Do I try it again? Is there a way to get the output copied to a text file so I can get the certificate that way?
The acme.sh certs are generally in a domain folder where the acme.sh script lives (something like ~/.acme.sh/example.com). You don’t likely need to generate a new one.
If you continue to have problems, it might also help to post the answers to the typical support questions like what command you actually ran now that you’ve chosen a client and started trying things.
I didn’t specify a directory. And the app I want to secure is in a directory inside the E drive on my computer. Also, I found the acme.sh directory but the certificate doesn’t seem to be in there.
I’ve set it so I can see hidden folders too. Could it be in the .git folder? The only other folder I have whose name has a dot at the beginning is “.github”.
Make sure you have crontab installed and enabled. Home · acmesh-official/acme.sh Wiki · GitHub
acme.sh renews certificates by cronjobs, if the cronjob service is not enabled, the renewals won't work.
After the cert is successfully renewed, how do you use the cert? You use it in IIS, or nginx or apache? After every renewal, you must copy the cert and restart/reload the server again to make the cert propagate. You must use the --installcert command: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
The doc is about Linux, you have to figure out how to restart nginx/apache on Windows.
@Neilpang and @_az : What is the DH certificate? Does this type of certificate provide that? And I did install ca.cer and dragonosman.dynu.net.cer, but the app itself as well as my domain name aren’t secured yet. Like I said before, I’ll have to do something like what’s done in this example: https://github.com/boostorg/beast/blob/develop/example/http/server/sync-ssl/http_server_sync_ssl.cpp , and what I currently have is this: https://github.com/DragonOsman/currency_converter . I made the server myself using the non-SSL sync server and client example code from Boost.Beast. Which certificate do I use, then, and what do I put for the DH certificate? And what about the fullchain?
Assuming you mean this, DH parameters are used for the ciphersuite configuration of your server. They are totally unrelated to your Let’s Encrypt certificate. You can generate this file like:
openssl dhparam 2048
Modern ciphersuite configurations use only ECDHE and not DHE key exchange, which makes worrying about the above unnecessary. But that depends on how you configure your ciphersuites.
For your certificate, you’re going to have to take your fullchain.cer file.
For your private key, you’re going to want to use your $DOMAIN.key file.
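As an added example (not from any post in this thread): a small POSIX shell script that checks, before the files are wired into a server, that $DOMAIN.key really belongs to the leaf certificate at the top of fullchain.cer and how many certificates the chain carries; make_test_pair builds a throwaway self-signed pair only so the script runs offline, and gen_dhparam is only needed if a DHE ciphersuite is actually configured. It assumes the openssl CLI is installed; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not acme.sh or Boost.Beast code. Assumes the openssl CLI.
set -eu

# Returns 0 when the private key matches the first (leaf) cert in fullchain.cer.
# A mismatch here is the usual cause of "no shared cipher"/handshake failures.
key_matches_cert() {
  fullchain="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Number of PEM certificates in the chain file (leaf first, then intermediates).
chain_depth() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Only needed for DHE ciphersuites; ECDHE-only configurations can skip it.
gen_dhparam() {
  openssl dhparam -out "$1" 2048 2>/dev/null
}

# Constructed test data: a self-signed leaf plus a second self-signed cert
# standing in for an intermediate, concatenated the way fullchain.cer is laid out.
make_test_pair() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
    -keyout "$dir/domain.key" -out "$dir/leaf.cer" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=fake-intermediate \
    -keyout "$dir/ca.key" -out "$dir/ca.cer" 2>/dev/null
  cat "$dir/leaf.cer" "$dir/ca.cer" > "$dir/fullchain.cer"
  echo "$dir"
}
```

Run key_matches_cert against the real ~/.acme.sh/$DOMAIN/fullchain.cer and $DOMAIN.key after each renewal, before reloading the server.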
I’m confused about the password callback and ctx.set_options. Also, the cert constant should be the fullchain.cer file in my case, right? And I’m assuming I don’t need anything that mentions DH. And that’s the server_certificate.hpp file. What’s the certificate used in the root_certificates.hpp file?
And since this is a hand-made server basically, how do I automate the cert renewal for it?
I can't advise you on using Boost - there's other forums and mailing lists for that.
The usual thing to do in production environments is to use a reverse proxy to handle SSL for you. That way, you do not need to worry about the implementation details of SSL and just use regular TCP/HTTP/whatever.
Common choices are nginx, Apache, etc ... though they are largely oriented around Linux.