
Changing the Mobile Listening Port for exacqVision Server

With exacqVision Server 24.09 or higher, the exacqVision Mobile app connects directly to the exacqVision Server service rather than requiring the intermediary exacqVision Web Service.

By default, the service listens for incoming mobile app connections on port 8443. The system administrator may change this manually to accommodate network needs.


Product

  • exacqVision Server, version 24.09 and above
  • exacqVision Mobile, version 24.09 and above


Steps

  1. Log into the system running the exacqVision Server instance with administrative privileges.
  2. Locate the following configuration file:
    • Windows: C:\Program Files\exacqVision\Server\nvrsdkpi.xml
    • Linux: /usr/local/exacq/server/nvrsdkpi.xml
  3. Open this XML configuration file with the text editor of your choice.
    • Windows: Open the text editor by choosing ‘Run as Administrator’.
    • Linux: Run with sudo privileges when needed.
  4. Identify the line that reads:
    <SecureUri value="0.0.0.0:8443" />
  5. Replace ‘8443’ with the port number of your choosing. Be sure this is not a port already in use.
  6. Save the file.
  7. Restart the exacqVision Server service.
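
Steps 4 to 6 on Linux can be scripted as below. This is an added example, not Exacq tooling: the function names are hypothetical, and the sample file is constructed around the one SecureUri line the article quotes.

```shell
#!/bin/sh
# Added example, not Exacq tooling: change the port in the SecureUri line of
# nvrsdkpi.xml while keeping the bind address and a backup of the old file.

# True when $1 is a plain decimal TCP port in 1..65535 (no sign, no leading 0).
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Print the port currently configured in file $1 (empty if no SecureUri line).
current_port() {
    sed -n -E 's#.*<SecureUri[[:space:]]+value="[^"]*:([0-9]+)".*#\1#p' "$1" | head -n 1
}

# 0 = a local TCP listener already owns port $1, 1 = free, 2 = cannot tell.
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 2
    if ss -ltn "sport = :$1" | tail -n +2 | grep -q .; then return 0; fi
    return 1
}

# Rewrite only the port of the SecureUri value in file $1 to $2.
# The bind address ("0.0.0.0", "[::]", ...) is left exactly as it was.
rewrite_secure_uri() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 2; }
    old=$(current_port "$1")
    [ -n "$old" ] || { echo "no SecureUri line in $1" >&2; return 3; }
    [ "$old" != "$2" ] || return 0            # nothing to do
    cp -p "$1" "$1.bak" || return 4           # keep the previous config
    tmp=$(mktemp) || return 4
    sed -E 's#(<SecureUri[[:space:]]+value="[^"]*:)[0-9]+(")#\1'"$2"'\2#' "$1" > "$tmp" &&
        cat "$tmp" > "$1"                     # cat keeps owner and mode of $1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Steps 4-6 in one call: refuse a port that already has a listener.
# When ss is unavailable the check cannot tell, and the rewrite proceeds.
set_mobile_port() {
    if port_in_use "$2"; then
        echo "port $2 already has a listener; choose another" >&2
        return 5
    fi
    rewrite_secure_uri "$1" "$2"
}

# Constructed sample: only the SecureUri line comes from the article; the
# surrounding element is a placeholder, not the real layout of nvrsdkpi.xml.
make_sample_config() {
    printf '%s\n' '<Example>' '  <SecureUri value="0.0.0.0:8443" />' '</Example>' > "$1"
}

# Usage: sudo sh set_port.sh /usr/local/exacq/server/nvrsdkpi.xml 9443
if [ "$#" -eq 2 ]; then set_mobile_port "$1" "$2"; fi
```

The previous file is kept beside the original as nvrsdkpi.xml.bak; the service still has to be restarted as in step 7.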


Creating a Self-Signed SSL Certificate

Before Beginning…

  • Self-signed certificates are NOT secure. It is recommended to use Let’s Encrypt (configurable via the web service UI) if you do not wish to pay for the cost of a trusted HTTPS certificate.
  • A self-signed certificate allows you to use a web browser, but does not work with mobile devices. Only trusted third-party certificates work with mobile devices.
  • This document assumes that ExacqVision Web Service 3.0 or later has been installed with the default settings.

Requirements

You will need the OpenSSL program to create a self-signed certificate. The method of obtaining this program varies based on the operating system used.

  • Linux – OpenSSL is included by default on all modern Ubuntu distributions. If for any reason it is not, run:
    sudo apt-get install openssl
    in a Terminal window and follow the prompts.
  • Windows – The easiest way is to obtain a pre-compiled executable from SourceForge:
    1. Navigate to http://gnuwin32.sourceforge.net/packages/openssl.htm
    2. Under the ‘Download’ section, click the link labeled ‘Zip’ beside the row labeled ‘Binaries’.
    3. After downloading, extract (unzip) the contents of this file.
    4. The executables extracted may then be run independently without installation. OpenSSL.exe is located within the ‘bin’ folder of the extracted Zip file contents. The following procedures explain how to continue.

Note: A certificate generated on either platform will work on the other (i.e., a certificate generated using openssl on Linux can be used with a Windows web service).

Windows Procedure

  1. Open a CMD window.
  2. Navigate into the unzipped directory, then into the ‘bin’ directory in which the recently extracted OpenSSL executable resides.
  3. Create a self-signed certificate by typing the following:
    openssl.exe req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key -config ..\share\openssl.cnf
  4. When running this command you will be prompted to enter several fields. Answer the questions according to your needs. COMMON NAME should be the IP address or FQDN that you use to access your ExacqVision Web Service (www.domain.com).
  5. Place the resulting files (server.crt, server.key) according to your ExacqVision Web Service version:
    • 8.4 and above: Use the web service configuration interface to configure HTTPS using the generated files.
      1. Log in to your Web Service Configuration page
      2. Expand the Configuration menu
      3. Click HTTPS
      4. Click Configure
      5. Select External and import your generated .crt and .key files.
      6. Apply the changes
      7. Click the link to restart the web service
    • 3.0 to 8.2: Use the file explorer and CMD
      1. Place the files in the following directory:
        C:\Program Files[ x86 ]\exacqVision\WebService\Apache\conf
      2. Using CMD, stop the web service: net stop webservice
      3. Using CMD, start the web service: net start webservice

Linux Procedure

  1. Open a Terminal window
  2. Create a self-signed certificate by entering the following command:
    openssl req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key
  3. When running this command you will be prompted to enter several fields. Answer the questions according to your needs. COMMON NAME should be the IP address or FQDN that you use to access your ExacqVision Web Service (www.domain.com).
  4. Place the resulting files (server.crt, server.key) according to your ExacqVision Web Service version:
    • 8.4 and above: Use the web service configuration interface to configure HTTPS using the generated files.
      1. Log in to your Web Service Configuration page
      2. Expand the Configuration menu
      3. Click HTTPS
      4. Click Configure
      5. Select External and import your generated .crt and .key files.
      6. Apply the changes
      7. Click the link to restart the web service
    • 3.0 to 8.2: Use the file explorer and Terminal
      1. Place the files in the following directory:
        /etc/evapache
      2. Using Terminal, restart the web service:
        sudo /usr/local/exacq/webservice/service.sh restart

Self-signed and Untrusted Private/Internal Certificates Cannot be Validated in the ExacqVision Client

Description 

ExacqVision Client software is unable to validate self-signed and untrusted private or internal certificates.

Product 

  • exacqVision Client

Steps to Reproduce 

  • Obtain and configure a self-signed or untrusted third-party certificate
  • Configure the exacqVision Client to “Require SSL Certificate Validation” (Configuration > Client)

Expected Results 

  • The SSL certificate is validated and you get no error message

Actual Results 

  • The SSL certificate is not validated and the following error message appears:
  • “cannot verify remote ssl certificate”

Solution

  • Purchase and configure a third-party intermediate certificate from a Certificate authority
  • Optionally you can configure the exacqVision Client not to “Require SSL Certificate Validation” (Configuration > Client)

Enabling HTTPS For exacqVision Enterprise Manager Versions 22.06 or Higher

For instructions on exacqVision Enterprise Manager version 22.03 or older, see Knowledge Base Article #12724.

The following document details how to enable HTTPS connections to exacqVision Enterprise System Manager from update 22.06 and later.

For a trusted certificate, it is recommended that you purchase a third-party intermediate certificate from one of many online providers. If you are using a third-party certificate you may skip ahead to the section titled, “Obtaining a Third-Party Certificate”. 

These steps will detail how to create a self-signed certificate, but be aware that web browsers will warn users that the certificate is untrusted if you are using a self-signed certificate or one from a private/internal certificate authority.

CREATING A SELF-SIGNED SSL CERTIFICATE

Windows

1) Click on the Windows Start button and type ‘CMD’. Right-click on the CMD icon and choose ‘Run as Administrator’.

2) Set the environmental variable that will be used by OpenSSL later by typing:

set OPENSSL_CONF=C:\Program Files\exacqVision\EnterpriseManager\apache\conf\openssl.cnf

Press Enter.

3) Change your working directory by typing:

cd "C:\Program Files\exacqVision\EnterpriseManager\apache\bin\"  

Press Enter.

4) Create a certificate request by typing:

openssl req -new -out %USERPROFILE%\Desktop\server.csr 

Press Enter.

You will be prompted to enter a PEM pass phrase. Enter anything you like but you will need to re-enter this in the following steps. 

PEM pass phrase:  

5) You will be prompted with several questions for the certificate, answer these according to your needs. COMMON NAME should be the IP address or FQDN that users will access to reach the ESM web site (ex. www.domain.com or esmserver.domain.com).

6) Remove the pass phrase by typing:

openssl rsa -in privkey.pem -out %USERPROFILE%\Desktop\server.key  

Press Enter. 

You will be prompted to enter the pass phrase you created in step 4. Enter this pass phrase and press Enter. 

7) Set the expiration date for the certificate by typing:

openssl x509 -in %USERPROFILE%\Desktop\server.csr -out %USERPROFILE%\Desktop\server.crt -req -signkey %USERPROFILE%\Desktop\server.key -days 365  

Press Enter.

8) Copy the resulting files from your Desktop to the C:\Program Files\exacqVision\EnterpriseManager\apache\conf\ directory.

Linux

These instructions were tested with exacqVision Enterprise Manager 20.09 running on Ubuntu 18.04

Step 1  Create self-signed Cert and Key files 

cd /usr/local/exacq/esm/apache/conf/
sudo openssl req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key

You will be prompted with a series of questions.
– Use data specific to your site.
– Items can be left blank with the exception of Common Name
– Common Name (e.g. server FQDN or YOUR name) should be the IP address of EM Server


Step 2 Validate the Cert and Key files 

sudo openssl x509 -noout -modulus -in /usr/local/exacq/esm/apache/conf/server.crt | openssl md5
sudo openssl rsa -noout -modulus -in /usr/local/exacq/esm/apache/conf/server.key | openssl md5

Verify that the md5 hashes match. If they DO NOT, see the troubleshooting section below before proceeding.


Step 3 Edit Apache Configuration

cd /usr/local/exacq/esm/apache/conf/extra
sudo gedit httpd-ssl.conf

Make the following changes, save the file and then close gedit.


Step 4 Restart the enterprise-webservice

sudo service enterprise-webservice stop
sudo service enterprise-webservice start


OBTAINING A THIRD-PARTY CERTIFICATE

If you are planning to acquire a third-party certificate from a trusted provider, you may need to provide them with a Certificate Signing Request (CSR) file. 

You may use our tool at the following URL to generate a CSR file: https://exacq.com/support/gencsr/

Enter all the fields, then click the ‘Submit’ button to download the ZIP file. Inside this ZIP file is the CSR file and RSA key to give to your certificate provider.

If you purchased a chained certificate, be sure to download the appropriate intermediate bundle.

Once you have downloaded the files from your provider:

  • Rename the .crt file to ‘server.crt’. 
  • Rename the .key file to ‘server.key’.
  • If you have a chained certificate, rename the chain file to ‘server-ca.crt’.

Place the renamed files from your Certificate Authority (CA) into the following directory:

  • Windows: C:\Program Files\exacqVision\EnterpriseManager\apache\conf\
  • Linux:  /etc/evapache/

TIPS

When purchasing an SSL certificate, many providers offer an Intermediate Bundle, or additional certificates that must be present to link your certificate to a root certification authority. Usually the provider will have documentation on how to accomplish this with Apache, but it is a good idea to ask them before or during the purchasing process. Exacq is not responsible for making your certificates capable of working with Apache. 

It is possible to combine all the intermediate certificates that a provider may give you into one file. Consult your provider for more information. 


ENABLING SSL FOR HTTPS CONNECTIONS

Be sure that you have followed the steps above to place the certificate files necessary for either a third-party certificate or a self-signed certificate into the correct directory before continuing with the following steps.

Windows

1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes. 

2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard. 

In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.

Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.

3) Find the following line:

LoadModule ssl_module modules/mod_ssl.so  

Remove any pound (#) sign in front of this line if there is one. 

Now, find the following line:

Include conf/extra/httpd-ssl.conf  

Remove any pound (#) sign in front of this line if there is one. 

Save the file. 

4) Still using Notepad, open the file titled ‘httpd-ssl.conf’ located in C:\Program Files\exacqVision\EnterpriseManager\apache\conf\extra

Find the following line:

ServerName www.example.com:443  

Change the ‘www.example.com’ portion of this line to ‘localhost’.

Save the file and close the window. 

5) Restart the solrApache or exacqVision Enterprise Manager Apache service in Windows services (services.msc).

Linux

1) Open a Terminal prompt.

2) Change your working directory by typing:

cd /usr/local/exacq/esm/apache/conf  

Press Enter.

3) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface, you may use a program called ‘gedit’ to make the following changes.

In the Terminal, type:

sudo gedit httpd.conf  

Press Enter.

4) Find the following line:

LoadModule ssl_module modules/mod_ssl.so  

Remove any pound (#) sign in front of the line if there is one.

Now, find the following line:

Include conf/extra/httpd-ssl.conf  

Remove any pound (#) sign in front of the line if there is one. 

Save the file and close the ‘gedit’ editor window to return to the Terminal prompt.

5) In the Terminal, type:

sudo gedit extra/httpd-ssl.conf  

Press Enter.

Find the following line:

ServerName www.example.com:443  

Change the ‘www.example.com’ portion of this line to ‘localhost’.

Save the file and close the window to return to the Terminal prompt. 

6) Restart the service in the Terminal by typing:

sudo service ESMWebservice restart  


FORCED REDIRECT FROM HTTP TO HTTPS

If you want to force users who try to access the site on port 80, using HTTP, to use the secure HTTPS connection you will need to enable a redirection.

Windows

1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes. 

2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard. 

In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.

Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.

3) Find the following lines:

#RewriteCond %{SERVER PORT} !^443$  
#RewriteRule ^/(.*) https://{HTTP_HOST}/$1 [NC,R=301,L]  

Remove the pound (#) signs in front of these two lines.

Save the file.

4) Restart the solrApache or exacqVision Enterprise Manager Apache service in Windows services (services.msc).

Linux

1) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface, you may use a program called ‘gedit’ to make the following changes.

In the Terminal, type:

sudo gedit /usr/local/exacq/esm/apache/conf/httpd.conf  

Press Enter.

2) Find the following lines:

#RewriteCond %{SERVER PORT} !^443$  
#RewriteRule ^/(.*) https://{HTTP_HOST}/$1 [NC,R=301,L]  

Remove the pound (#) signs in front of these two lines.

Save the file and close the ‘gedit’ window to return to the Terminal prompt.

3) Restart the service in Terminal by typing:

sudo service ESMWebservice restart
or
sudo service enterprise-webservice restart


TROUBLESHOOTING

1) Some versions of Internet Explorer do not easily work with services running locally or may display pages incorrectly. If this happens, try clearing the browser’s cache by pressing CTRL-F5 on the keyboard. If the problem is persistent try installing another web browser, such as Chrome. 

2) If the solrApache service fails to start after configuring it for SSL:

a) Open the Apache error logs

  • Windows:   C:\Program Files\exacqVision\EnterpriseManager\apache\logs\error.log
  • Linux:   /usr/local/exacq/esm/apache/logs/error_log

b) Look for an entry like the following:

[Wed Mar 04 09:08:54.512004 2017] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from server.crt and server.key do not match AH00016: Configuration Failed  

c) If you see this log entry, complete the following steps:

1) Change your working directory to the location of openssl.exe

  • Windows (CMD) – cd C:\Program Files\exacqVision\EnterpriseManager\apache\bin
  • Linux (Terminal) – cd /etc/evapache/extra

2) Run the following commands:

openssl x509 -noout -modulus -in ../conf/server.crt | openssl md5

Press Enter.

openssl rsa -noout -modulus -in ../conf/server.key | openssl md5  

Press Enter.

openssl req -noout -modulus -in ../conf/server.csr | openssl md5  

Press Enter.

3) Compare the resulting values output after running each of the preceding commands. Each resulting string should be identical. If the values do not match, confer with the certificate authority that issued the certificate.


Enabling HTTPS For exacqVision Enterprise Manager Versions 22.03 or Lower

IMPORTANT: For instructions on current versions of exacqVision Enterprise Manager (22.06 or higher), see Knowledge Base Article #12804.

This document details how to enable HTTPS connections to exacqVision Enterprise System Manager on versions 22.03 or lower.

For a trusted certificate, it is recommended that you purchase a third-party intermediate certificate from one of many online providers. If you are using a third-party certificate you may skip ahead to the section titled, “Obtaining a Third-Party Certificate”. 

These steps will detail how to create a self-signed certificate, but be aware that web browsers will warn users that the certificate is untrusted if you are using a self-signed certificate or one from a private/internal certificate authority.

CREATING A SELF-SIGNED SSL CERTIFICATE

Windows

1) Click on the Windows Start button and type ‘CMD’. Right-click on the CMD icon and choose ‘Run as Administrator’.

2) Set the environmental variable that will be used by OpenSSL later by typing:

set OPENSSL_CONF=C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\openssl.cnf

Press Enter.

3) Change your working directory by typing:

cd "C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin"  

Press Enter.

4) Create a certificate request by typing:

openssl req -new -out %USERPROFILE%\Desktop\server.csr 

Press Enter.

You will be prompted to enter a PEM pass phrase. Enter anything you like but you will need to re-enter this in the following steps. 

PEM pass phrase:  

5) You will be prompted with several questions for the certificate, answer these according to your needs. COMMON NAME should be the IP address or FQDN that users will access to reach the ESM web site (ex. www.domain.com or esmserver.domain.com).

6) Remove the pass phrase by typing:

openssl rsa -in privkey.pem -out %USERPROFILE%\Desktop\server.key  

Press Enter. 

You will be prompted to enter the pass phrase you created in step 4. Enter this pass phrase and press Enter. 

7) Set the expiration date for the certificate by typing:

openssl x509 -in %USERPROFILE%\Desktop\server.csr -out %USERPROFILE%\Desktop\server.crt -req -signkey %USERPROFILE%\Desktop\server.key -days 365  

Press Enter.

8) Copy the resulting files from your Desktop to the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\ directory.

Linux

These instructions were tested with exacqVision Enterprise Manager 20.09 running on Ubuntu 18.04

Step 1  Create self-signed Cert and Key files 

cd /usr/local/exacq/esm/apache_solr/apache2/conf/
sudo openssl req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key

You will be prompted with a series of questions.
– Use data specific to your site.
– Items can be left blank with the exception of Common Name
– Common Name (e.g. server FQDN or YOUR name) should be the IP address of EM Server

Step 2 Validate the Cert and Key files 

sudo openssl x509 -noout -modulus -in /usr/local/exacq/esm/apache_solr/apache2/conf/server.crt | openssl md5
sudo openssl rsa -noout -modulus -in /usr/local/exacq/esm/apache_solr/apache2/conf/server.key | openssl md5

Verify that the md5 hashes match. If they DO NOT, see the troubleshooting section below before proceeding.

Step 3 Edit Apache Configuration

cd /usr/local/exacq/esm/apache_solr/apache2/conf/extra
sudo gedit httpd-ssl.conf

Make the following changes, save the file and then close gedit.

Step 4 Restart the enterprise-webservice

sudo service enterprise-webservice stop
sudo service enterprise-webservice start


OBTAINING A THIRD-PARTY CERTIFICATE

If you are planning to acquire a third-party certificate from a trusted provider, you may need to provide them with a Certificate Signing Request (CSR) file. 

You may use our tool at the following URL to generate a CSR file: https://exacq.com/support/gencsr/

Enter all the fields, then click the ‘Submit’ button to download the ZIP file. Inside this ZIP file is the CSR file and RSA key to give to your certificate provider.

If you purchased a chained certificate, be sure to download the appropriate intermediate bundle.

Once you have downloaded the files from your provider:

  • Rename the .crt file to ‘server.crt’. 
  • Rename the .key file to ‘server.key’.
  • If you have a chained certificate, rename the chain file to ‘server-ca.crt’.

Place the renamed files from your Certificate Authority (CA) into the following directory:

  • Windows: C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Linux:  /etc/evapache/

TIPS

When purchasing an SSL certificate, many providers offer an Intermediate Bundle, or additional certificates that must be present to link your certificate to a root certification authority. Usually the provider will have documentation on how to accomplish this with Apache, but it is a good idea to ask them before or during the purchasing process. Exacq is not responsible for making your certificates capable of working with Apache. 

It is possible to combine all the intermediate certificates that a provider may give you into one file. Consult your provider for more information. 


ENABLING SSL FOR HTTPS CONNECTIONS

Be sure that you have followed the steps above to place the certificate files necessary for either a third-party certificate or a self-signed certificate into the correct directory before continuing with the following steps.

Windows

1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes. 

2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard. 

In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.

Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.

3) Find the following line:

LoadModule ssl_module modules/mod_ssl.so  

Remove any pound (#) sign in front of this line if there is one. 

Now, find the following line:

Include conf/extra/httpd-ssl.conf  

Remove any pound (#) sign in front of this line if there is one. 

Save the file. 

4) Still using Notepad, open the file titled ‘httpd-ssl.conf’ located in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra

Find the following line:

ServerName www.example.com:443  

Change the ‘www.example.com’ portion of this line to ‘localhost’.

Save the file and close the window. 

5) Restart the solrApache service in Windows services (services.msc).

Linux

1) Open a Terminal prompt.

2) Change your working directory by typing:

cd /usr/local/exacq/esm/apache_solr/apache2/conf  

Press Enter.

3) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface, you may use a program called ‘gedit’ to make the following changes.

In the Terminal, type:

sudo gedit httpd.conf  

Press Enter.

4) Find the following line:

LoadModule ssl_module modules/mod_ssl.so  

Remove any pound (#) sign in front of the line if there is one.

Now, find the following line:

Include conf/extra/httpd-ssl.conf  

Remove any pound (#) sign in front of the line if there is one. 

Save the file and close the ‘gedit’ editor window to return to the Terminal prompt.

5) In the Terminal, type:

sudo gedit extra/httpd-ssl.conf  

Press Enter.

Find the following line:

ServerName www.example.com:443  

Change the ‘www.example.com’ portion of this line to ‘localhost’.

Save the file and close the window to return to the Terminal prompt. 

6) Restart the service in the Terminal by typing:

sudo service ESMWebservice restart  


FORCED REDIRECT FROM HTTP TO HTTPS

If you want to force users who try to access the site on port 80, using HTTP, to use the secure HTTPS connection you will need to enable a redirection.

Windows

1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes. 

2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard. 

In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.

Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.

3) Find the following lines:

#RewriteCond %{SERVER PORT} !^443$  
#RewriteRule ^/(.*) https://{HTTP_HOST}/$1 [NC,R=301,L]  

Remove the pound (#) signs in front of these two lines.

Save the file.

4) Restart the solrApache service in Windows services (services.msc).

Linux

1) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface, you may use a program called ‘gedit’ to make the following changes.

In the Terminal, type:

sudo gedit /usr/local/exacq/esm/apache_solr/apache2/conf/httpd.conf  

Press Enter.

2) Find the following lines:

#RewriteCond %{SERVER PORT} !^443$  
#RewriteRule ^/(.*) https://{HTTP_HOST}/$1 [NC,R=301,L]  

Remove the pound (#) signs in front of these two lines.

Save the file and close the ‘gedit’ window to return to the Terminal prompt.

3) Restart the service in Terminal by typing:

sudo service ESMWebservice restart
or
sudo service enterprise-webservice restart


TROUBLESHOOTING

1) Some versions of Internet Explorer do not easily work with services running locally or may display pages incorrectly. If this happens, try clearing the browser’s cache by pressing CTRL-F5 on the keyboard. If the problem is persistent try installing another web browser, such as Chrome. 

2) If the solrApache service fails to start after configuring it for SSL:

a) Open the Apache error logs

  • Windows:   C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\logs\error.log
  • Linux:   /usr/local/exacq/esm/apache_solr/apache2/logs/error_log

b) Look for an entry like the following:

[Wed Mar 04 09:08:54.512004 2017] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from server.crt and server.key do not match AH00016: Configuration Failed  

c) If you see this log entry, complete the following steps:

1) Change your working directory to the location of openssl.exe

  • Windows (CMD) – cd C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
  • Linux (Terminal) – cd /etc/evapache/extra

2) Run the following commands:

openssl x509 -noout -modulus -in ../conf/server.crt | openssl md5  

Press Enter.

openssl rsa -noout -modulus -in ../conf/server.key | openssl md5  

Press Enter.

openssl req -noout -modulus -in ../conf/server.csr | openssl md5  

Press Enter.

3) Compare the resulting values output after running each of the preceding commands. Each resulting string should be identical. If the values do not match, confer with the certificate authority that issued the certificate.
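
Both Enterprise Manager articles above (22.06 or higher, and 22.03 or lower) compare RSA moduli through MD5 in their Step 2 and troubleshooting sections. The script below is an added example, not Exacq's own code: it performs the same match on the whole public key with SHA-256, which goes beyond the articles by also covering EC keys. The function names and the sample subject esm.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Exacq articles: confirm that server.crt,
# server.key and (optionally) server.csr all carry the same public key.
# The whole public key is compared, so key types with no RSA modulus work too.

# Print the PEM public key held in file $2; $1 says what kind of file it is.
pubkey_pem() {
    case "$1" in
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        key) openssl pkey -in "$2" -pubout ;;      # unencrypted key assumed
        csr) openssl req  -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Print the SHA-256 digest of that public key; fail if the file is unreadable.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_tls_pair CRT KEY [CSR]
# Returns 0 when all files match, 1 on a mismatch, 2 when a file is unreadable.
check_tls_pair() {
    crt_d=$(pubkey_digest crt "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    key_d=$(pubkey_digest key "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    if [ "$crt_d" != "$key_d" ]; then
        echo "MISMATCH: $1 does not belong to $2"
        return 1
    fi
    if [ -n "${3:-}" ]; then
        csr_d=$(pubkey_digest csr "$3") || { echo "cannot read CSR: $3" >&2; return 2; }
        if [ "$csr_d" != "$key_d" ]; then
            echo "MISMATCH: $3 was not created from $2"
            return 1
        fi
    fi
    echo "OK: public keys match (sha256 $key_d)"
}

# Constructed sample input: a throwaway self-signed pair made with the same
# command the articles use, plus -subj so that it does not prompt.
# $1 = output prefix, $2 = "rsa" (default) or "ec"
make_sample_pair() {
    if [ "${2:-rsa}" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null &&
        openssl req -new -x509 -sha256 -days 1 -key "$1.key" \
            -subj "/CN=esm.example.test" -out "$1.crt" 2>/dev/null
    else
        openssl req -new -x509 -sha256 -days 1 -nodes -newkey rsa:2048 \
            -subj "/CN=esm.example.test" -out "$1.crt" -keyout "$1.key" 2>/dev/null
    fi
}

# Usage: sh check_pair.sh server.crt server.key [server.csr]
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```

A mismatch here corresponds to the AH02565 log entry shown in the troubleshooting sections.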


exacqVision Web Server HTTP Policy “Redirect to HTTP” Broken

Description 

The HTTP to HTTPS redirect implementation is broken and always supplies an internal IP address for the redirect, causing any redirect from outside of the local network to fail.

Product 

  • exacqVision Web Server 22.03

Steps to Reproduce 

  • Configure HTTPS on the web service, either external or ACME
  • Enable “Redirect to HTTPS” in the configuration
  • Attempt to connect to the web service via HTTP, e.g., `curl -v http://<url>/login.web`

Expected Results 

HTTP requests are redirected to HTTPS  

Actual Results 

Fails to connect  

Solution

Update exacqVision Web Service to 22.06 or above.


See AESW-620 for additional information. 



Validating Certificate Permissions for SSL and HTTPS on Linux for WebService

This example uses Let’s Encrypt SSL certificates. The web service is behind HAProxy, and I was not able to successfully configure HAProxy to update Let’s Encrypt certificates over HTTP. Therefore, I manually updated the certificate.

After updating the certificates, I linked the original to the new certificates in the Let’s Encrypt folder:

/etc/webservice/tls/server.crt -> /etc/letsencrypt/live/site.com/cert.pem
/etc/webservice/tls/server.key -> /etc/letsencrypt/live/site.com/privkey.pem

When I try to connect to the web service, I get this error message: ‘sent an invalid response. ERR_SSL_PROTOCOL_ERROR’.


The destination of the symlink, not the symlink itself, needs to be readable by the nvrweb user. In this example, the directory that the symlink points into did not have the permissions needed for the link to work correctly.

The best way to be sure is to run the terminal command
sudo -i
to become root, and then run
su nvrweb -s /bin/bash
and try to view the files (e.g., cat the paths listed in the config file).
This should give you output.

{
  "service": {
    "name": "Customer Name",
    "url": "https://site.com",
    "loginTokenExpiration": 30,
    "discoverable": true,
    "inactivityTimeout": 0,
    "enableAutocomplete": false,
    "enableRelay": false
  },
  "webserver": {
    "listen": 80,
    "tls": {
      "listen": 443,
      "cert": "/etc/webservice/tls/server.crt",
      "key": "/etc/webservice/tls/server.key",
      "type": "external"
    }
  },
  "log": {
    "duration": 1,
    "interval": "W",
    "level": "debug",
    "retain": 1
  },
  "servers": [
    {
      "host": "site.com",
      "port": 22609,
      "passthrough": {
        "enabled": false
      },
      "poweruser": {
        "enabled": true,
        "username": "INFO",
        "password": "INFO"
      }
    }
  ],
  "nvrg": {
    "port": 22717,
    "remote": {
      "enabled": false,
      "port": 35111
    }
  },
  "updates": {
    "fileInfo": "https://www.exacq.com/downloads/evFileInfo.txt",
    "downloadTimeout": 10
  },
  "auth": {
    "type": "none"
  }
}

We also need to make sure nvrweb can read the cert files /etc/webservice/tls/server.crt and /etc/webservice/tls/server.key.
The output will show the certs.

nvrweb@sunstone:/root$ cd /etc/webservice
nvrweb@sunstone:/etc/webservice$ cat tls/server.crt
-----BEGIN CERTIFICATE-----
Contents of cert will be displayed here.
-----END CERTIFICATE-----

nvrweb@sunstone:/etc/webservice$ cat tls/server.key
-----BEGIN PRIVATE KEY-----
Contents of Cert will be displayed here
-----END PRIVATE KEY-----

These certs were in the TLS directory and were linked to the Let’s Encrypt folder, which we found to have permissions issues.

To check, try the following:
Do the same thing: su to nvrweb and see whether nvrweb can access the certs in the Let’s Encrypt folder before changing the web service config.
It is important to note that it’s not just the permissions of the target file that matter, but those of all the directories in between. In this case the target file was fine, but the letsencrypt directory did not have the needed permissions. Since we were pointing the link to another file, that file needs to be accessible to nvrweb.

Run ls -ld for each directory: /etc/letsencrypt, /etc/letsencrypt/live, /etc/letsencrypt/live/site.com

Without -d, ls shows the directory’s contents. To look at the directory itself, such as /etc/letsencrypt, it’s necessary to run ls -ld /etc/letsencrypt

The site.com directory is fine. We need to check the live or letsencrypt directories.
The letsencrypt live directory’s permissions are rwx------, which means only root can enter or read the directory.

In the above photo we can see that permission is denied for the letsencrypt/live folder.

Configuring it this way is not the normal process, and it is possible that the next time I run Let’s Encrypt to update the certs it might error due to permissions or reset them. The process might need to be done each time.
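
The directory-by-directory check described above can be scripted. This is an added example, not exacq or Let’s Encrypt tooling: the function names can_pass and first_blocker are hypothetical, it assumes the GNU or BusyBox versions of stat and readlink, and it judges by mode bits only.

```shell
#!/bin/sh
# Added example (not vendor code). Mode bits only: ACLs, capabilities and
# root's permission bypass are not modelled.

# can_pass MODE OWNER_UID OWNER_GID UID "GIDS" NEED
#   NEED: 1 = search (directory), 4 = read (final file).
can_pass() {
    m="000$1"; m=${m#"${m%???}"}        # keep the last three octal digits
    u=${m%??}; o=${m#??}; g=${m#?}; g=${g%?}
    if [ "$4" -eq "$2" ]; then
        bits=$u                          # account owns the component
    else
        case " $5 " in
            *" $3 "*) bits=$g ;;         # account is in the owning group
            *)        bits=$o ;;         # everyone else
        esac
    fi
    [ $(( bits & $6 )) -ne 0 ]
}

# first_blocker USER PATH
#   Resolves PATH through any symlinks, then walks from / down to the real
#   target. Prints the first component USER cannot pass and returns 1;
#   prints nothing and returns 0 when the whole chain is usable.
first_blocker() {
    uid=$(id -u "$1") || return 2
    gids=$(id -G "$1") || return 2
    target=$(readlink -f "$2") || return 2
    p=$target; chain=$target
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    printf '%s\n' "$chain" | while IFS= read -r c; do
        need=1; [ -d "$c" ] || need=4
        st=$(stat -c '%a %u %g' "$c") || exit 2
        set -- $st
        can_pass "$1" "$2" "$3" "$uid" "$gids" "$need" || { printf '%s\n' "$c"; exit 1; }
    done
}

# Run as root: sh check.sh nvrweb /etc/webservice/tls/server.key
if [ $# -eq 2 ]; then first_blocker "$1" "$2"; fi
```

For the layout in this article, the expected output is the live directory, because its rwx------ mode gives a non-owner account no search bit.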


Setup Postgres with SSL

Description

After Postgres is installed and an SSL certificate is acquired:

  1. Open the postgresql.conf for editing as an administrator:
    • Windows: C:\exacqVisionEsm\PostgreSQL\9.2\data\postgresql.conf
    • Linux: /usr/local/exacq/esm/PostgreSQL/9.2/data/postgresql.conf
  2. Locate the “# - Security and Authentication -” section and replace it with:

      # - Security and Authentication -

      #authentication_timeout = 1min          # 1s-600s
      ssl = on                                # (change requires restart)
      #ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'       # allowed SSL ciphers
                                              # (change requires restart)
      ssl_renegotiation_limit = 0             # amount of data between renegotiations
      ssl_cert_file = 'server.crt'            # (change requires restart)
      ssl_key_file = 'server.key'             # (change requires restart)
      #ssl_ca_file = ''                       # (change requires restart)
      #ssl_crl_file = ''                      # (change requires restart)
      #password_encryption = on
      #db_user_namespace = off

      # Kerberos and GSSAPI
      #krb_server_keyfile = ''
      #krb_srvname = 'postgres'               # (Kerberos only)
      #krb_caseins_users = off

  3. Copy your SSL cert as server.crt to:
    • Windows: C:\exacqVisionEsm\PostgreSQL\9.2\data\server.crt
    • Linux: /usr/local/exacq/esm/PostgreSQL/9.2/data/server.crt
  4. Copy your SSL key as server.key to:
    • Windows: C:\exacqVisionEsm\PostgreSQL\9.2\data\server.key
    • Linux: /usr/local/exacq/esm/PostgreSQL/9.2/data/server.key


Camera-to-Recorder HTTPS Connections

exacqVision supports connecting to many cameras using HTTPS. Depending on the camera firmware capabilities and the device type plugin used in exacqVision the level of encryption provided may vary.

Using the IP Camera Integration Database, you may choose to filter the displayed results by devices which support SSL (HTTPS).


Connecting with HTTPS

When adding a new camera to an exacqVision Server or editing an existing camera connection, the IP Camera Information section on the Add IP Cameras page provides a Protocol drop-down menu. The following options are available:

  • HTTP
  • HTTPS If Available
  • HTTPS Required

Selecting ‘HTTPS If Available’ does not permit customizing the Port number field. This option will attempt to connect to the camera using HTTPS on port 443. If this attempt fails it will fall back to attempt connection with HTTP on port 80. This may add a small delay to the initial connection as it tests HTTPS first.

Selecting ‘HTTPS Required’ will only permit connection to the device using HTTPS. If the device cannot accept such a connection the device will fail to connect. You are permitted to change the Port number field should your camera be configured to provide HTTPS over a custom port number.


HTTPS Connection Symbols

The IP Camera List on the Add IP Cameras page as well as the Camera Recording page provide symbols in the Protocol column allowing you to quickly view which devices are connected with HTTPS and to what level.

An empty field in the Protocol column indicates an HTTP connection.

The gear icon denotes that the connection is made to the device with HTTPS, which encrypts the login credentials to the device, the camera web interface in the Client’s web panels, and CGI commands made to the camera.

A padlock icon in the Protocol column indicates that the HTTPS connection encrypts the credentials, web page, and CGI commands, but also includes encryption of the video stream.

NOTE: HTTPS between the exacqVision software and camera encrypts only the communications between those two devices.


Enabling HTTPS on Your Camera

Cameras will vary from manufacturer to manufacturer as well as between versions of firmware. Legacy firmware on some devices may require you to apply your own certificate. Many IP cameras today provide HTTPS support out-of-box using self-signed certificates. Below, we examine the settings on an Illustra IQ camera. For other devices, please refer to your device’s documentation.

NOTE: When accessing a camera through the web browser interface using HTTPS, your browser may warn you or prompt you for permission to continue due to having a self-signed certificate. A self-signed certificate can be used to encrypt communication but cannot provide certificate validation. Certificate validation requires the certificate be issued by a Certificate Authority (CA).

Some devices may require you to generate a new self-signed certificate if you have changed the IP address since the last certificate was created.


Illustra IQ Cameras

Illustra IQ devices provide self-signed certificates out-of-box. When entering the Setup mode of an Illustra IQ camera expand the Security menu, then navigate to the HTTP/HTTPS page, as shown.

This page allows you to configure the port number used. Using the Upload button will allow you to upload your own certificate from a trusted Certificate Authority rather than using the camera’s self-signed certificate.

If you decide to use a certificate from a Certificate Authority you must provide them with a Certificate Signing Request (CSR) from the camera. Each camera requires its own, unique certificate from your CA.

NOTE: Do not use wildcard certificates for this purpose.

To generate a CSR file to provide to your CA, navigate to the Generate CSR page, also found under the Security menu. Complete the form on the left as required for your site and needs, then click Apply. The field to the right will populate. You will copy the data from this field into a new text file, but save it as a .CSR file. If you accidentally save the file as .txt, simply replace the .txt file extension with .csr. Provide this file to your CA.


Configuring HTTPS for ExacqVision Web Service

Version 8.4 and Higher


Using the provided Web Service configuration UI you are able to configure HTTPS support.

  1. Log in to the configuration interface here: http://127.0.0.1/service.web
  2. Click on the ‘Configuration’ link in the left-hand navigation bar. This will expand with more options.
  3. Click on the ‘HTTPS’ link.
  4. Click on the ‘Configure’ button.
    If you already have an SSL certificate and private key (e.g. purchased from DigiCert, Thawte, GoDaddy, etc) choose External.
    Select “Let’s Encrypt / ACME” to provision a certificate and private key automatically. NOTE: There are prerequisites that have to be met to use this option.
  5. Follow the instructions for the chosen configuration below


Configuring HTTPS using an External Certificate

IMPORTANT: Wildcard certificates cannot be uploaded through the exacqVision Web Service administration interface. However, they may be used when manually configured. See Manually Configuring HTTPS for Web Service Certificate and Key Path for details.


NOTE: Both the certificate and private key must be PEM encoded. The private key should be in RSA format.

  1. Click on the File button next to the Certificate input and select the certificate to upload.
  2. Click on the File button next to the Private Key and select the corresponding private key to upload.
  3. (Optional) If you were given a certificate chain from your certificate provider click the File button next to the Certificate Chain input and select the chain certificate to upload.
  4. Click Apply to upload the files.
  5. Follow the prompts to restart the Web Service for the changes to take effect.
  6. (Optional) Modify the External URL of your Web Service to use HTTPS.
    • This option is found under Configuration | Basic

      NOTE: If you do not see any File buttons then you are using an older browser. Instead paste the contents of each file into the large text boxes provided.
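
Before uploading, the PEM and RSA requirements in the NOTE above can be checked from a shell. This is an added example, not part of the exacqVision documentation: check_pair is a hypothetical helper, it requires the openssl command-line tool, and it reads “RSA format” as “an unencrypted RSA key”, which is an assumption.

```shell
#!/bin/sh
# Added example (not vendor tooling): pre-upload check for an external
# certificate and private key. Requires the openssl command-line tool.

# check_pair CERT KEY
#   0 = PEM certificate, unencrypted RSA key, and the two belong together
#   1 = certificate is not PEM
#   2 = key is not PEM
#   3 = key is not a usable RSA key (wrong type or passphrase-protected)
#   4 = key does not match the certificate
check_pair() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" || return 2
    # "-passin pass:" supplies an empty passphrase, so an encrypted key
    # fails here instead of prompting.
    openssl rsa -in "$2" -passin pass: -check -noout >/dev/null 2>&1 || return 3
    # Compare the public key embedded in the certificate with the one
    # derived from the private key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 4
}

# Usage: sh check_pair.sh server.crt server.key
if [ $# -eq 2 ]; then
    rc=0; check_pair "$1" "$2" || rc=$?
    echo "check_pair result: $rc"
fi
```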


Configuring HTTPS using Let’s Encrypt / ACME Server

Please check that the following prerequisites are met before proceeding.

A. Your Web Service is configured and running on the standard port (80)
B. Your Web Service is accessible over the internet at the domain name(s) you wish to provision a certificate for.

  1. In the input under Domain Name enter the domain name you wish to provision a certificate for.
  2. (Optional) If you have any Subject Alternative Names to add to the certificate enter them into the input under Subject Alternative Name(s)
  3. Click Apply
  4. A dialog should pop up with the status of your request. Provisioning a certificate may take a few minutes; please be patient.
  5. If a certificate was issued successfully, follow the prompts to restart the Web Service for the changes to take effect.
    • If an error is encountered, attempt to solve the underlying issue before retrying. The production Let’s Encrypt service will rate limit you if you attempt too many times in a row. See https://letsencrypt.org/docs/rate-limits/ for more information.
  6. (Optional) Modify the External URL of your Web Service to use HTTPS.
    • This option is found under Configuration | Basic


Version 8.2 and Lower

Follow the instructions to manually configure HTTPS support in the Web Service.

Windows: See Article 995
Linux: See Article 946
