
I've tried a couple of ways to start MobiLink with a certificate from LetsEncrypt, but so far with no success.

First I tried getting a certificate using this method:

.\wacs.exe --store centralssl --centralsslstore C:\CentralSSL\
which creates the certificate and stores it as C:\CentralSSL\mycertificate.pfx. Then I tried starting MobiLink with the -x option set to
-x HTTPS(host=172.254.35.101;port=443;identity=C:\CentralSSL\mycertificate.pfx)
However, mlsrv17 fails to start, and gives the error
SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x00000000

So I tried converting the .pfx file to a .crt file using openssl and changing the MobiLink -x option appropriately, but still get a parsing error, this time:

SQLANYm_balanceML: <main> [-10117] Stream Error: Error parsing certificate file, error code 0x0d0680a8

Then I tried another way, to get and install the certificate using this method

.\wacs.exe --store certificatestore --certificatestore My
which creates the certificate in the Windows Certificate Store. However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?

Has anyone ever tried this? Any advice?

EDIT: A bit more information - I discovered that the .crt file generated above contains Bag Attributes before the actual certificate. I removed them with the command openssl x509 -in mycertificate.crt -out mycertificate.crt and then MobiLink starts without complaint BUT the connections still fail, now with error code 8. I know it's not specifically a network problem since it all works fine with HTTP.

asked 31 May '19, 11:03


Terry Wilkinson

edited 31 May '19, 13:12

However, I don't know how to tell MobiLink to use that version of the certificate. Is there a way to point the identity option to the Windows Certificate Store?

I don't know, either, but for secure web client procedures, you can specify "file=*" to access certificates from the OS store, as documented here. I don't know whether the same applies to MobiLink servers or SQL Anywhere web servers.

(31 May '19, 12:07) Volker Barth

Following that suggestion, I tried

identity=*

and got the error

SQLANYm_balanceML: <main> [-10117] Stream Error: Unable to open certificate file '*'

(31 May '19, 12:38) Terry Wilkinson

Can you describe what you mean by "use a certificate from LetsEncrypt"?

LetsEncrypt is a Certificate Authority (CA). What is typically stored in the certificate store for a CA is the public certificate for that CA, which is used by clients connecting to a server, not the server itself.

Typically, you'll create a certificate request, which consists of a public and private portion. The private portion is password protected, and you typically don't let anyone else see that. You send the public portion of your certificate request to a CA, they sign it, then return the signed certificate request to you. This signed public certificate request along with the private portion of your certificate request make up your identity file, which is what you need to provide to the ML Server, along with the password for your private certificate. Now, any MobiLink Client that wants to connect to the ML Server can do so as long as they have the public certificate for the CA that signed your request.

I don't think exporting the LetsEncrypt certificate from the certificate store will get you a server-side certificate that you can use when starting the MobiLink Server.

Reg


answered 31 May '19, 13:36


Reg Domaratzki

Thanks for your reply. I've been using LetsEncrypt for a number of years to create certificates for https with nginx under linux. Also, I have previously been able to use them with IIS under Windows. However, there is a new way to get them for Windows using the wacs program that I mentioned in the OP but it doesn't seem to be working for me. Have you used the new wacs program? Any help there would be appreciated.

(31 May '19, 15:56) Terry Wilkinson
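
The answer above describes the identity file as the signed certificate together with its private key, and the question's EDIT mentions Bag Attributes text in the converted file. The Python sketch below is an added example (not part of the original posts and not SAP code) that lists the PEM blocks in such a file and rebuilds it without the attribute text; the sample input is constructed and the function names are hypothetical.

```python
import re

# One PEM block: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample shaped like a PFX-to-PEM conversion with openssl; the
# base64 bodies are placeholders, not real key material.
SAMPLE = """Bag Attributes
    friendlyName: constructed-example
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed-example
subject=CN = example.invalid
issuer=CN = Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""

def split_pem(text):
    """Return (label, block_text) for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def inspect_identity(text):
    """Count certificates and private keys, and flag text outside PEM blocks."""
    labels = [label for label, _ in split_pem(text)]
    certs = labels.count("CERTIFICATE")
    # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    stray = PEM_BLOCK.sub("", text).strip() != ""
    return {"certificates": certs, "private_keys": keys,
            "stray_text": stray, "complete": certs >= 1 and keys >= 1}

def clean_identity(text):
    """Rebuild the file from its PEM blocks only, dropping Bag Attributes etc."""
    return "\n".join(block for _, block in split_pem(text)) + "\n"

if __name__ == "__main__":
    print("as exported:", inspect_identity(SAMPLE))
    cleaned = clean_identity(SAMPLE)
    print("cleaned:    ", inspect_identity(cleaned))
    # What remains if only the CERTIFICATE block is kept, as "openssl x509" does
    cert_only = "\n".join(b for l, b in split_pem(SAMPLE) if l == "CERTIFICATE")
    print("cert only:  ", inspect_identity(cert_only))
```

A file for which `complete` is false holds only one half of the pair the answer describes; the check says nothing about whether the key matches the certificate or whether the key is password protected.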

question asked: 31 May '19, 11:03

question was seen: 1,522 times

last updated: 31 May '19, 15:57