How to apply for SSL certificate

fhutt

I am trying to create a simple website for just family use. The Abyss server X1 appears to do the job. However, I would like to secure the site a little by the use of HTTPS.
I have followed to instructions via the website to obtain a free certificate completing the forms.
The only fields I had problems with was in the Generate Signing request form, the Organization Name and Organization Unit Name. I didn't know what to enter so entered 'None'.
Otherwise, it was all accepted but nothing appears to happen.
Is there anything else I should be doing to gain a certificate from Let's Encrypt?
Thanks

admin

fhutt,
It seems that you have tried using the instructions to get a self-signed certificate.
It is better to use the other alternative of the free Let's Encrypt issued certificates as explained here :
https://aprelium.com/abyssws/articles/using-acme-cert.html

fhutt

Yes, those were the instructions I tried to follow. I was successful obtaining a self signed certificate and the website works on HTTPS.
But the fields mentioned are common and I am not sure how complete them.Never the less I left it as 'None'. I am not happy with the remote browser getting a security warning so tried to get a certificate from Let's Secure. I completed the forms again and this time the system started to work and a request was submitted.
Unfortunately, I received and error saying that my problem is probably due the firewall. However, I get a firewall error with the HTTP web server or with the HTTPS web server. The error report also mentions the file that is being accessed. The file that is failing is http://'MyURL'/.well-known/acme-challenge/50rXamuXPvP4fjDtNJ_q5Uoy1nP7ldlBk55t1jMM9Mg
This file does not exist on my website therefore, I think, this is the reason the file cannot be accessed. Unfortunately, I sent the request too many times and I am now locked out until next week before I can try again.
Any ideas?

pkSML

Abyss creates this temporary file for Let's Encrypt and most likely deletes it. You won't expect to see it later on your file system.
Before you submit a request using Abyss for a certificate, you need to make sure your site is accessible by hostname on the internet. Testing from your internal network can always lead to false results.
How can you make sure your site is publicly accessible?
You can go to an HTML validator or a website speed test. For example, you can go to https://validator.w3.org/
Enter your web address (not just an IP address, but yoursite.com).
If they can't access your site, then neither will Let's Encrypt.
I'm a little confused reading what your wrote, so I'm not sure if you've made it past this step, but give it a try and let us know the results. Then we'll work from there.

fhutt

You are right. I cannot reach the website now with your link. In the past I checked the website before using my phone with data via my provider and worked fine, but not now.
It was fine yesterday. Something must have happened.
I notice that I am unable to start the server. After pressing the start button, it waits a little and comes back with the start button active instead of stop.
I notice that next to the button is shows my URL and 'error'. When pressing the error link I am transferred to a new page showing the error as:
The system cannot find the file specified. (Scripting Parameters :: Edit - CGI Parameters)
I click on the Scripting Parameters link and is shown another page showing the location of the cgi.log file. I found that file but it is empty.
I am really stuck now.
Edit: Found the problem. Last night I changed the Server Root. I thought this was my website. But no - this is path to the server software (Abyss). Changed it to the Abyss path and now the server may start.
There are errors appear to show my index file as expected on Firefox, Chrome and IE11.

fhutt

I don't know what I did to the settings but the server has stopped working. It shows running but does not serve any pages just it's internal 404 page.
I went over all my settings and couldn't find the problem. I decided to uninstall and install again fresh. It went fine and works now on HTTP, HTTPS (Self Certified) and HTTP+HTTPS.
Now I tried to initiate an Acme-Bot request for a certificate from Let's Encrypt. I followed the instructions, pressed OK each time. Switched to HTTP only to ensure that the site is accessible. But looking at the Acme-Bot status it shows not active.
How do I get the server to initiate the request?

pkSML

I plan on making a video tutorial about this soon. But until then, I'd suggest following Aprelium's solution at https://aprelium.com/data/doc/2/abyssws-win-doc-html/ssl.html#CERTIFICATES-ACME.
Did you realize you have to create an account with Let's Encrypt (done in Abyss' console) before you can ask for an SSL certificate?
Once you've done that, set up your site with just HTTP.
When converting to HTTP+HTTPS, did you select this option?

After clicking OK and restarting Abyss, it will start and the host will say that it is acquiring an HTTPS certificate. It takes about 30 seconds or less. You can click the link it displays for more information (the ACME status page at ServerIP:9999/certificates/acmebot/edit ).
If you're still having trouble, let us know what the ACME-Bot Status page has to say.

fhutt

In the past few days I did not enter 'From Acme account' when setting HTTP+HTTPS because I thought that since there is no certificate, how can it work. Obviously by your instruction, this is how the request is started.
OK - I have the HTTP automatically routed to HTTPS as you showed how to do in a different post.
I is correct that I have to break that since Let't Encrypt would not be able to connect (HTTPS is not working yet without the certificate)?

fhutt

I have removed the automatic HTTP redirection to HTTPS, selected the HTTP+HTTPS as suggested and accepted it all.
The signing request was then initiated. However, now about an hour later the Acme-Bot status still shows "ACME account processing queued".
Is this normal - if so, how long does it usually take to receive the certificate?
EDIT: The Acme-Bot status also states that "Order for 'MyURL' (due by 19/Sep/2019:13:06:34 +1000). Does this mean that it might take 3 months?
Do I need to keep my PC on 24/7 till then?

pkSML

No. Actually you should be good to go. The order processing being queued is for renewal of your current certificate (which must occur every three months, per Let's Encrypt).
Try to access your site with HTTPS. It should work!
If so, they you can re-institute your HTTP --> HTTPS rule(s).

fhutt

Yes, you are of course right again.
I did try it but the page took longer so I thought it was being rejected. Also the Certificate Store is empty, so I thought that the system is still waiting. I thought that a new entry would automatically be created. Obviously not.
Looking at the certificate on resolved web page security page, I notice that it states that the Connection Encrypted (AES-GCM, 128bit, TSL 1.2). It is showing only a 128bit key. On other websites (like Aprelium) it shows 256bit key. I thought it would be 256bit on the Let's Encrypt certificate also. Is it something I did wrong (again)?
Where could I look at the certificate on the Abyss Web Server Console?

pkSML

fhutt wrote
Yes, you are of course right again.
I did try it but the page took longer so I thought it was being rejected. Also the Certificate Store is empty, so I thought that the system is still waiting. I thought that a new entry would automatically be created. Obviously not.
Looking at the certificate on resolved web page security page, I notice that it states that the Connection Encrypted (AES-GCM, 128bit, TSL 1.2). It is showing only a 128bit key. On other websites (like Aprelium) it shows 256bit key. I thought it would be 256bit on the Let's Encrypt certificate also. Is it something I did wrong (again)?
Where could I look at the certificate on the Abyss Web Server Console?

SSL/TLS is confusing. The AES-128-GCM is a cipher. It has nothing to do with the TLS key or Let's Encrypt. It has everything to do with setting up secure communication between the server and browser. You can customize allowable ciphers in Abyss, but it'd be best to have a strong understanding of what you're doing first.
Do note that Google Chrome considers AES-128-GCM 'a strong cipher', so I don't have a problem with it.
When you tighten up your allowed ciphers, you risk disallowing some users to view your site (especially if you force HTTP --> HTTPS).
Check out your HTTPS website at https://www.ssllabs.com/ssltest/. It will tell you which devices will not be able to access your HTTPS site. You can enter aprelium.com on that site also to compare with your settings.
To adjust your cipher settings:

Click on your host in the Abyss console.
Click 'Edit' to the right of 'Advanced Parameters'.
Click 'Edit' to the right of 'SSL/TLS Parameters'.
Under 'SSL/TLS Profile', you can select 'Modern' or 'Custom'.
If you selected 'Custom', you can now change your ciphers to 'Strong' or 'Custom'. (I'm going to guess Aprelium just changed theirs to 'Strong'.)

You can gather some information at https://aprelium.com/data/doc/2/abyssws-win-doc-html/hosts-configuration.html#HOSTS-GENERAL-ADVANCED-SECURELAYER.

fhutt

I feel better about it now.
I checked my website and Aprilium.com also on your link. The report is quite long and I won't pretend I understand it all. But I do see the browser that are more compatible. I don't see a lot of difference between my website and Aprilium.com. I am assuming this is good.
I did find the settings you mention. I will leave it as is until I have more experience with this.
At least I understand the ramifications of changing it.

pkSML

fhutt wrote
I feel better about it now.
I checked my website and Aprilium.com also on your link. The report is quite long and I won't pretend I understand it all. But I do see the browser that are more compatible. I don't see a lot of difference between my website and Aprilium.com. I am assuming this is good.
I did find the settings you mention. I will leave it as is until I have more experience with this.
At least I understand the ramifications of changing it.

I don't pretend to understand it all either :) Cryptography isn't intended to be simple!
I stumbled upon this webpage, which also says AES-128-GCM is an acceptable cipher. If it were AES-128-CBC, it would be weak and vulnerable to certain well-crafted attacks.