This article guides you through the setup for a simple HTTPS server using Let’s Encrypt certificates.
Download the project source
The example project is included in the Daraja demo folder at https://github.com/michaelJustin/daraja-framework/tree/master/demo/https. You may use the project IndyHttpsTest with Delphi 6 or later, or with the Lazarus IDE. This stand-alone project only requires the Indy library; it does not depend on the Daraja HTTP framework.
Three lines in the project specify the domain certificate, the domain certificate key and the intermediate certificate:
  ...
  IOHandler := TIdServerIOHandlerSSLOpenSSL.Create;
  IOHandler.SSLOptions.CertFile := 'cert.pem';       // domain certificate
  IOHandler.SSLOptions.KeyFile := 'key.pem';         // domain key
  IOHandler.SSLOptions.RootCertFile := 'cacert.pem'; // intermediate certificate
  IOHandler.SSLOptions.Mode := sslmServer;
  ...
Install the OpenSSL DLLs
The OpenSSL libraries can be downloaded from https://indy.fulgan.com/SSL/ (separate archives exist for 32-bit and 64-bit applications; pick the one that matches the target platform of your compiled executable). Extract the archive and copy the DLLs to the daraja-framework\demo\https folder.
Let’s Encrypt does not sign server certificates with its root directly; your certificate is issued by an intermediate certificate, which is available for download at https://letsencrypt.org/certificates/.
From the Intermediate Certificates section, download the active intermediate certificate that signed your certificate (if more than one intermediate is active, the Issuer field of your own certificate tells you which one), copy it to the daraja-framework\demo\https folder, and rename it to cacert.pem
Server certificate and key
Now you need your server certificate and key files. An easy way to obtain them is the free ‘SSL Certificate Wizard‘ at https://zerossl.com/ – this service allows you to create Let’s Encrypt certificates for your web domain.
Before you can download the server certificate and key, the ZeroSSL certificate wizard must verify that the domain is under your control. Verification options are HTTP or DNS based. To verify domain ownership using HTTP verification, you will need to create files with specific text strings under your “<webroot>/.well-known/acme-challenge/” directory; these files must be reachable over plain HTTP (port 80) on the domain you are requesting the certificate for. Only after ZeroSSL has checked these files will your certificate be issued.
Finally, download the files domain-crt.txt and domain-key.txt from the last page of the SSL Certificate Wizard.
Copy the files domain-crt.txt and domain-key.txt to the project folder daraja-framework\demo\https with the names cert.pem and key.pem. Note that domain-key.txt is the private key: restrict access to it and keep it out of version control, because anyone who obtains it can impersonate your server for the lifetime of the certificate.
Ready to launch
Verify the certificate chain
You may inspect the certificate properties in Windows by copying or renaming domain-crt.txt to domain.crt and double-clicking it. The certificate information window will show the certificate properties (validity period etc.) and the certification chain, which should lead from your domain certificate through the Let’s Encrypt intermediate to a trusted root.
Compile and start the IndyHttpsTest project in the folder daraja-framework\demo\https. The program launches your default web browser and navigates to https://127.0.0.1. Because the certificate was not issued for 127.0.0.1, the browser displays a security warning about the name mismatch.
Browsers accept the certificate without warnings only when you reach the server through the host name the certificate was issued for, that is, when it runs on the web server of your domain.
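The three things that go wrong most often with this setup are a key that does not belong to the certificate, a cacert.pem that is not the intermediate which actually issued the certificate, and a host name that the certificate does not cover (the 127.0.0.1 warning above is the last case). The following POSIX shell script, added here as an example and not part of the Daraja demo, checks all three with the OpenSSL command-line tool before you start IndyHttpsTest. It assumes openssl 1.1.1 or newer on PATH and the file names the project uses (cert.pem, key.pem, cacert.pem). The function make_test_chain is a constructed fixture: it builds a throwaway root/intermediate/leaf chain so the script can be exercised offline, standing in for the real Let’s Encrypt files, and must never be used for anything else.

```shell
#!/bin/sh
# Added example (not part of the Daraja demo): sanity-check cert.pem, key.pem
# and cacert.pem with the OpenSSL CLI before starting IndyHttpsTest.
# Assumes openssl 1.1.1+ on PATH (needed for "x509 -ext").

# 0 if the private key in $2 belongs to the certificate in $1: both public
# keys are exported as DER and their SHA-256 digests compared.
key_matches_cert() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1   # not a certificate
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1   # not a private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 chains through the intermediate $2 to a trusted root:
# $3 if given, otherwise the system trust store. "-untrusted" is exactly the
# role cacert.pem plays: a link in the chain, not a trust anchor.
chain_is_valid() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
  fi
}

# 0 if certificate $1 lists $2 as a DNS Subject Alternative Name. Browsers
# match the host name against the SAN list, which is why https://127.0.0.1
# warns for a certificate issued to your domain.
cert_covers_host() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Runs all three checks: $1 cert, $2 key, $3 intermediate, $4 host name you
# will browse to, $5 optional root CA file (omit to use the system store).
check_all() {
  rc=0
  key_matches_cert "$1" "$2" || { echo "key does not belong to certificate"; rc=1; }
  chain_is_valid "$1" "$3" "$5" || { echo "certificate does not chain through intermediate to a trusted root"; rc=1; }
  cert_covers_host "$1" "$4" || { echo "certificate has no SAN for $4 (browser will warn)"; rc=1; }
  return $rc
}

# Constructed fixture (assumption, not Let's Encrypt data): builds a
# root -> intermediate -> leaf chain for host $2 in directory $1, using the
# file names the article uses for the leaf and intermediate.
make_test_chain() {
  dir=$1; host=$2
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/int.ext" -out "$dir/cacert.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/key.pem" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/cacert.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/cert.pem" 2>/dev/null
}

# Usage: sh check_certs.sh cert.pem key.pem cacert.pem www.example.org [root.pem]
#        sh check_certs.sh --selftest     (runs the checks on the fixture chain)
if [ "${1:-}" = "--selftest" ]; then
  d=$(mktemp -d)
  make_test_chain "$d" www.example.org
  check_all "$d/cert.pem" "$d/key.pem" "$d/cacert.pem" www.example.org "$d/root.pem" \
    && echo "all checks passed"
  rm -rf "$d"
elif [ $# -ge 4 ]; then
  check_all "$@"
fi
```

Run it against the real files with the host name you will type into the browser, e.g. `sh check_certs.sh cert.pem key.pem cacert.pem www.example.org`; leaving out the root file makes `openssl verify` use the system trust store, which is what a browser effectively does. Once IndyHttpsTest is running, `openssl s_client -connect 127.0.0.1:443 -showcerts` (adjust the port if you changed the demo) prints the chain the server actually sends; the intermediate should appear there, because a client that does not already have it cached cannot build the chain on its own.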
Please understand that this how-to guide is only meant as a short introduction to SSL/TLS certificate usage; you should always be aware of the potential security risks.