4 Replies Latest reply on Oct 13, 2016 6:29 PM by jlangan

    Pi Web API + Let's encrypt


      Let's encrypt might not be very popular yet in the proprietary world, but seems promising nevertheless on lowering management cost. So I was wondering, has anyone succeed in making Let's encrypt work with Pi Web API ? If not, is this a feature we can hope to see in a near future ? It seems to be already working with IIS but I haven't found any discussion or documentation about this for PI Web API.


      Thanks !

        • Re: Pi Web API + Let's encrypt

          Hello Mikael,


          This looks interesting indeed, this seems to be a free alternative of getting a certificate from a trusted source like VeriSign or Thawate. 

          PI Web API is self-hosted, so I am not sure if Let's encrypt event supports this scenario...


          Could you provide some lines to explain why you are considering Let's encrypt comparing to using a certificate from a trusted source?

          I believe Raymond Verhoeff  will be able to comment on this, as the PI Web API product is well known to him .


          Hope this helps,

            • Re: Pi Web API + Let's encrypt

              Let's Encrypt is on our list of technologies to try but we have not done it yet. The documentation on the website leans heavily towards Linux systems but I did find that someone has built a Windows client for it. Open source, of course. It should not matter that the PI Web API is self-hosted. Any certificate obtained is stored in the Windows Certificate Store. I did once try to register my development machine with Let's Encrypt through the website and it did not work. At some point in the registration, Let's Encrypt needs to check your server and to confirm that you own your domain. That suggests that your PI Web API server must be publically accessible.


              Let's Encrypt has lined up some very significant sponsors so I expect its use will grow. There is another free certificate site called SSL for Free but it uses Let's Encrypt components.


              If you test it before we do, please post your findings!


              Edit 2016-10-14 (pthivierge):

              Seem that our colleague Joey Langan had success to make this work. It is not a native integration of course but may be a way to make it work:

              see his reply below in the discussion.

              4 of 4 people found this helpful
              • Re: Pi Web API + Let's encrypt
                Bryan Owen

                In a minor clarification, Lets Encrypt is a trustworthy certificate authority.


                As Ray mentions the level of trust is based on executing a domain validation proof handshake.  The free agent from LE (and demo code) can do the proof and generate a valid SSL certificate - provided the distinguished name is registered and reachable from the authority.  We agree this would likely be ok for most external facing PI Web API use cases.   Note: some names are black listed such as default machines in AWS and Azure (that limitation may be relaxed in the future).


                Since Let's Encrypt is providing significant value to the internet in general we are optimistic about finding ways to parlay success for public facing use cases for PI data.  Let's Encrypt certificates are short lived by design and thus demand some level of automation/integration.  As such, OSIsoft partners and the PI Square community might well be the right place to explore viable solutions. 

                4 of 4 people found this helpful
              • Re: Pi Web API + Let's encrypt

                It does work.  I've got my Coresight and Web API on the same server, so I am able to use the IIS for Coresight to serve up a file that LE uses to verify.  Otherwise, I would guess you'd be able to simply install IIS (without Coresight) and this should work.


                Steps (these are from my memory):

                1. download a client (I used GitHub - Lone-Coder/letsencrypt-win-simple: A Simple ACME Client for Windows )

                2. unzip, it includes a web_config.xml.  Copy it/rename it to web.config in your IIS root directory

                3. bind IIS to the external host name (www.whateverthenameis.com) on port 443 (for all IP addresses)

                4. run the program.  It did not find my binding, so picked option M - to manually enter the www.whateverthenameis.com and the IIS root (e.g. C:\inetpub\wwwroot)

                5. it did not appear to change the SSL, so I had to manually changes the certificate (go back into Bindings, edit the 443 one with your host name and select the LE certificate)



                My web api server is now trusted by the browser





                Initial Thoughts / Caveats:

                • I needed port 80 open on through my firewall to my (IIS/Coresight/WebAPI) server - I can close this, but then I won't be able to auto-renew the certificate easily (I might be able to do a powershell script to open the port, renew, and then close the port).   I typically use OpenVPN as a way to not access my systems without having to have any ports open.  I will probably look at putting this on a separate VLAN that is locked down to everything else if I keep port 80 open.
                • Certificates expire every 90 days (if not renewed) - my guess is that the auto-renew may not work since it wasn't able to auto bind the new cert - so that will be on me to renew and bind
                • Requires IIS (not a big deal if you already have Coresight on the same server).
                • Bonus - worked on Coresight too
                3 of 3 people found this helpful