Santronics Software, Inc.,
Using Let's Encrypt for wcSSL

Introduction:

Let's Encrypt (LE) is a Certificate Authority (CA) offering free SSL certificates. The certificates are signed by LE as a CA. This means browsers will accept it as a trusted authority as long as you are using Wildcat! V7.0 or better. The certificates will expire in 90 days, at which point you have to repeat the process below to get a new certificate.

The following instructions will help you obtain an SSL certificate from Let's Encrypt using the ZeroSSL.com online wizard and tool.
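Because an LE certificate expires after 90 days, it is worth scripting a renewal reminder rather than relying on memory. The following Python is an added example and not Santronics code; it uses only the standard library, the 30-day warning threshold is an assumption chosen for the example (not a Wildcat! setting), and "yourdomain.example" is a placeholder host name.

```python
import socket
import ssl
import sys
import time

# Let's Encrypt certificates are valid for 90 days. The warning threshold
# below is an assumption chosen for this example, not a Wildcat! setting.
RENEW_WARNING_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate's notAfter time.

    not_after is the string Python's ssl module reports for a peer
    certificate, e.g. 'Dec 11 10:57:07 2019 GMT'. now is seconds since
    the epoch (default: current time) or a string in the same format,
    which makes the arithmetic easy to check. Negative means expired.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return int((expires - now) // 86400)


def renewal_status(not_after, now=None, warn_days=RENEW_WARNING_DAYS):
    """Classify a certificate as OK, RENEW_SOON or EXPIRED."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW_SOON"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Connect to the HTTPS server and return the leaf certificate's notAfter.

    The default context verifies the chain against the system trust store,
    so this raises ssl.SSLCertVerificationError if the CA-signed certificate
    was not installed (e.g. the server still answers with a self-signed one).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python le_expiry.py yourdomain.example   (placeholder host name)
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.example"
    not_after = fetch_not_after(host)
    print("%s expires %s: %s" % (host, not_after, renewal_status(not_after)))
```

Run it from a scheduled task against your HTTPS host; a RENEW_SOON result means it is time to start the CSR and ZeroSSL steps below again. Because the connection is fully verified, the script also fails loudly if the signed certificate never made it into the live configuration.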

Preparing Wildcat!

Step 1: Add Alias Redirection for ".well-known"

If you are using Wildcat! V8.0.454.9, you may skip step 1.

This step is not needed if your web site domain is a PUBLIC Web Site. Meaning, under Virtual Domains, you have the web site domain set as:

[X] Web Root Is Public

If you don't, which is the normal case for WcWeb, then you need this Alias Redirection:

Start WCCONFIG | Web Server | Redirection | click ADD

Alias:  .well-known
URL:  /public/.well-known/

Click OK. WcWEB should read it automatically, but just in case, restart WcOnline.

This will come into play when ZeroSSL wants to verify your domain. You can also use a DNS method if you have access to your DNS manager to create TXT records. For now, use this HTTP method with the ".well-known" alias.

Step 2: Create a CSR for your domain

Start WCCONFIG | SSL Options. For the Web server,

[_] Use Default
[X] Enable SSL

If you have the following set:

[X] Required for all Connections,
    [X] Enable HTTP Redirection

temporarily disable this SSL requirement until you are finished, then you can set it back.

Click Set PCI Compliance. This will give you the modern SSL Encryption strength settings.

Note: Wildcat! V8+ uses the latest OpenSSL v1.1+ API, which offers higher encryption strength, providing an A or A+ security rating with SSL Labs. Wildcat! v7.0 and below uses OpenSSL v1.0, which will be EOL (End of Life) by the end of 2019.

Click Server Certificate Wizard and select the first option:

(o) Create new certificate request .....

Click Next to Create Private Key and fill in the form.

example Friendly Name: "Web Server Certificate (LE)"

Use the defaults for [X] DES3 and Bit Length: 2048 and enter a password.

Click Next and fill in the Certificate Request Information. The most important field is the Common Name field. This is the domain you want for your HTTPS site. It is the domain that must match the domain inside the certificate signed by the CA.

Click Next and then click the Create button.

This will create the CSR (Certificate Signing Request) block of information. Right click it to copy it into your clipboard (copy/paste buffer). The CSR is needed in step 3.

Click Finish, Click Save Now. You can keep WCSSLCONFIG running because we are coming back to it.

Step 3: Go to the ZeroSSL.com web site:

ZeroSSL.com

Click Certificate and Tools

Click the Free SSL Certificate Wizard Start button.

This wizard is a three part wizard process:

1 Details

You will see a right side box saying "Paste your CSR..."

Put your mouse in this box, right click and paste the CSR you generated in step 2.

Check the two Accept options:

[x] Accept ZeroSSL TOS
[x] Accept Let's Encrypt RA (pdf)

There is the Verification radio option:

(o) HTTP Verification
(_) DNS Verification

Since WcWEB is prepared for the HTTP method, keep the HTTP option and click NEXT.

Note: There might be situations where you need to use DNS Verification because the HTTP method is not possible. For some people, this might be an easier method. But it may delay the verification process until a temporary DNS record is created and propagates through the network.

2 Verification

A challenge file is randomly created by ZeroSSL for you to download. This is where the ".well-known" alias we did in step 1 comes into play. You now need to create this folder at your Wildcat! web site:

   md http\public\.well-known\acme-challenge

and download/copy/place the challenge file into this folder.

Click NEXT and the Wizard will try to verify it by requesting the URL:

    http://yourdomain/.well-known/acme-challenge/funky-filename

Make sure wcWEB is running, and step 1 above was done. With the Alias Redirection, wcWEB will satisfy this request and verification is complete.

If you get an error, it is because some step was not done right. Check for typos. Click Next again. It may ask to download another challenge file. Continue until it succeeds!
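Before clicking NEXT you can confirm from outside that the alias and folder are right, which saves repeated challenge downloads. The following Python pre-flight check is an added example and not part of the Santronics instructions or of ZeroSSL's tooling: it fetches the same URL the validator will request and compares the body with the challenge file you downloaded. It uses only the standard library; "yourdomain.example" and the file path on the command line are placeholders.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def challenge_url(domain, token):
    """URL the validator will request for the HTTP challenge.

    The alias from step 1 must map this path onto
    http\\public\\.well-known\\acme-challenge\\<token> on the Wildcat! host.
    """
    return "http://%s/.well-known/acme-challenge/%s" % (domain, quote(token, safe=""))


def http_fetch(url, timeout=10):
    """Plain HTTP GET returning (status, body). urlopen follows redirects,
    so a 200 here may have been served from a redirected location."""
    req = urllib.request.Request(url, headers={"User-Agent": "wcssl-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def verify_response(expected, status, body):
    """Return (ok, reason). ok only when the status is 200 and the body
    matches the challenge file byte-for-byte (surrounding whitespace
    ignored, because editors often append a newline)."""
    if status != 200:
        return False, "HTTP %d: check the .well-known alias and the folder" % status
    if body.strip() != expected.strip():
        return False, "body mismatch: wrong file in the acme-challenge folder?"
    return True, "challenge is served correctly"


def check_challenge(domain, token, expected, fetch=http_fetch):
    """Fetch the challenge URL and compare it with the expected file content.
    fetch is injectable so the logic can be exercised without a network."""
    status, body = fetch(challenge_url(domain, token))
    return verify_response(expected, status, body)


if __name__ == "__main__":
    # Usage: python preflight.py yourdomain.example <path-to-challenge-file>
    # (placeholder domain; the file is the one ZeroSSL gave you to download;
    # its file name is the token the validator will ask for)
    domain, path = sys.argv[1], sys.argv[2]
    token = path.replace("\\", "/").rsplit("/", 1)[-1]
    with open(path, "rb") as f:
        ok, reason = check_challenge(domain, token, f.read())
    print("OK" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```

A non-200 status points at the alias or the missing acme-challenge folder; a body mismatch means the wrong file (or an old challenge file) is sitting in the folder. Run it from a machine outside your network if you can, since the validator will connect from the Internet, not from the Wildcat! host.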

3 Certificate.

When successful, it will give you the CA Signed Certificate!!! Copy it into the copy/paste clipboard.

You are done now with ZeroSSL.COM.

Step 4: Add the CA Certificate to your setup

In WCSSLCONFIG, go into the Server Certificate Wizard and select

(o) Add a signed certificate to a pending request

Click Next and it will display the Stores, select the Store you created before, i.e. "Web Server Certificate (LE)"

It will display a form to install the signed certificate by file or by pasting it in. In the bottom box, paste the Signed CA certificate you copied in step 3.

Click Finish and it should say "SUCCESS"

At this point, save and close WCSSLCONFIG, restart WcOnline and read the wcssl*.log file to make sure it reports the certificate as acceptable, as in this excerpt:

20190912 10:57:07 Loading WCSSL for application: wchttps.dll
20190912 10:57:07 WCSSL Loaded Successfully.
20190912 10:57:07 Creating SSL Context for HTTP Server
20190912 10:57:07 (HTTP) SSLEAY_VERSION: OpenSSL 1.1.1c-dev  xx XXX xxxx
20190912 10:57:07 (HTTP) WCSSL VERSION : v8.0.454.9
20190912 10:57:07 (HTTP)   protocol: 16 (TLSv12)
20190912 10:57:07 (HTTP)     cipher:  ..... long line
20190912 10:57:07 (HTTP) HonorOrder: YES
20190912 10:57:07 (HTTP) * SSL options (96530854):
20190912 10:57:07 (HTTP) * SSL cache options (00000003):
20190912 10:57:07 (HTTP) ssl_context_init: CA Certificates: 140
20190912 10:57:07 (HTTP) ssl_context_init: client verify: NONE (0)
20190912 10:57:07 (HTTP) ssl_context_init: set_client_CA_list(wc:\ssl\cacert\ca-bundle.txt)
20190912 10:57:07 (HTTP) ssl_context_init: Acceptable Certificate!
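Checking the log by eye works once, but after every 90-day renewal the same lines need reading again. The following Python is an added example, not Santronics code: it parses wcssl log lines of the form shown above and reports whether the HTTP context came up with an accepted certificate, plus the OpenSSL build and protocol. The sample log is constructed from the excerpt above; the field names, the "warnings" and the TLSv12 threshold are this example's own choices.

```python
import re

# Constructed sample, modelled on the wcssl*.log excerpt above.
SAMPLE_LOG = """\
20190912 10:57:07 Loading WCSSL for application: wchttps.dll
20190912 10:57:07 WCSSL Loaded Successfully.
20190912 10:57:07 Creating SSL Context for HTTP Server
20190912 10:57:07 (HTTP) SSLEAY_VERSION: OpenSSL 1.1.1c-dev  xx XXX xxxx
20190912 10:57:07 (HTTP) WCSSL VERSION : v8.0.454.9
20190912 10:57:07 (HTTP)   protocol: 16 (TLSv12)
20190912 10:57:07 (HTTP) HonorOrder: YES
20190912 10:57:07 (HTTP) ssl_context_init: CA Certificates: 140
20190912 10:57:07 (HTTP) ssl_context_init: client verify: NONE (0)
20190912 10:57:07 (HTTP) ssl_context_init: Acceptable Certificate!
"""

# date, time, optional "(APP)" tag, then the message
LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}) (?:\((\w+)\))?\s*(.*)$")


def parse_log(text):
    """Yield (date, time, app, message) tuples; app is e.g. 'HTTP' or None."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).strip()


def check_context(text, app="HTTP"):
    """Summarise SSL context startup for one application from a wcssl log.

    'ok' is True only when WCSSL loaded and the certificate was accepted.
    'warnings' flags an OpenSSL 1.0.x build (EOL at the end of 2019, per the
    note in step 2) or a negotiated protocol older than TLSv12.
    """
    result = {"loaded": False, "cert_ok": False, "openssl": None,
              "protocol": None, "ca_count": None, "warnings": []}
    for _, _, entry_app, msg in parse_log(text):
        if entry_app is None and msg.startswith("WCSSL Loaded Successfully"):
            result["loaded"] = True
        if entry_app != app:
            continue
        if msg.startswith("SSLEAY_VERSION:"):
            result["openssl"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("protocol:"):
            m = re.search(r"\((\w+)\)", msg)
            result["protocol"] = m.group(1) if m else None
        elif "CA Certificates:" in msg:
            result["ca_count"] = int(msg.rsplit(":", 1)[1])
        elif msg.endswith("Acceptable Certificate!"):
            result["cert_ok"] = True

    if result["openssl"] and result["openssl"].startswith("OpenSSL 1.0"):
        result["warnings"].append("OpenSSL 1.0.x is end-of-life; upgrade to Wildcat! V8+")
    proto = re.match(r"TLSv(\d)(\d*)", result["protocol"] or "")
    if not proto or (int(proto.group(1)), int(proto.group(2) or 0)) < (1, 2):
        result["warnings"].append("protocol older than TLSv12: %s" % result["protocol"])
    result["ok"] = result["loaded"] and result["cert_ok"]
    return result


if __name__ == "__main__":
    import json
    # Usage: python wcssl_logcheck.py < wcssl.log   (or run as-is on the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(json.dumps(check_context(text), indent=2))
```

An "ok" of False right after a restart means the signed certificate was not attached to the pending request in step 4 (or the wrong store was selected), so go back into the Server Certificate Wizard before touching the "Required for all Connections" setting again.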