Implementing SSL

View Categories

This guide will focus on implementing SSL for your Xojo standalone Web Edition applications on CentOS 7. Some of the commands may operate on other Operating Systems, but those will not be covered here. This will, regardless of Linux flavor, give you a general idea of what you need to do in order to secure communications with your Xojo-built web application via HTTPS.

What You Need #

  • A Xojo Web Edition project to secure
  • Domain Name for your application
  • A working Xojo standalone Web Edition application

Optional Materials #

Lifeboat (Alternative method) #

For an all-in-one Xojo Web application management application that makes all of this (and so much more) super simple, you should check out Lifeboat.

Webmin (Supplementary tool) #

Webmin is a very nice package for server management that will make many of the operations detailed below a lot simpler, such as setting up a startup service for your app and setting up the renewal cron job. Be advised, though, that it does have a decent sized memory footprint and won’t do well on Virtual Private Servers with very little resources.

Xojo Instructions #

The key to making all of this work for your standalone application while debugging is in the build settings. We have to provide a few additional command-line parameters for Xojo. These parameters will tell the binary to listen on the SSL port, and use the certificate file we’ll be generating later.

  • In the Xojo Project Navigator, select “Shared” under “Build Settings”
  • In the Inspector on the right, you will now see “Command Line Arguments” in the “Debug” section
  • In the “Command Line Arguments” field, enter –secureport=<HTTPSPORT> –maxsecuresockets=<#SOCKETS>, replacing <HTTPSPORT> and <#SOCKETS> with values appropriate for your server. Also note that, in the above, is actually two dashes.

Server Instructions #

Before continuing, make sure your application runs on the server and setup a startup service for your application.

Installing Certbot #

Fill out the form on this page to get system-specific instructions for installing certbot. Select “Other” in the “Software” popupmenu.

Getting a Certificate #

To register and retrieve the certificate for our purposes, we use the standalone method:

certbot certonly --standalone -d <YOURDOMAIN> --email <YOUREMAIL> --agree-tos

Assuming this has completed successfully, the necessary certificate files will be placed in /etc/letsencrypt/live/<YOURDOMAIN>/

Building the CRT File #

Xojo Web Edition applications require a specific setup for your certificate. Assuming, in your Xojo Build Settings for Linux, that you’ve set your Linux App Name to “myApp”, you’ll be combining the fullchain.pem and privkey.pem files from your /etc/letsencrypt/live/<YOURDOMAIN>/ directory in to a single file named “myApp.crt”. You can do this manually and transfer the file via SSH or FTP, or you can use the Linux cat command. In this example, we’ll assume you want to use the Linux cat command.

The following command will properly concatenate the two files, and place the result in your web application’s directory as specified by <PATHTOAPP>:

cat /etc/letsencrypt/live/<YOURDOMAIN>/fullchain.pem /etc/letsencrypt/live/<YOURDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt

Now you can start your Xojo Web Edition application, and it should be running in HTTPS mode on the port previously specified with a valid LetsEncrypt certificate.

Renewals #

Your spiffy new LetsEncrypt certificate will expire every three months, meaning every three months (at least) you need to renew it. This can be done manually by using the following SSH commands:

certbot renew
cat /etc/letsencrypt/live/<APPDOMAIN>/fullchain.pem /etc/letsencrypt/live/<APPDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt

Or you can automate it with a cron job, which is the recommended method. It’s simple enough to find instructions for cron automation, so we’ll just cover the commands that your job needs to execute in a generic systemd OS:

systemctl stop <APPSERVICENAME>
certbot renew
cat /etc/letsencrypt/live/<APPDOMAIN>/fullchain.pem /etc/letsencrypt/live/<APPDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt
systemctl start <APPSERVICENAME>