How to: Let’s Encrypt certificates with Indy HTTP Server

This article guides you through the setup for a simple HTTPS server using Let’s Encrypt certificates.

Download the project source

The example project is included in the Daraja demo folder at https://github.com/michaelJustin/daraja-framework/tree/master/demo/https. You may use the project IndyHttpsTest with Delphi 6 or later, or with the Lazarus IDE. This stand-alone project only requires the Indy library, it does not depend on the Daraja HTTP framework.
Three lines in the project specifiy the domain certificate, the domain certificate key and the intermediate certificate:

...

IOHandler := TIdServerIOHandlerSSLOpenSSL.Create;
IOHandler.SSLOptions.CertFile := 'cert.pem';  // domain certificate
IOHandler.SSLOptions.KeyFile := 'key.pem';  // domain key
IOHandler.SSLOptions.RootCertFile := 'cacert.pem'; // intermediate certificate
IOHandler.SSLOptions.Mode := sslmServer;

...

Install the OpenSSL DLLs

The OpenSSL libraries can be downloaded from https://github.com/IndySockets/OpenSSL-Binaries (note that there are different versions for 32 and 64 bit applications). Extract the archive and copy the DLLs to the daraja-framework\demo\https folder.

Intermediate certificate

Let’s Encrypt uses an intermediate certificate which is available for download at https://letsencrypt.org/certificates/ –

From the Intermediate Certificates section, download the active intermediate certificate, copy it to the daraja-framework\demo\https folder, and rename it to cacert.pem

Server certificate and key

Now you need your server certificate and key files. An easy way to do this is the free ‘SSL Certificate Wizard‘ at https://zerossl.com/ – this service allows to create Let’s Encrypt certificates for your web domain.

Domain verification

Before you can download server certificate and key, the ZeroSSL certificate wizard must verify that the domain is under your control. Verification options are HTTP or DNS based. To verify domain ownership using HTTP verification, you will need to create appropriate files with specific text strings under your “<webroot>/.well-known/acme-challenge/” directory. Only after ZeroSSL checked these files, your certificate will be issued.

Finally, you need to download the files domain-crt.txt and domain-key.txt from the last page of the SSL Certificate Wizard.

Certificate installation

Copy the files domain-crt.txt and domain-key.txt to the project daraja-framework\demo\https folder with the names cert.pem and key.pem

Ready to launch

Verify the certificate chain

You may inspect the certificate properties in Windows if you copy or rename domain-crt.txt to domain.crt and double-click to open it. The certificate information window willl show the certificate properties (validity period etc.) and the certification chain:

Local test

Compile and start the IndyHttpsTest project in the folder daraja-framework\demo\https. The program will launch your default web browser and navigate to https://127.0.0.1. As the certificate is not issued for 127.0.0.1, the browser will display a security warning which displays the name mismatch.

Only if the server runs on the web server which the certificate has been issued for, browsers will accept the certificate without warnings.

Disclaimer

Please understand that this how to guide is only meant to be a short introduction into SSL/TLS certificate usage and you should always be aware of potential security risks.