Qlik Community

Ask a Question

Suggest an Idea

Vote for your favorite Qlik product ideas and add your own suggestions.

Announcements
Support Cases coming to Qlik Community Oct. 4! Start chats, open cases, explore resources. Prep for the big move: READ DETAILS

Automated SSL generator using Let's Encrypt

schernov
Creator
Creator

Automated SSL generator using Let's Encrypt

Hi,

Pls add auto generation HTTPS-cerificate while install Qlik Sense Server using https://letsencrypt.org/

Or made option to select : self-signed(windows) , letsencrypt or corporation certificate.

Let's Encrypt is free and open source certificate tool for HTTPS protocol

 

I Think this addition can help to resolve many problems with ssl.

7 Comments
holboxgroup
Contributor
Contributor

yes, i want this too. Generating and maintaining a Letsencrypt certificate is not hard with IIS, however there is no has renewal (thumbprint) within Qliksense.

AndreaR
Partner
Partner

It would be so useful!

Upvote! 😊

davidgasperoni
Contributor
Contributor

FWIW, you can use win-acme  to obtain a certificate and setup automatic renewal... the problem I have is that changing the thumbprint for the proxy node requires copying it by hand and pasting it in the QMC. Does anyone one of a way to perform such a change via command-line or programmatically?

mountaindude
Luminary Alumni
Luminary Alumni

If you are ok with using a reverse proxy such as Traefik in front of Qlik Sense, you can use Traefik to automatically manage the TLS certs for you.

Works really, really well and as a bonus you get observability of the traffic going to Sense. This means things like http/network level stats on how many and what requests are sent to Sense, how many return http errors, response times etc. 

The whole processes for setting up TLS certs with step-by-step instructions is described in the blog post Superpowers to Qlik Sense Enterprise, part 2: Free https certificates from Let’s Encrypt.

 

Disclaimer: I am the author of that blog post and the LinkedIn post. 

davidgasperoni
Contributor
Contributor

Thank you for your response! Though, I think I managed to set up automatic renewal from Let's Encrypt and automated certificate thumbprint update with ahaydon/Qlik-Cli-Windows.

Basically, in the win-acme configuration, I added an extra step after renewal, using `powershell.exe` as script, and as parameter `Update-QlikProxy -id [my-proxy-id] -SslBrowserCertificateThumbprint {CertThumbprint}`. This seems to do the trick!

mathiassen
Partner
Partner

Hi Guys. 
I've tried for a couple of days now - to get the certificate from Letsencrypt. 
But it'll look like It will not update the certificate. 
I've using win-acme and was getting a valid certificate - placed in Personal folder- But even after inserting the thumbprint - it'll still only shows the local selfsifned certificate - when access Qlik ! 

So basicly I have a Valid Certificate from lets encrypt - But even following the different guide and powershell script - it'll still only shows the local selfsigned certificate from the Qlik Installation

What am I missing h

ere - since the problem remains the same! 

Thanks in advance !

davidgasperoni
Contributor
Contributor

Hey @mathiassen ,

Getting the certificate was the hard part in my experience! So I guess you're doing well already! 😁

When I run wacs.exe and choose "Manage renewals" and then "Show details for the renewal", among other stuff this is what it is showing me:

I blurred the id, not that it really is sensitive... but still!I blurred the id, not that it really is sensitive... but still! 

Did you try running that command on it's own? Does it do anything? Actually one more step back: if you manually update the Thumbprint from the QMC, does it work? Does it pickup the certificate and allows for proper browsing of Qlik without security notices?

If yes, then the next step is automation: to recap, you need to install ahaydon/Qlik-Cli-Windows in PowerShell first. Then try to update the Thumbprint with the command that I captured above, making sure you use your correct proxy id. To manually test is enough to launch PowerShell and just type "Update-QlikProxy etc etc...", but when configuring wacs.exe, the "script" to use is the PowerShell executable and everything else is parameters.

I hope this helps!