yes, i want this too. Generating and maintaining a Letsencrypt certificate is not hard with IIS, however there is no has renewal (thumbprint) within Qliksense.

It would be so useful!

Upvote! 😊

FWIW, you can use win-acme  to obtain a certificate and setup automatic renewal... the problem I have is that changing the thumbprint for the proxy node requires copying it by hand and pasting it in the QMC. Does anyone one of a way to perform such a change via command-line or programmatically?

If you are ok with using a reverse proxy such as Traefik in front of Qlik Sense, you can use Traefik to automatically manage the TLS certs for you.

Works really, really well and as a bonus you get observability of the traffic going to Sense. This means things like http/network level stats on how many and what requests are sent to Sense, how many return http errors, response times etc. 

The whole processes for setting up TLS certs with step-by-step instructions is described in the blog post Superpowers to Qlik Sense Enterprise, part 2: Free https certificates from Let’s Encrypt.

Disclaimer: I am the author of that blog post and the LinkedIn post. 

Thank you for your response! Though, I think I managed to set up automatic renewal from Let's Encrypt and automated certificate thumbprint update with ahaydon/Qlik-Cli-Windows.

Basically, in the win-acme configuration, I added an extra step after renewal, using `powershell.exe` as script, and as parameter `Update-QlikProxy -id [my-proxy-id] -SslBrowserCertificateThumbprint {CertThumbprint}`. This seems to do the trick!

Hi Guys. 
I've tried for a couple of days now - to get the certificate from Letsencrypt. 
But it'll look like It will not update the certificate. 
I've using win-acme and was getting a valid certificate - placed in Personal folder- But even after inserting the thumbprint - it'll still only shows the local selfsifned certificate - when access Qlik ! 

So basicly I have a Valid Certificate from lets encrypt - But even following the different guide and powershell script - it'll still only shows the local selfsigned certificate from the Qlik Installation

What am I missing h

ere - since the problem remains the same! 

Thanks in advance !

Hey @mathiassen ,

Getting the certificate was the hard part in my experience! So I guess you're doing well already! 😁

When I run wacs.exe and choose "Manage renewals" and then "Show details for the renewal", among other stuff this is what it is showing me:

I blurred the id, not that it really is sensitive... but still! 

Did you try running that command on it's own? Does it do anything? Actually one more step back: if you manually update the Thumbprint from the QMC, does it work? Does it pickup the certificate and allows for proper browsing of Qlik without security notices?

If yes, then the next step is automation: to recap, you need to install ahaydon/Qlik-Cli-Windows in PowerShell first. Then try to update the Thumbprint with the command that I captured above, making sure you use your correct proxy id. To manually test is enough to launch PowerShell and just type "Update-QlikProxy etc etc...", but when configuring wacs.exe, the "script" to use is the PowerShell executable and everything else is parameters.

I hope this helps!

the shortcut way is:

- install IIS on the same server on qlik sense

- change Qlik Sense proxy port (for example 8080 to http and 4343 for https)

- configure IIS for proxy reverse to localhost 8080 and localhost 4343

- using ACME for certificate IIS.

That's fine if you have your Qlik Sense server exposed publicly though. 

Thanks @Chernov for the idea and we know it has been here for a while. We did some investigation and we have to unfortunately let you know that we are not able to change the installer flow like that. You can of course configure the deployment with your certificate of choice via the QMC, but after the installation has finished.

Best regards,

Thomas