Using Netcam Studio with Let's Encrypt Free TLS/SSL Certificates

I was able to configure Netcam Studio for https using a free certificate from Let's Encrypt. I have my own domain registered with no-ip.com (www.ngcard.net) and I set up a subdomain for use by Netcam Studio (ww2.ngcard.net); this uses dynamic DNS through no-ip.com. Up until now this subdomain was running on plain old http, so I was starting to see the mixed content issues with my main site.

To create a Let's Encrypt certificate I followed these instructions to install certbot on my Netcam Studio Server. I also had to make sure I port forwarded port 80 to the server because certbot uses this to prove that you own the server and also will automatically renew the certificate every 3 months. It’s safe to leave port 80 open since it will only be live while certbot is doing its thing. I run Netcam Studio on port 8100. Also if you run the Windows Defender Firewall, make sure you allow port 80 traffic for certbot - the certbot installer doesn’t do this for you.
Certbot Instructions | Certbot

I ran the command certbot certonly --standalone

Running certbot will prompt you for some information including the domain you would like to create a certificate for - I entered ww2.ngcard.net. It will then generate a certificate for you and place it in C:\Certbot\live\[certificate_name]. It actually creates several variations. You want to use the one named fullchain.pem.

Since certbot creates pem files you will need to convert it to a pfx. You can do this various ways including online via this site SSL Converter - Convert SSL Certificates to different formats.

Once you have your fullchain.pfx file follow the netcam studio directions for importing the certificate into the Windows certificate store and copying to the Netcam Studio folder, and configuring the Netcam Studio configuration files.

Web browsers are now much happier with my site Neal's Place - Webcams.

3 Likes

Hi,
Thank you very much for this excellent tutorial and sharing this with our users.
-Henrik

Did you do the certificate conversion every 3 months on your own?

Hi,
He writes:

-Henrik

Yes, I read that, but he writes that he has to convert the certificate.

I will let you know when the 1st renewal occurs. I think certbot updates the installed cert, but not certain.

1 Like

Regarding the automatic renewal. There are some other problems to solve. Here’s what I did.

Each time the cert renews, you do need to convert it to a pfx, copy the pfx file to the Netcam Studio folder and also install the cert into the local store. To automate that I did this…

Download and install OpenSSL 64 bit for windows. You’ll end up with a folder that contains openssl.exe.
In this folder create convert.bat and save this in it. Modify the openssl path to wherever you installed it.

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\openssl\convert.ps1""' -Verb RunAs}"

In the same folder create convert.ps1 and save this in it. Again, modify the paths as needed. I’m also assuming you are running Netcamstudio as a service.

Stop-Service -Name "NetcamStudioSvc64"
& c:\openssl\openssl.exe pkcs12 -export -in C:\Certbot\live\ww2.ngcard.net\fullchain.pem -inkey C:\Certbot\live\ww2.ngcard.net\privkey.pem -out C:\openssl\fullchain1.pfx -passout pass:
Copy-Item "C:\openssl\fullchain1.pfx" -Destination "C:\Program Files\Netcam Studio - 64-bit\fullchain1.pfx"
Import-PfxCertificate -FilePath C:\openssl\fullchain1.pfx -CertStoreLocation Cert:\LocalMachine\My
Start-Service -Name "NetcamStudioSvc64"

Modify the “Certbot Renew Task” scheduled task to run as SYSTEM for it to work properly. Also modify the Action to add a posthook parameter to run the above scripts at renewal.

-NoProfile -WindowStyle Hidden -Command "certbot renew --post-hook 'c:\openssl\convert.bat'"

2 Likes

Hi,
Thank you very much for information and solutions!
-Henrik

The certbot link changed.

1 Like

I am good with ngcard’s set of commands until

Import-PfxCertificate -FilePath C:\openssl\fullchain1.pfx -CertStoreLocation Cert:\LocalMachine\My

which causes the error

Import-PfxCertificate : The PFX file you are trying to import requires either a different password or membership in an Active Directory principal to which it is protected.

I have added a password that I don't know where I got at the end of the 2nd line to -passout pass:password
If it is the wrong password, which is where I put my money, how/where do I get the password?
Kent

Are you logged in as an administrator when you do this?

Yes, I am acting as an administrator. From what I see there is a way to set or associate a password with pfx files.
Steve D in his directions

Running Netcam Studio Server on SSL / HTTPS - Windows 10 and 11

writes about adding these lines to the config files. I assume that server.pfx is the name of the pfx certificate file. I can do that, but where does the “WebServerCertificatePass” value “test” come from? Do I set it somewhere? Where and how is that set?

<add key="WebServerCertificate" value="server.pfx" />
<add key="WebServerCertificatePass" value="test" />

He does describe a process for self created certificates, but I am using the Certbot path.

Kent

You have two files in pem-format: fullchain.pem and privkey.pem
Windows uses the pfx format so you must convert pem to pfx.
The pfx format consists of a certificate file xxxx.pfx and a password. In the conversion process from pem to pfx you must manually add a password. Remember that password since it is used in the NCS configuration file.

For the conversion you can either use openssl as ngcard shows above or an online converter website. I don't know why you get the error with openssl, so I recommend doing this first so you know your pem certificate works. I used this online free service SSL Converter - Convert SSL Certificates to different formats
Add files and password as

In return you get the pfx file and remember the password.
Now follow point 1c and 2 in the post Running Netcam Studio Server on SSL / HTTPS - Windows 10 and 11
The name of the certificate is different in my post.

When configurations are done start NCS X server, blue icon. At the bottom it should now state https://computerIP:8100
When you start the clients make sure to enable https.
When this works all is fine with the certificate. If you want to automate like ngcard go back to the openssl and add a password to -passout pass:xxxxx

Thank you Henrik. Here is the PowerShell script I came up with:

#comment
#$DebugPreference="Stop"
#Write-Verbose
Stop-Service -Name "NetcamStudio.Service"

#set password that will be used in ncs config files. Note double quotes are used one place  and single quotes the other
# <add key="WebServerCertificatePass" value="'%3$@yP,[K/vQ'" /> 
$PlainTextPass = '%3$@yP,[K/vQ'

$pfxpass = $PlainTextPass |ConvertTo-SecureString -AsPlainText -Force

& "C:\Program Files\Git\mingw64\bin\openssl.exe" pkcs12 -export -in C:\Certbot\live\1234.no-ip.biz\fullchain.pem -inkey C:\Certbot\live\1234.no-ip.biz\privkey.pem -out D:\batch\fullchain1.pfx -passout pass:$PlainTextPass

Copy-Item "D:\batch\fullchain1.pfx" -Destination "C:\Program Files\Netcam Studio - 64-bit\fullchain1.pfx"
Import-PfxCertificate -FilePath D:\batch\fullchain1.pfx -CertStoreLocation Cert:\LocalMachine\My -Password  $pfxpass
Start-Service -Name "NetcamStudio.Service"
#Write-Output "Press any key to continue ..."
#$host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null
1 Like
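
Added example, not part of any post in this thread: a renewal hook in PowerShell that builds on the scripts above but opens the new PFX with its password before the service is stopped, so a password mismatch like the Import-PfxCertificate error reported earlier leaves the running certificate untouched. The domain, the staging path and the password file are assumptions; the remaining paths and the service name are taken from the posts above and may differ on your install.

```powershell
# Added example (not from the thread). Adjust every path and name to your install.
$ErrorActionPreference = 'Stop'
$OpenSsl  = 'C:\openssl\openssl.exe'
$LiveDir  = 'C:\Certbot\live\cam.example.org'   # placeholder domain (assumption)
$Staging  = 'C:\openssl\staging.pfx'            # assumed scratch location
$Target   = 'C:\Program Files\Netcam Studio - 64-bit\fullchain1.pfx'
$Service  = 'NetcamStudioSvc64'
$PassFile = 'C:\openssl\pfxpass.txt'            # hypothetical one-line file

# Must be the same value as WebServerCertificatePass in the Netcam Studio config.
$plain = Get-Content -LiteralPath $PassFile -TotalCount 1
if ([string]::IsNullOrEmpty($plain)) { throw "Empty password in $PassFile" }
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# env: hands the password to openssl without putting it on the command line.
$env:NCS_PFX_PASS = $plain
try {
    & $OpenSsl pkcs12 -export -in "$LiveDir\fullchain.pem" `
        -inkey "$LiveDir\privkey.pem" -out $Staging -passout env:NCS_PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with $LASTEXITCODE" }
} finally {
    Remove-Item Env:\NCS_PFX_PASS -ErrorAction SilentlyContinue
}

# Open the new PFX with the password before touching the running service.
# Get-PfxData throws here if the password does not match the file.
$leaf = (Get-PfxData -FilePath $Staging -Password $secure).EndEntityCertificates |
    Select-Object -First 1
if (-not $leaf) { throw 'PFX contains no end-entity certificate' }
if ($leaf.NotAfter -le (Get-Date)) { throw "Certificate expired $($leaf.NotAfter)" }

Stop-Service -Name $Service
try {
    Copy-Item -LiteralPath $Staging -Destination $Target -Force
    Import-PfxCertificate -FilePath $Staging -CertStoreLocation Cert:\LocalMachine\My `
        -Password $secure | Out-Null
} finally {
    Start-Service -Name $Service     # restart even if the copy or import failed
    Remove-Item -LiteralPath $Staging -Force -ErrorAction SilentlyContinue
}
"Deployed $($leaf.Subject), thumbprint $($leaf.Thumbprint), valid to $($leaf.NotAfter)"
```

Saved as convert.ps1, it can be started by the same post-hook and elevated batch wrapper shown earlier in the thread.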