Gregor Wolf

Use a Let’s Encrypt certificate for SAP HANA or SAP NetWeaver AS ABAP

Are you running SAP HANA Express Edition on one of the cloud providers like AWS, Azure or Google Cloud Platform? Or do you run a NetWeaver AS ABAP Developer Edition or an SAP Cloud Appliance Library instance? Then I think you’re familiar with the security warning message that your browser shows.

I want to show you how you can get rid of this security warning. Below you will find how you can use a free Let’s Encrypt certificate for your SAP HANA or SAP NetWeaver Application Server ABAP. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). Not only is it free, it is also trusted in all current browsers.

These are the basic steps to use a Let’s Encrypt certificate:

  • Make sure your server is accessible with a public DNS entry
  • Check firewall settings and open port 80 (http) from external
  • Create certificate signing request (CSR) in SAP HANA or AS ABAP
  • Install letsencrypt-nosudo using git or copy via scp
  • Run letsencrypt-nosudo to get the CSR signed
  • Import the certificate in SAP HANA or AS ABAP

Public DNS entry for your system

When you’re on Microsoft Azure you can very easily get a DNS entry when you open the Public IP address configuration of your machine. There you can set a DNS name label, which will then be the system’s hostname. The fully qualified domain name (FQDN) consists of the DNS name label and the long name below it ending with .cloudapp.azure.com.

Open firewall on port 80

As the Let’s Encrypt domain validation is done via an HTTP request on port 80, you have to open this port on the firewall.

Install letsencrypt-nosudo

Update 2020-11-11: The project isn’t maintained anymore and the V1 version that it supports doesn’t create new certificates.

Login to your server and clone the letsencrypt-nosudo repository with the following command:

git clone https://github.com/diafygi/acme-nosudo.git

After the repository is cloned, switch into the subfolder that was created:

cd acme-nosudo

Install acme.sh

Follow the installation instructions for acme.sh.

Create certificate signing request (CSR)

For HANA and ABAP you have to store the CSR as domain.csr in the acme-nosudo folder on the server where you’ve installed letsencrypt-nosudo.

HANA

Follow the description Configure HTTPS (SSL) for Client Application Access.

ABAP

Please follow the detailed description at Enabling SSL (HTTPS) on SAP Gateway.

Run letsencrypt-nosudo to get the CSR signed

Please follow the detailed description at How to use the signing script to get the CSR signed.

Run a webserver on port 80

To get your CSR signed, the ACME protocol needs to access a specific file via a web server running on the hostname requesting the certificate. Please find out where the document root of this webserver is located. On the SUSE Linux system where I tested it, it was:

/srv/www/htdocs

Run acme.sh

Follow the instructions in Issue a cert from existing CSR and pass the document root from the previous step via the -w parameter.
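As a pre-flight for the two steps above, this added example (not part of the original post or of acme.sh) drops a probe file in the directory under the document root where ACME HTTP validation expects challenge files and checks that it comes back over port 80. The function names and the preflight.sh file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify document root and port 80 before running acme.sh -w.

# fetch URL -> response body on stdout; kept separate so it can be swapped out.
fetch() { curl -fsS --max-time 10 "$1"; }

# check_webroot FQDN WEBROOT
# Writes a throw-away probe below WEBROOT/.well-known/acme-challenge/ (the
# path the ACME HTTP validation requests) and confirms the web server on
# FQDN returns exactly that content. Returns 0 on success, 1 if the probe is
# not served, 2 if the directory is not writable for the current user.
check_webroot() {
    fqdn=$1 webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    name="probe-$$"
    token="probe-$$-$(date +%Y%m%d%H%M%S)"

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$name" || return 2

    rc=0
    body=$(fetch "http://$fqdn/.well-known/acme-challenge/$name") || rc=$?
    rm -f "$dir/$name"          # never leave the probe behind

    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Usage: sh preflight.sh <public-fqdn> <document-root>
# On success continue with, for example:
#   acme.sh --signcsr --csr domain.csr -w /srv/www/htdocs
if [ $# -eq 2 ]; then
    if check_webroot "$1" "$2"; then
        echo "OK: $2 is served at http://$1/"
    else
        echo "FAILED: probe not reachable, check firewall and document root" >&2
        exit 1
    fi
fi
```

A failure here means the port 80 firewall rule, the DNS entry or the document root is wrong, which is cheaper to find out locally than through a failed validation at Let’s Encrypt.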

Import the certificate in SAP HANA or AS ABAP

As the final step follow the instructions linked above for the CSR creation to import the certificate that you’ve got from Let’s Encrypt. Before you can import your own certificate you need to import the Let’s Encrypt signing certificate and the ISRG Root OCSP X1 root certificate that you can download from https://letsencrypt.org/certificates/. In ABAP you can import them starting with the root certificate in transaction STRUST. For HANA the best way is to copy all certificates into one text file that you import in one go.

      5 Comments
      Christian Bartels

      Have you already tried to create an ABAP report to automate the process of loading the generated letsencrypt cert chain into strust to fully automate the process?

      Gregor Wolf
      Blog Post Author

      Hi Christian,

      First I've checked if it would be possible to implement an ACME client in ABAP. But as the challenges must be placed directly under the server root that wasn't an option. I've also tried modifying the PSE for the SSL server directly. But that results in an inconsistency with the PSE in STRUST that is stored in the DB. I think the approach by Jakub Filak in his Python script sap_add_trusted_server_cert might be a good start to automate it. Maybe you can give it a try.

      Best regards
      Gregor

      Christian Bartels

      Thanks Gregor. Will look into it.

      Holger Neub

      Hi Gregor,

      This is great. Do you have any experience with setting this up under AS Java (SAP PI)?

      Gregor Wolf
      Blog Post Author

      Hi Holger,

      Should be basically the same. Check out the help / wiki pages on how to configure SSL for AS Java. There will be a step where you create the certificate signing request. Insert that in the step for the CSR and then get the certificate.

      Best regards
      Gregor