Moving to SSL / HTTPS

Recently I have walked the talk and have moved my personal site to HTTPS.

Although I have already moved, redirected and configured many web front ends to use SSL, I hadn't got around to implementing this on my own websites. In comparison, my site is not a transactional site and does no registration – I only use it as my portfolio site as well as a live test environment where I can experiment, learn, validate and do pretty much everything without any impact on anyone but me.

There are a lot of articles out there regarding the pros and cons of having a site over HTTPS. Basically, from what I am reading, it has an additional cost and additional load, but it has to be done.

And thanks to modern tech, the move is fairly easy:

  1. Choose your CA. – Validation and Order
  2. Create CSR – Using a tool or MMC / Inetmgr
  3. Install PFX to your website. – Azure Website Basic Tier and Above.
  4. Auto redirection – using IIS URL Rewrite Rules (Azure) with a demo of TFS Online 🙂

So here’s my contribution to the secure modern web! Happy SSL!


So this exercise got me thinking: we are really in the age of the cloud service already. From requesting certificates to installation, scaling my application and even a source code rebuild-test-deploy scenario, I haven't touched a single MMC or any server directly. The old concepts are still there, from Web Deploy complaining about a file being in use to using IIS Manager to request a CSR and complete the certificate request, but done in a modern way. The difference is that I used to do this over MSTSC, but now I am talking to the web browser. This could have taken days or even weeks, not to mention the misconfiguration from my end, but now I am up and running "as I wish". Hmm. 🙂


Moving to SSL / HTTPS-PART 4

“We deprecated the hosted XAML build controller on July 1st 2017. We recommend that you migrate to our new build system. However if you still need to run XAML builds during the migration then you must set up a private XAML build controller now”.

Yes yes. I forgot to upgrade. Let's move on.

So in order to publish, we just need to log in to our visualstudio.com account and go to the project that we need to publish.

There is a tab called Build and Release, and there should be an Azure web app template.


Once applied, you first need to choose which solution to build and deploy, kinda like WEBDEPLOY before.


Then we need to link our Azure account and then choose which App Service to deploy to.


The link happens when you authorize Visual Studio by logging in to your Azure account. Note that this is a pop-up.


Then click refresh if you don't see your App Service in the drop-down.


Then voila, you can now save, or save and then queue for deployment right away.


This should queue up and warm up an available agent again, like WEBDEPLOY before.


Once the agent fires up the deployment, you will notice that the scripting engine and console are shown and you will see the progress.


Aha! You are still using WEBDEPLOY! Long live web deploy!


NOOOOOOO! Okay, New Relic is giving me a bump. Like the old WEBDEPLOY, the file is in use, so you can't overwrite it and your deployment task will fail.


As I remember, it's just as easy as:

<EnableMSDeployAppOffline>true</EnableMSDeployAppOffline>

Or we could just as easily do a slot deployment and swap slots afterwards. I just remembered that I am on the B1 tier in Azure. There is no slot deployment for that! Great.

I remembered, this is my PERSONAL site; no one visits it or has any use for it. Let's just stop the site.

So let's do this: let's insert two deployment tasks in the build definition. One to stop and one to start, effectively a sandwich before and after deployment. So add an Azure App Service Manager task.


The first one stops the App Service. You know which subscription and App Service to stop.


After the Azure Service Deployment task, we should start the service.


Let's try it out: save the build definition and queue the build!


Aha! Stop worked!


Publishing.. Yes!


Build says it's okay and was deployed successfully.


This got me thinking: we are really in the cloud already, and from requesting certificates to installation, scaling my application and even a source code rebuild-test-deploy, I haven't touched a single MMC or any server directly.

Moving to SSL / HTTPS-PART 3

Azure Websites Basic Pricing Tier (SSL Support)

So you now have an SSL certificate? Let's install it on your Azure Website. I distinctly remember that in order to have a custom domain (without the .azurewebsites.net), you have to be on the D1 Shared instance, which is where I am right now.

So from D1 Shared, I upgraded to B1.


Once upgraded, you can now go to the SSL settings. You can search for it through the web app settings, and in there click Upload Certificate.


Now remember the PFX file that we created in the earlier part? Use that, and use the password that we added when we exported the PFX.


Still within SSL settings, we now have to bind the uploaded SSL certificate to the domain that we want to secure. Click SSL Bindings.


Choose SNI SSL after selecting the hostname and certificate name combination. Then click Add Binding.


So that's it; in just 3 easy steps we already have a working SSL certificate bound to our site.


Now to check, let's go to https://www.johndelizo.com/ using Chrome and IE.


Valid certificate! Sweet!


But our old HTTP-only site is still active. So we may need to automatically redirect visitors from HTTP to HTTPS. URL Rewrite should do this. Let's edit web.config!

So my TFS Online is linked to my Azure Websites. I already have a redirect from before, and this should be a fairly easy web.config change, then build and deploy.


Oh no. I got a message: “We deprecated the hosted XAML build controller on July 1st 2017. We recommend that you migrate to our new build system. However if you still need to run XAML builds during the migration then you must set up a private XAML build controller now”.


I can't believe I never got around to updating my own build! Okay, no time to waste, let's just create a new build definition. Stay tuned for part 4.

Moving to SSL / HTTPS–PART 2

In this Part 2 we are going to get our CER and PFX to be used for Azure.

Create Certificate Signing Request

There is a tool available through the DigiCert website, or you can do it manually over IIS. Since my target is to install this in Azure, I chose to use the tool they provided.


Let's use a Windows PC. I will not have IIS Manager access to my Azure Website, so we need to generate the certificate locally and then install it.


Download the tool, extract and run.


Click the SSL Certificate tab and click Create CSR.


This reminds me of the IIS Manager Create Certificate Request action, but it should be straightforward. Click SSL and then make sure that your info is correct. Then click Generate.


Then copy the result to Notepad, or the clipboard can be enough.


Log back in to your DigiCert account and click the status of your order. There should be a Pending CSR there.


This opens up a pane and you can paste the CSR here.


I chose IIS 10 and then clicked Continue.


Then voila, CSR completed. This will then trigger an email with your .CER attached.


Unzip this to get the .CER and some instructions.


Go back to the DigiCert certificate tool and then import the CER. You need to get the PFX out of this CER.


Once you click Next, just enter your friendly name and then Finish. It should show up in the utility.


Like this:


Now let's export the PFX; just highlight the certificate and then click Export.


Export the private key, use PFX and include all certificates in the path if possible. Click Next.


Yes, like the MMC, you need to provide a password since you are exporting the private key as well.


Then save the PFX file to a location where you can pick it up to install in Azure.


You can now close this tool. Thanks DigiCert!


Moving to SSL / HTTPS–PART 1

Certificate Authority

For my CA I got DigiCert (https://www.digicert.com) through the MVP Program and got a SAN certificate that can be used on multiple domains.

A free alternative would be Let's Encrypt (https://letsencrypt.org/), however you may need to use an Azure Site Extension for this.

I got started with DigiCert by signing up and then doing the verifications. For me, there were only two requirements:

  • A currently active government-issued photo ID (I suggest you don't black out the address) that has your name, address and expiration date.
  • That you have control or ownership of the domain – they will send a link to your postmaster emails. Be sure to check that these are active:

admin@<YOURDOMAIN.COM>
administrator@<YOURDOMAIN.COM>
webmaster@<YOURDOMAIN.COM>
hostmaster@<YOURDOMAIN.COM>
postmaster@<YOURDOMAIN.COM>

I must mention that they have phenomenal customer service and will follow up by phone and email on your certificate order and help you with the requirements.

After the verification they will send you emails confirming it. I got a personal email from an engineer as well as the automated email. Mine just took a few hours after I completed the requirements, and I was able to continue with creating a CSR.
