Friday, March 17, 2017
SignalR on Azure [Part 1] - Intro
In the last month I've been involved in creating a new environment on Azure for a .NET web application which uses SignalR.
Azure is used as infrastructure as a service.
Top requirements for the new environment:
a) Start using the Azure Resource Manager deployment model. The old environment was built using the classic deployment model.
b) Start using a load balancer in front of 2 virtual machines, to build a web farm which can scale out when needed.
The two machines need to be built so that at least one is up and running at all times, no matter what.
c) Find the best approach to scale out SignalR in Azure.
d) All of the above are budget constrained.
In the next posts I will try to cover the investigation made and the decisions taken to get to the end result:
a new Azure environment which meets the above expectations.
HTTPS on Windows with IIS certificate using Let's Encrypt
In order to enable HTTPS for a website you need to get a certificate from a Certificate Authority (CA).
Most CAs offer paid certificates.
But Let's Encrypt is a free CA.
To be able to use free certificates from Let's Encrypt you need to demonstrate that you are in control of the domain for which you want a certificate.
This is done using software which uses the ACME protocol.
How you can do this on Windows machines running IIS:
A PowerShell library that provides access to many (but not yet all) commands of the ACME API.
This is an ACME Windows CLI client built in native .NET that aims to be as simple as possible to use.
Certify is a GUI-based tool built on top of the ACMESharp library.
It is still in alpha version, but is a promising tool.
The easiest to use, from my point of view, is letsencrypt-win-simple.
Why ?
Before running it, make sure that you do the following in IIS:
1. Go to IIS Manager and, on the server, select Handler Mappings, then View Ordered List from the right menu. Scroll down to find the StaticFile handler and make sure it is above the Extensionless handlers, like in the picture below.
2. In case you have a custom HTTP module running in IIS which removes the Server header from the response, disable it while you are setting up the certificate and also when you are renewing it.
3. On the bindings of the web site for which the certificate is requested, make sure that the host name is filled in the binding settings section.
After running the tool you will get the certificate in IIS.
Update: 21/03/2017
After you get the certificate you might want to:
1. Revert the StaticFile handler to its original position.
Why? If you have an application under your website in IIS, for example a web API, it will no longer work until you revert the StaticFile handler to its original position.
Thursday, March 16, 2017
How to create a cer file from a pfx
If you want to extract client certificates, you can use OpenSSL's PKCS12 tool.
openssl pkcs12 -in input.pfx -out mycerts.crt -nokeys -clcerts
The command above will output certificate(s) in PEM format. The ".crt" file extension is handled by both macOS and Windows.
You mention the ".cer" extension in the question, which is conventionally used for DER encoded files, a binary encoding. Try the ".crt" file first and, if it's not accepted, it is easy to convert from PEM to DER:
openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer
Labels:
Certificates,
ClientCertificate,
IIS,
Openssl,
SSL
Thursday, February 23, 2017
.NET Assembly Information
In case you have a bunch of DLLs supplied by a third party as dependencies of your system, before going live you want to check that all the dependencies are built in release mode.
I found a nice tool which lets you see:
1) Compilation mode Debug\Release.
2) .NET Assembly full name
3) .NET Assembly references recursively
You can find it here: http://assemblyinformation.codeplex.com/
Labels:
.Net,
Compilation,
Dependency,
DLL,
GoLive
Wednesday, January 18, 2017
How to create .pfx file
In order to use HTTPS in IIS (version 8) we need to import a certificate, which has to be associated with the HTTPS binding.
If you buy or get a free SSL certificate you can convert it to a pfx file like this:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
OpenSSL can be downloaded from here.
If you have a root CA or intermediate certificate you can append it by supplying multiple -in parameters:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -in intermediate.crt -in rootca.crt
Now that you have the pfx you can just import it in IIS 8 and use it.
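The two OpenSSL procedures on this page (key and certificate into a .pfx, then the certificate back out as .crt and .cer), as an added shell example that is not from the original posts. The self-signed certificate, the password and the temporary directory are constructed for the demo; the script checks that the key matches the certificate before export and that no private key ends up in the extracted files.

```shell
#!/bin/sh
# Added example: key+crt -> pfx -> crt (PEM) -> cer (DER), with sanity checks.
# Subject, password and working directory are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT          # the demo private key does not outlive the run
PASS='demo-only-password'           # constructed value, not a real secret

# SHA-256 of the public key held in a certificate / in a private key file.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pub_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }
fp_pem() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
fp_der() { openssl x509 -inform der -in "$1" -noout -fingerprint -sha256; }

roundtrip() {
    cd "$WORK"
    # Constructed self-signed certificate standing in for the CA-issued one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain.name" \
        -keyout domain.name.key -out domain.name.crt 2>/dev/null

    # Do not build the PFX if the key does not belong to the certificate.
    [ "$(pub_of_cert domain.name.crt)" = "$(pub_of_key domain.name.key)" ] || return 2

    openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key \
        -in domain.name.crt -passout "pass:$PASS"

    # Certificate only: with -nokeys the private key must not appear in the output.
    openssl pkcs12 -in domain.name.pfx -out mycerts.crt -nokeys -clcerts \
        -passin "pass:$PASS" 2>/dev/null
    if grep -q 'PRIVATE KEY' mycerts.crt; then return 3; fi

    openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer

    # The DER file must be the same certificate that went into the PFX.
    [ "$(fp_pem domain.name.crt)" = "$(fp_der mycerts.cer)" ] || return 4
    RESULT=ok
}

roundtrip
echo "round trip: $RESULT"
```

The .pfx holds the private key, so it needs the same protection as the .key file; the .crt and .cer outputs carry only the certificate.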
Free domain and SSL certificate
In case you are in a rush and you need a free domain and a free certificate to have your website under SSL, you can use the services below to achieve this:
freenom.com - free domains
https://www.sslforfree.com - free certificates