Friday, March 17, 2017

SignalR on Azure [Part 1] - Intro


In the last month I've been involved in creating a new environment on Azure for a .NET web application which uses SignalR.

Azure is used as infrastructure as a service.

Top requirements for the new environment:

a) Start using the Azure Resource Manager deployment model. The old environment was built using the classic deployment model.

b) Start using a load balancer in front of 2 virtual machines, to build a web farm which can scale out when needed.
The two machines need to be built so that at least one of them is up and running at all times, no matter what.

c) Find the best approach to scale out SignalR in Azure.

d) All of the above are budget constrained.

In the next posts I will try to cover the investigation made and the decisions taken to get to the end result:
a new Azure environment which meets the above expectations.

HTTPS on Windows with IIS certificate using Let's Encrypt

In order to enable HTTPS for a website you need to get a certificate from a Certificate Authority (CA).
Most CAs offer paid certificates.

But Let's Encrypt is a free CA.

To be able to use free certificates from Let's Encrypt you need to demonstrate that you are in control of the domain for which you want a certificate.
This is done using software which uses the ACME protocol.

How you can do this on Windows machines running IIS:

A PowerShell library that provides access to many (but not yet all) commands of the ACME API.

This is an ACME Windows CLI client built in native .NET and aims to be as simple as possible to use.

Certify is a visual GUI-based tool built on top of the ACMESharp library.
It is still in alpha version, but is a promising tool.

The easiest to use, from my point of view, is letsencrypt-win-simple.

Why?
Easy to install and easy to run.

Before running it, make sure that you do the following in IIS:

1. Go to IIS Manager and on the server select Handler Mappings, then View Ordered List from the right menu. Scroll down to find the StaticFile handler and make sure it is above the Extensionless handlers, like in the picture below.




2. In case you have a custom HTTP module running in IIS which removes the Server header from the response, disable it while you are setting up the certificate and also when you are renewing it.

3. On the bindings of the web site for which the certificate is requested, make sure that the host name is filled in, in the binding settings section.

After running the tool you will get the certificate in IIS .

Update: 21/03/2017

After you get the certificate you might want to:

1. Revert the StaticFile handler to its original position.
    Why? If you have an application under your website in IIS, which for example is a Web API, it will no longer work until you revert the StaticFile handler to its original position.


Thursday, March 16, 2017

How to create a cer file from a pfx

If you want to extract client certificates, you can use OpenSSL's PKCS12 tool.

openssl pkcs12 -in input.pfx -out mycerts.crt -nokeys -clcerts

The command above will output the certificate(s) in PEM format. The ".crt" file extension is handled by both macOS and Windows.
You mention the ".cer" extension in the question, which is conventionally used for DER-encoded files (a binary encoding). Try the ".crt" file first and, if it's not accepted, it is easy to convert from PEM to DER:


openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer
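
The difference between the two encodings, as an added example that is not part of the original post: a Python check that tells a PEM file from a DER file, decodes each PEM block to the bytes a ".cer" file would hold, and flags a file that still contains a private key (which is what -nokeys is there to prevent). The sample data is constructed and only DER-shaped, not a real certificate; the function names are assumptions of this example.

```python
import base64
import re

CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def is_der(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30 + valid length)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def inspect_cert_file(data: bytes) -> dict:
    """Classify a certificate file and decode any PEM blocks to DER."""
    # Text such as "Bag Attributes" outside the BEGIN/END markers is ignored.
    ders = [base64.b64decode(b"".join(m.group(1).split()), validate=True)
            for m in CERT_BLOCK.finditer(data)]
    if ders:
        encoding = "pem"
    elif is_der(data):
        encoding, ders = "der", [data]
    else:
        encoding = "unknown"
    return {"encoding": encoding, "certs_der": ders,
            "has_private_key": bool(KEY_BLOCK.search(data))}


# Constructed sample: a DER-shaped blob (SEQUENCE header + 256 filler bytes),
# wrapped the way "openssl pkcs12 -nokeys" prints it. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"Bag Attributes\n    friendlyName: constructed\n"
              b"subject=CN = example.test\n"
              b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("mycerts.crt", SAMPLE_PEM), ("mycerts.cer", SAMPLE_DER)):
        info = inspect_cert_file(blob)
        print(name, info["encoding"], len(info["certs_der"]), info["has_private_key"])
```
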

Thursday, February 23, 2017

.NET Assembly Information

In case you have a bunch of DLLs served by a third party as dependencies of your system, before going live you want to check that all the dependencies are built in release mode.

I found a nice tool which lets you see:
1) Compilation mode Debug\Release.
2) .NET Assembly full name
3) .NET Assembly references recursively

You can find it here: http://assemblyinformation.codeplex.com/

Wednesday, January 18, 2017

How to create .pfx file

In order to use HTTPS in IIS (version 8) we need to import a certificate, which has to be associated with the HTTPS binding.

If you buy or get a free SSL certificate you can convert it to a pfx file like this:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

OpenSSL can be downloaded from here.

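If you have a root CA or intermediate certificate, concatenate them into a single PEM file (called chain.crt here) and pass it with the -certfile parameter. openssl pkcs12 reads only one -in file, so repeating -in does not append the extra certificates:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -certfile chain.crt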

Now that you have the pfx you can just import it in IIS 8 and use it.


Free domain and ssl certificate


In case you are in a rush and you need a free domain and a free certificate to have your website under SSL, you can use the below to achieve this:

freenom.com  - free domains
https://www.sslforfree.com - free certificates