Configuring IIS7 and ELB for HTTPS using wildcard common name

I have recently been asked to add support for HTTPS on one of our web applications. With little to no experience on how to perform this kind of operation, my first thought was, oh, shouldn’t be too hard, take the certificate and plug it in the web server and let’s go for a drink… not really what happened. I’ll try to give the maximum details with the references to help anyone in this process.

Let’s start by the environment I am running:

  • Couple of IIS7 Web Servers
  • Amazon Elastic Load Balancer (ELB)
  • DigiCert Certificate (any trusted provider should work)
  • Wildcard domain (*.mydomain.com)

To create your certificate you will need to send a CSR to your provider.

For IIS 7 Follow the instruction below:

  1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  2. Click on the server name.
  3. From the center menu, double-click the “Server Certificates” button in the “Security” section (it is near the bottom of the menu).
  4. Next, from the “Actions” menu (on the right), click on “Create Certificate Request.” This will open the Request Certificate wizard.
  5. In the “Distinguished Name Properties” window, enter the information as follows:
    Common Name – The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
    Organization – The legally registered name of your organization/company.
    Organizational unit – The name of your department within the organization (frequently this entry will be listed as “IT,” “Web Security,” or is simply left blank).
    City/locality – The city in which your organization is located.
    State/province – The state in which your organization is located.
    Country/region – If needed, you can find your two-digit country code at http://www.digicert.com/ssl-certificate-country-codes.htm.
  6. Click Next.
  7. In the “Cryptographic Service Provider Properties” window, leave both settings at their defaults (Microsoft RSA SChannel and 2048) and then click next.
  8. Enter a filename for your CSR file.
    Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.

The full tutorial with screenshot and video is located at http://www.digicert.com/csr-creation-microsoft-iis-7.htm

You provider should then generate the SSL certificate and you should be able to download them in appropriate format for IIS. I would recommend using individual .crts in zipped format. You would find bunch of files and the one that will be of interest is the star_mydomain_com.crt. You can now complete your request on IIS by following steps 1 to 3 from the CSR request instructions and then the forth step would be to use the “Complete Certificate Request” from the option pane.

Complete Certificate Request

One important thing to note here is that if you have a wildcard domain the Friendly Name used to complete the CSR should be exactly the same as your common name : *.mydomain.com (this might not seem very important, but you will see the importance afterwards) If you already imported the certificate, you can use the Certificate Services MMC snap-in to change the friendly name of the certificate, find more on this page : http://technet.microsoft.com/en-us/library/cc753195%28v=ws.10%29.aspx

Once done, you can duplicate your certificate for use on your other IIS boxes if any and repeat the same steps.

Let’s jump to the configuration of our Elastic Load Balancer (Amazon ELB) to support HTTPS and import our certificate there. There are several technique and ways to do that. I will use the one that has been working in my case.

Find the basic reference on Amazon Web services ELB documentation http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenarios.html

Amazon Elastic Load Balancer HTTPS Setup

You will need to fill in the following fields:

Certificate Name:* – Any meaningful name to recognized your certificates afterwards

Private Key:* – RSA PRIVATE KEY

Public Key Certificate:* – Public key

This is where it becomes a bit touchy; you don’t have this information from your basic CSR or the certificate you need to use OpenSSL to generate them.

First you need to SSL Certificate / Export your private key, try these steps:

  1. Start the Microsoft Management Console  > Run mmc.exe
  2. Click the ‘Console’ menu and then click ‘Add/Remove Snap-in’.
  3. Click the ‘Add’ button and then choose the ‘certificates’ snap-in and click on ‘Add’.
  4. Select ‘Certificates’ and click ‘Add’.
  5. Select ‘Computer Account’ then click ‘Next’.
  6. Select ‘Local Computer’ and then click ‘OK’.
  7. Click ‘Close’ and then click ‘OK’.
  8. Expand the menu for ‘Certificates’ and click on the ‘Personal’ folder.
  9. Right click on the certificate that you want to export and select ‘All tasks’ > ‘Export’.
  10. A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.

You can find the illustrated tutorial on this page: http://nl.globalsign.com/en/support/ssl+certificates/microsoft/all+windows+servers/export+private+key+or+certificate/
You need to have OpenSSL on your machine for the next step http://www.openssl.org/

Export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the passphrase from the private key

openssl rsa -in key.pem -out server.key

Use the data in the server.key file for the Private Key:* required by ELB and you will now need to download a PEM version of your SSL certificate from your provide which will include all keys. Then take the first part of
—–BEGIN CERTIFICATE—–
Lots of fancy HEX here!!!
—–END CERTIFICATE—–

Copy and paste it in the Public Key Certificate:* and Amazon ELB should accept your certificate.

Update #1 for configuration of ELB:

There is also one more thing that would avoid configuration of ELB, you can just set the TCP port 443 as inbound and outbound and your web server will act as the SSL termination. This should work straight forward.

HTTP Logs Analysis using Microsoft Log Parser

While there are several tools freely available on the web to analyze your website traffic and they are doing great at this (Google AnalyticsGoogle Webmaster ToolBing Webmaster tool …). These tools provide great and free value to track your traffic and troubleshoot potential issues on your website. As any tool available they have some limitations and the need to find alternative/complementary solutions becomes necessary.

In this post I will discuss the use of Microsoft Log Parser to analyze “hits” on your web server  Any website of different size or complexity comes to have these different types of problems with time:

1)    Change of URL
2)    Removing old pages
3)    Error pages

To some extend the tools mention above will show you these errors, but they might not be exactly what you seek in a real data analysis perspective. Let’s take for example Error pages, some of your pages crashes sending HTTP 500 Status Code, you might not be able to recover data using the normal Google Analytics Javascript depending of how you are treating these crashes.

One way to get access to these data is to analyze you web server logs (if they are active of course). So as not to get too detailed in the explanation find below some utility code that will help you troubleshoot issues in your application. (After installing Log Parser you will be able to run the below syntax from command line)

HTTP 200 OK from Google Bots
[SQL]
LogParser.exe “SELECT date, count(*) as hit INTO HTTP200.jpg FROM Path\to\Logs\*.log WHERE cs(User-Agent) LIKE ‘%%google%%’ AND sc-status = ‘200’ GROUP BY date ORDER BY date” -i:w3c -groupSize:800×600 -chartType:Area -categories:ON -legend:OFF -fileType:JPG -chartTitle:”HTTP 200 Hits”
[/SQL]

HTTP 301 Permantly Moved Google Bots
[SQL]
LogParser.exe “SELECT date, count(*) as hit INTO HTTP301.jpg FROM Path\to\Logs\*.log WHERE cs(User-Agent) LIKE ‘%%google%%’ AND sc-status = ‘301’ GROUP BY date ORDER BY date” -i:w3c -groupSize:800×600 -chartType:Area -categories:ON -legend:OFF -fileType:JPG -chartTitle:”HTTP 301 Hits”
[/SQL]

HTTP 4xx Not Found / Gone Google Bots
[SQL]
LogParser.exe “SELECT date, count(*) as hit INTO HTTP4xx.jpg FROM Path\to\Logs\*.log WHERE cs(User-Agent) LIKE ‘%%google%%’ AND sc-status >= 400 AND sc-status < 500 GROUP BY date ORDER BY date” -i:w3c -groupSize:800×600 -chartType:Area -categories:ON -legend:OFF -fileType:JPG -chartTitle:”HTTP 4xx Hits”
[/SQL]

These queries will produce nice graphs of how much HTTP 200,301,4xx hits you receive per day while the Google bot is crawling you site.

You can also easily find out the same thing for your users by changing the cs(User-Agent) LIKE ‘%%google%%’ to cs(User-Agent) NOT LIKE ‘%%bot%%’.

Of course these are approximated to a certain level, because not all bots add the keyword “bot” to use user-agent.

Hoping this can come in handy. If you have more queries to share, drop by and put a comment.
Further readings :

http://blogs.iis.net/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx

http://logparserplus.com/

Using windows hosts file

Windows hosts file, located under “[SystemDriveLetter]:\Windows\System32\drivers\etc” is very useful when you have to test your web applications hosted either locally or on a remote server and you do not wish to map them to your DNS.

Let’s take an example where you have a website named : http://www.my-simple-web-application.com. You will most likely have 3-4 versions of the application dev, preprod, test, live (where live would be http://www.my-simple-web-application.com)

To facilitate testing you could come up with a standard way of addressing these environments :

http://dev.my-simple-web-application.com
http://preprod.my-simple-web-application.com
http://test.my-simple-web-application.com

Each of these sub-domains might point to the same or different servers. This is where the hosts file comes handy, you can configure something like :

127.0.0.1 dev.my-simple-web-application.com
127.0.0.1 preprod.my-simple-web-application.com
127.0.0.1 test.my-simple-web-application.com

In this example all IP addresses are local, you can change them as needed, beware that this configuration should be place on each desktop (development and test) that you want to use these sub-domains.

On another note, this configuration can also be achieve network wide if you have a configurable router where you can add global hosts.

There a number of other situations where hosts file can be helpful :
1) You are migrating your website to a new server, in this case you can specify you existing domain name in the hosts file and point it to the IP of the new server
2) You have multiple web servers hosting the same application and one of them is not working properly you can target the mischievous server and change your host file to point only this server.

IIS: Redirection from non-www to www domain

The problem today, is that we have a great asp.net website but search engines are indexing the http://greataspnetwebsite.com instead of http://www.greataspnetwebsite.com, this is commonly seen on the web and there are several ways to archive a good result for making the non-www to www domain. This redirection should be a 301 Permanently Moved, otherwise you will might lose your search engine indexed page or become duplicate content for your non-www and www domain. Here are easy steps how to archive a quick and clean Permanent Redirection using IIS.

Consider the case where we already have a website in IIS called: greataspnetwebsite.com

  • Go to IIS Manager
  • Create a new website that point to the same directory as your existing one
  • Select the newly created website, open the properties box
  • In the option button “When connecting to this resource the content should come from” should be change to “A redirection to a URL
  • Specify the URL http://www.greataspnetwebsite.com
  • Select the check box that says “A permanent redirection for this resource.”

IIS Log Archiving

You need to archive your IIS Log often so as not to get your log folder full with HTTP Logs.

I have been searching for some quick implemented solutions for performing this IIS Log archiving task and found some quiet nice discussions and article about it. Here are the links to the different post and forums that talk about a solution to solve this issue:

http://blogs.thesitedoctor.co.uk/tim/2007/02/10/Automatically+Delete+Old+IIS+Log+Files.aspx

http://www.iislogs.com/ (Tool to automate maintenance of IIS Log)

http://forums.webhostautomation.com/showthread.php?t=5053

http://forums.iis.net/p/1022450/1388469.aspx

On my side i need something with a bit more functionality so, i modified some of the scripts that i could find on the different article related above and came up with a solution that can.

  • Compress each log file found in your websites folder
  • FTP the compressed files on a foreign server ( Keeping historic of your IIS log ) Uses Chillkat Free FTP ActiveX
  • Delete them from your disk afterward

You can launch this process everyday and there will be no log that is older than a specified number of days on your server.

Requirement for this solution to work:

You can download the script here.

See the entire script in the full post.

Continue reading…

Web based Adobe Photoshop anounced

This announcement was made by Adobe chief executive on 27/02/2007.

Hoping to get a jump on Google and other competitors, Adobe Systems plans to release a hosted version of its popular Photoshop image-editing application within six months, the company’s chief executive said Tuesday.

Yes that what it is about… one or the most biggest guys in photo/video editing software industry building up PC/MAC Applications is trying to go WEB. Creating a free open web space build up on the popular photoshop software, with ads as main revenue. They have have already shown themselves up with Adobe’s Remix that will be provided free of use to all Photobucket members soon.

How is it gonna be. We’ll Adobe take out the WHOLE Web market on photo editing online… for that we’ll have to wait and see.

Sources:
Cnet
Techcrunch
Webware

Migration from shared hosting to MediaTemple(mt) Grid-Server(gs)

As from today, wacdesigns.com will be hosted by Media Temple (mt) with the Grid-Server (gs) technology 🙂 so a quick explanation about Media Temple offer.

Featuring…

  • 100 GBs of premium storage
  • 1 TB of short-path bandwidth
  • Host up to 100 individual sites
  • 1000 email accounts
  • 64 MB Ruby/Mongrel container
  • and much more…

The (gs) Grid-Server currently features the following versions of software:

  • PHP 4.4.4
  • PHP 5.1.6
  • Perl v5.8.4
  • Python v2.3.5
  • Apache 2.0.54
  • MySQL 4.1.11
  • PostgreSQL 7.4.7

The grid-server compared to the shared hosting packages provided a better handling of what is commonly known as the “bad neighbor effect“… read more here.

The migration from my old hosting plan on another server to Media Temple was quiet tricky, got issues like character encoding and the tool provided by MySQL for data migration is, how can i say, i bit difficult to handle compared to DTS tool provided by SQL Server… Finally i managed to get my data to the new server manually by generating INSERT Scripts…. 🙁

But now that’s its done i am pretty good, and i can now begin to get some pretty good things going on the blog, since i have much much more webspace and bandwidth 😉