Free SSL Cert for DNN using Let's Encrypt

So you want to use the fairly new Let's Encrypt free SSL cert with your DNN website? Here are the steps to do that. It wasn't as easy as I thought it would be, but I'll save you the suffering.

Before we get started, this assumes you have access to the web server and IIS. This likely won't be of any help if you're using a shared hosting plan.

Step 1 - Preparing DNN

Problem

This was the first gotcha I encountered. During the command-line setup and creation of the cert, Let's Encrypt Win Simple has a step that, after creating the cert, puts a verification file in your website directory (/.well-known/acme-challenge/file name). Since that isn't a DNN page, it causes issues with the DNN URL routing and throws a 404 error. The file can't be verified, so you're stuck.

Solution

In order to get DNN to serve the verification file and not throw a 404, you've got 2 options:

Option 1 - Disable Advanced URL Management (AUM)

This is likely not the best solution, as AUM gives you cool things like pretty URLs (without it, instead of site.com/contact you'll have site.com/contact.aspx). But if you don't care about that, this is the easiest solution.

Simply replace "Advanced" urlFormat in web.config with "humanfriendly" as shown below:

<friendlyUrl defaultProvider="DNNFriendlyUrl">
  <providers>
    <clear />
    <add name="DNNFriendlyUrl" type="DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider, DotNetNuke.HttpModules" includePageName="true" regexMatch="[^a-zA-Z0-9 _-]" urlFormat="humanfriendly" />
  </providers>
</friendlyUrl>

Option 2 - Install URL Management Module

This is the preferred method, as it keeps your pretty URLs and gives you additional benefits. Though it is more involved.

  1. Download and install DNN URL Management module
  2. Add the module to your site per instructions. I added 2 "URL Management" pages, one under Admin and one under Host
  3. Add the module to each of those pages. Once added, it has 2 separate modules, one for admin (portal) and one for host. Delete the instance that doesn't belong
  4. On the page you created under the admin menu, go to the URL Management module and click on the "Regular Expressions" tab
  5. In the first setting called "Ignore URL Regular Expressions" add the following to the end, inside of the last parenthesis: |\.well-known
  6. Just to clarify, before that change the end of that string looked like "...txt$))", now it looks like "...txt$)|\.well-known)" without the quotes of course
  7. Now click "Update" on the bottom of the module
  8. You should be all set now. We'll verify that later once we set up the cert.

Step 2 - Setting up the Cert

Prerequisite

If you're planning on redirecting your site so all variations go to one place (i.e. www.domain.com, domain.com, https://domain.com all point to https://www.domain.com), then do this first:
Set up 2 bindings in IIS for your site, one for www.domain.com and one for domain.com. We'll add in the https versions later.

Cert Installation

For this part, I followed this great guide by Rick Strahl and selected his first approach using Let's Encrypt Win Simple.

Here are the basic steps:

  1. Install Win Simple on your web server
  2. Using the command line, cd to the directory for Win Simple. For me this was C:\utilities\LetsEncryptWinSimple
  3. After cd'ing to that directory, simply run LetsEncrypt in that directory
  4. Now you should see a list of the available IIS site bindings listed in the command window. Select the one for the site you're setting up (If you followed the prereq above, you should see 2 listings, one with and one without www. Pick either one and we'll run this process again for the additional binding).
  5. == This is the step where we'll find out if our DNN setup was done properly. == If all is well, you'll be prompted with the "Do you want to specify the user the task will run as?" question. If you get a red error about not being able to access the answer file (domain.com/.well-known/acme-challenge/filename), then DNN is still having issues serving that file. Copy the URL to that file and attempt to open it in a browser. If you're getting a 404, then you've got work to do:
    • verify that folder has proper access permission
    • verify the regex from step 1, option 2 was done properly
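
A pre-flight version of the check in step 5, as an added example (not part of the original post or of Win Simple): it drops a constructed, extensionless test file into the challenge folder and requests it over HTTP the way the validation does. The site path and host name are assumptions to replace with your own.

```powershell
# Added example: pre-flight check that the site serves ACME challenge files.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\dnn',  # assumption: physical path of the IIS site
    [string]$HostName = 'www.domain.com'           # binding about to be validated
)

$dir = Join-Path $SiteRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Constructed test token: extensionless, like a real challenge file.
$token   = 'preflight-' + [guid]::NewGuid().ToString('N')
$content = 'preflight-check'
$file    = Join-Path $dir $token
[IO.File]::WriteAllText($file, $content)

# IIS refuses extensionless static files without a MIME mapping, so add one
# for this folder unless a web.config is already there.
$cfg      = Join-Path $dir 'web.config'
$wroteCfg = -not (Test-Path $cfg)
if ($wroteCfg) {
    [IO.File]::WriteAllText($cfg, @'
<configuration><system.webServer><staticContent>
  <remove fileExtension="." />
  <mimeMap fileExtension="." mimeType="text/plain" />
</staticContent></system.webServer></configuration>
'@)
}

$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    $body = [Text.Encoding]::ASCII.GetString($resp.RawContentStream.ToArray())
    if ($body -eq $content) {
        Write-Output "OK: $url returned the test file"
    } else {
        Write-Output "FAIL: $url answered, but not with the file (DNN probably rendered a page)"
    }
} catch {
    $r = $_.Exception.Response
    $status = if ($r) { [int]$r.StatusCode } else { 'no HTTP response' }
    Write-Output "FAIL: $status for $url (on a 404, recheck folder permissions and the ignore regex)"
} finally {
    # Leave nothing behind in the challenge folder.
    Remove-Item $file -Force -ErrorAction SilentlyContinue
    if ($wroteCfg) { Remove-Item $cfg -Force -ErrorAction SilentlyContinue }
}
```

Save it as a .ps1 file and run it on the web server once per binding, passing -HostName for each.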

** If you've got multiple bindings for the same site (www and non-www) then run steps 2-5 again and select the binding that you didn't pick the first time **

If you got through that with no errors, then you're ready for the next step.

Add HTTPS Bindings

The process above should have automatically added bindings for https. Verify that you now have 4 total bindings and that the https bindings use the proper SSL cert (you should have 2 certs, one with and one without www).

Setting Up Automatic Renewals

The certificate renewal task is initially configured to "run only when user is logged on". Here's the easy workaround for that.

While you can just leave it to run under the account the cert was set up with, I chose to create a service account to have it run under.

Step 3 - URL Redirects

You should now be able to navigate to your site and see that it's using https. However, as it currently stands, it accepts domain.com, www.domain.com, https://domain.com, and https://www.domain.com. Let's tidy that up.

Add the following rewrite rules in the <system.webServer> tags in your web.config file:

<rewrite>
  <rules>
    <!-- Requests for the bare domain go to https://www.domain.com -->
    <rule name="Redirect non-www to www" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="domain.com" />
      </conditions>
      <action type="Redirect" url="https://www.domain.com/{R:0}" />
    </rule>
    <!-- Anything still arriving over plain HTTP goes to HTTPS on the same host -->
    <rule name="http to https" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>

== Note: Make sure to replace "domain.com" above with your actual domain. ==

There you have it, you should now be all set with a free SSL cert for your DNN site.