
Free SSL Cert for DNN using Let's Encrypt


So you want to use the fairly new Let's Encrypt free SSL cert with your DNN website? Here are the steps to do that. It wasn't as easy as I thought it would be, but I'll save you the suffering.

Before we get started, this assumes you have access to the web server and IIS. This likely won't be of any help if you're using a shared hosting plan.

Step 1 - Preparing DNN

Problem

This was the first gotcha I encountered: during the command-line setup and creation of the cert using Let's Encrypt Win Simple, there is a step where, after creating the cert, it puts a verification file in your website directory (/.well-known/acme-challenge/file name). Since that isn't a DNN page, it causes issues with the DNN URL routing and throws a 404 error, so the file can't be verified and you're stuck.

Solution

In order to get DNN to serve the verification file and not throw a 404, you've got 2 options:

Option 1 - Disable Advanced URL Management (AUM)

This is likely not the best solution, as AUM gives you cool things like pretty URLs (without AUM you'll have site.com/contact.aspx instead of site.com/contact). But if you don't care about that, this is the easiest solution.

Simply replace the "Advanced" urlFormat in web.config with "humanfriendly" as shown below:

<friendlyUrl defaultProvider="DNNFriendlyUrl">
  <providers>
    <clear />
    <add name="DNNFriendlyUrl" type="DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider, DotNetNuke.HttpModules" includePageName="true" regexMatch="[^a-zA-Z0-9 _-]" urlFormat="humanfriendly" />
  </providers>
</friendlyUrl>

Option 2 - Install URL Management Module

This is the preferred method, as it keeps your pretty URLs and gives you additional benefits, though it is more involved.

  1. Download and install the DNN URL Management module
  2. Add the module to your site per its instructions. I added 2 "URL Management" pages, one under Admin and one under Host
  3. Add the module to each of those pages. Once added, it has 2 separate modules, one for admin (portal) and one for host. Delete the instance that doesn't belong
  4. On the page you created under the admin menu, go to the URL Management module and click on the "Regular Expressions" tab
  5. In the first setting, called "Ignore URL Regular Expressions", add the following to the end, inside of the last parenthesis: |\.well-known
  6. Just to clarify, before that change the end of that string looked like "...txt$))"; now it looks like "...txt$)|\.well-known)", without the quotes of course
  7. Now click "Update" at the bottom of the module
  8. You should be all set now. We'll verify that later once we set up the cert.

Step 2 - Setting up the Cert

Prerequisite

If you're planning on redirecting your site so all variations go to one place (i.e. www.domain.com, domain.com and https://domain.com all point to https://www.domain.com), then do this: set up 2 bindings in IIS for your site, one for www.domain.com and one for domain.com. We'll add the https versions later.

Cert Installation

For this part, I followed this great guide by Rick Strahl and selected his first approach using Let's Encrypt Win Simple.

Here are the basic steps:

  1. Install Win Simple on your web server
  2. Using the command line, cd to the directory for Win Simple. For me this was C:\utilities\LetsEncryptWinSimple
  3. After cd'ing to that directory, simply run LetsEncrypt from there
  4. Now you should see a list of the available IIS site bindings in the command window. Select the one for the site you're setting up (if you followed the prerequisite above, you should see 2 listings, one with and one without www. Pick either one; we'll run this process again for the additional binding).
  5. This is the step where we'll find out if our DNN setup was done properly. If all is well, you'll be prompted with the "Do you want to specify the user the task will run as?" question. If you get a red error about not being able to access the answer file (domain.com/.well-known/acme-challenge/filename), then DNN is still having issues serving that file. Copy the URL of that file and attempt to open it in a browser. If you're getting a 404, then you've got work to do:
    • verify that the folder has the proper access permissions
    • verify that the regex from step 1, option 2 was done properly

Note: If you've got multiple bindings for the same site (www and non-www), then run steps 2-5 again and select the binding that you didn't pick the first time.

If you got through that with no errors, then you're ready for the next step.

Add HTTPS Bindings

The process above should have automatically added bindings for https. Verify that you now have 4 total bindings and that the https bindings use the proper SSL cert (you should have 2 certs, one with and one without www).

Setting Up Automatic Renewals

The certificate renewal task is initially configured to "run only when user is logged on". Here's the easy workaround for that.

While you can just leave it to run under the account the cert was set up with, I chose to create a service account to have it run under.

Step 3 - URL Redirects

You should now be able to navigate to your site and see that it's using https. However, as it currently stands, it accepts domain.com, www.domain.com, https://domain.com and https://www.domain.com. Let's tidy that up.

Add the following rewrite rules in the <system.webServer> tags in your web.config file:

<rewrite>
  <rules>
    <rule name="Redirect non-www to www" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="domain.com" />
      </conditions>
      <action type="Redirect" url="https://www.domain.com/{R:0}" />
    </rule>
    <rule name="http to https" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>

Note: Make sure to replace "domain.com" above with your actual domain.
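To check that the two rules above actually collapse every variant of the site onto https://www.domain.com in a single hop, here is a small reference model of how URL Rewrite evaluates them (wildcard vs. regex matching, condition on {HTTPS}, stopProcessing). This is an added example, not code from the original post or from IIS; "domain.com" and the sample paths are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed values: replace "domain.com" with your real domain, as the post says.
APEX = "domain.com"
CANONICAL = "www." + APEX


def apply_rules(scheme: str, host: str, path: str) -> Optional[str]:
    """Return the Location the rules would redirect to, or None if the request is served.

    `path` is the URL as URL Rewrite sees it: without the leading slash."""
    # Rule 1, "Redirect non-www to www": patternSyntax="Wildcard", so the condition
    # pattern "domain.com" must match the whole HTTP_HOST and "." is literal.
    # "www.domain.com" does not match, which keeps the canonical host out of a loop.
    if fnmatchcase(host, APEX) and fnmatchcase(path, "*"):
        return f"https://{CANONICAL}/{path}"  # {R:0} is the whole matched URL
    # Rule 2, "http to https": regex match on the URL, fires only when {HTTPS} is OFF.
    https_var = "ON" if scheme == "https" else "OFF"
    url_match = re.match(r"(.*)", path)
    if re.match(r"^OFF$", https_var) and url_match:
        return f"https://{host}/{url_match.group(1)}"  # {R:1} is the first capture
    return None  # already https on the canonical host: request is served


def redirect_chain(scheme: str, host: str, path: str) -> List[str]:
    """Follow the model's redirects until a request is served; returns every Location."""
    hops: List[str] = []
    while True:
        location = apply_rules(scheme, host, path)
        if location is None:
            return hops
        hops.append(location)
        scheme, rest = location.split("://", 1)
        host, _, path = rest.partition("/")


if __name__ == "__main__":
    # Each of the four variants should reach the canonical URL in at most one hop.
    for scheme, host in [("http", APEX), ("http", CANONICAL), ("https", APEX), ("https", CANONICAL)]:
        print(f"{scheme}://{host}/contact -> {redirect_chain(scheme, host, 'contact')}")
```

Note that the rules redirect every path, including /.well-known/acme-challenge/ requests, so the challenge file must also be reachable at the canonical https host for renewals to keep working.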

There you have it, you should now be all set with a free SSL cert for your DNN site.

Securing Your IIS Server With Forward Secrecy

Security is a big deal nowadays. Let's be honest, it should have always been a big deal. With the plethora of data breaches in the news, people are starting to take notice and secure things properly.

The first step in making sure your website is secured properly is securing the web server it's hosted on. Here are the steps to do that if you're running your own IIS web server and are planning to use an SSL cert. This should work for IIS 7.5/8.0/8.5.

Testing Your Server

  1. Run your server through this awesome [SSL Server Test](https://www.ssllabs.com/ssltest/) provided by Qualys. You can enter a URL of a site on the server, or an IP address. Make sure to check the "do not show results" box if you don't want the world to see your results (I recommend this, at least on the first attempt, so you don't expose yourself as vulnerable).

  2. Review your results.

    The goal is to get an A or higher. Don't worry if you don't hit that on the first attempt. The SSL test will provide plenty of feedback on what needs to be fixed.

Securing Your Server

If your test results didn't come back as favorable as you'd hoped, here are a few options on how to fix those issues.

Caution: All of these options could potentially cause problems if done incorrectly. Proceed at your own risk!

  1. Google the issues that come up and manually edit the registry (not recommended). That doesn't sound like much fun...let's have a look at some other options.
  2. Download and run IIS Crypto. This free tool allows you to enable/disable security settings with a few clicks using a GUI.
  3. Use this PowerShell script by Alexander Hass to set the security settings to the current best practices.

Redirecting Your Ghost (Pro) SSL Blog

If you've read this article on how to set up Ghost with free SSL, then there are only a few steps left to make sure your SSL-enabled Ghost blog is set up to handle all requests (http, https).

The following steps assume that you've followed all the instructions from the link above, including setting up your custom domain and forcing SSL in your blog settings (found at https://ghost.org/blogs/yourdomain/).

  1. In your Cloudflare account, go to Page Rules
  2. In the URL Pattern box enter https://www.yourdomain.com/*
  3. Now turn on Forwarding and enter https://yourdomain.com/$1
  4. Finally, set Forwarding type to Permanent - 301

Now repeat steps 1-4, but with http instead of https in both of the URLs used.

This setup forwards all requests to https://yourdomain with no www. If you prefer the www on your domain, just flip the forwarding rules above and set your custom domain to the www version in your Ghost blog settings.

IIS 8 - Redirect HTTP to HTTPS

I came across the need to redirect users who typed in http://site to the secured version, https://site. Below are the steps on how to accomplish this.

  1. Make sure you've got the URL Rewrite module installed in IIS. If you aren't sure whether you do or not, you'll find out quickly when you can't find "URL Rewrite" in the steps below. Here are downloads for the 32-bit version or the 64-bit version.
  2. Select your website in IIS and then click on the "URL Rewrite" option in the features pane
  3. Once the URL Rewrite screen is open, click the "Add Rules..." link in the right-hand pane and enter the details as shown below.

  4. Select Blank Rule from the inbound rules section.

  5. Give it a descriptive name
  6. Match URL section:
    • Set Requested URL to Matches the Pattern.
    • Set Using to Regular Expression
    • Set Pattern to (.*)
  7. Conditions section. Click Add
    • Set Condition Input to {HTTPS}
    • Set Check if Input String to Matches the Pattern
    • Set Pattern to ^OFF$
    • Click OK
  8. Actions section

Now all requests to that site should be 301 redirected to the https version of the site.