Setting up HTTPS: Difference between revisions
Revision as of 13:40, 4 September 2014
Creating a single HTTPS web site on Windows 2008
Install selfssl.exe from the Microsoft site (iis60rkt.exe, available in the neosys nl1 download folder). Only the SSL utility is needed.
However please note that the command is different from the usual one:
 C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999
 Microsoft (R) SelfSSL Version 1.0
 Copyright (C) 2003 Microsoft Corporation. All rights reserved.
 Do you want to replace the SSL settings for site 1 (Y/N)?y
 Error opening metabase: 0x80040154
 C:\Program Files\IIS Resources\SelfSSL>
- /v:9999 means valid for 9999 days
- /s:866651215 is the site number in this case (site number is shown in IIS management screen)
- /p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
- /n:CN=hostname indicates the full domain name of the site and depends on what you want to use, e.g. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b, or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) if the site is hosted on the client server.
Ignore the "Error opening metabase" error.
Next go to the IIS Manager and make sure the certificate was created and stored. Note that creating a certificate does not make it automatically bind to the website.
Once you have made sure it is created, click on Sites > Default Website and in the right pane select Bindings:
In the Bindings section, click on Add and select https, All Unassigned IP addresses and port 4430, then select the certificate from the drop-down and click OK:
Then test the site from explorer to make sure it works.
Creating a single HTTPS web site on Windows 2003
Install selfssl.exe from the Microsoft site (iis60rkt.exe, available in the neosys nl1 download folder). Only the SSL utility is needed.
Then run:
 C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:866651215 /p:4430 /n:CN=hostname
 Microsoft (R) SelfSSL Version 1.0
 Copyright (C) 2003 Microsoft Corporation. All rights reserved.
 Do you want to replace the SSL settings for site 866651215 (Y/N)?y
 The self signed certificate was successfully assigned to site 866651215.
- /v:9999 means valid for 9999 days
- /s:866651215 is the site number in this case (site number is shown in IIS management screen)
- /p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
- /n:CN=hostname indicates the full domain name of the site and depends on what you want to use, e.g. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b, or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) if the site is hosted on the client server.
You probably made a mistake in the site number if you get the following message.
Error opening site metabase key: 0x80070003
Creating a single HTTPS web site on NEOSYS hosted server
Creating a site in IIS
Each client hosted on nl1/nl1b uses the same IP address, but unique HTTPS port numbers starting from 4431 onwards. Similarly, HTTP also needs to be configured with unique port numbers starting from 8123 onwards. The unique port number should be one greater than the highest port number available on the server under IIS Manager -> NEOSYS -> Sites.
Creating a site in IIS in Windows 2003
The https options are only available after running selfssl (see below).
Creating a site in IIS in Windows 2008
Follow the procedures as explained in "Creating a single HTTPS web site on Windows 2008" and add one port binding each for HTTP and HTTPS.
Testing access to the new HTTPS web site.
Make a subdomain clientname.hosts.neosys.com
Open "https://clientname.hosts.neosys.com:44XX/neosys" in IE where 44XX is the designated port number
If you get a certificate error:
- check that the selfssl /n:CN=clientname.hosts.neosys.com matches the domain name used in IE
- install the certificate into the client computer (double click the padlock, view certificates etc)
Closing all Internet Explorer versions and restarting is necessary for installed certificates to become effective.
Setting up HTTPS for installations with more than 1 database
In cases where there are multiple databases within the same installation, the website can be made accessible via different URLs, one for each database, like database1.hosts.neosys.com and database2.hosts.neosys.com, though they will all finally point to the same website. To assign multiple URLs to the same website, simply repeat the steps for creating and binding an HTTPS website for each HTTPS URL that is required.
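The certificate check from "Testing access to the new HTTPS web site" and the one-certificate-per-URL point above, as an added PowerShell example that is not part of the original page: it compares a certificate's CN with the host name typed in the browser and reports key size and remaining validity. The function name Test-SiteCertificate, the 2048-bit threshold and the in-memory sample certificate are assumptions made for illustration.

```powershell
# Added example, not from the original page. Test-SiteCertificate is a hypothetical helper.
# The constructed sample below needs .NET Framework 4.7.2+ or PowerShell 7.
function Test-SiteCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName,
        [int] $MinKeyBits = 2048   # assumption: minimum acceptable RSA size, not from the page
    )
    # The page's check is CN versus the name typed in the browser, so compare the subject CN.
    $cn  = $Certificate.GetNameInfo('SimpleName', $false)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    [pscustomobject]@{
        HostName          = $HostName
        CommonName        = $cn
        NameMatches       = ($cn -ieq $HostName)     # host names compare case-insensitively
        KeyBits           = $rsa.KeySize
        KeyTooShort       = ($rsa.KeySize -lt $MinKeyBits)
        DaysRemaining     = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
        SelfSigned        = ($Certificate.Subject -eq $Certificate.Issuer)
        # 2.5.29.17 = subjectAltName; current browsers match on it rather than on the CN
        HasSubjectAltName = ($null -ne $Certificate.Extensions['2.5.29.17'])
    }
}

# Constructed sample: an in-memory certificate using the /K:1024 and /V:9999 values
# shown on this page, with CN set to the hosted client name used on this page.
$key  = [System.Security.Cryptography.RSA]::Create(1024)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            'CN=clientname.hosts.neosys.com', $key,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(9999))

# First the name the certificate was issued for, then a second URL for the same site:
# the second row shows NameMatches = False, the mismatch that produces the browser error.
'clientname.hosts.neosys.com', 'database2.hosts.neosys.com' |
    ForEach-Object { Test-SiteCertificate -Certificate $cert -HostName $_ } |
    Format-Table HostName, NameMatches, KeyBits, KeyTooShort, SelfSigned, HasSubjectAltName
```

The function accepts any X509Certificate2 object, for example one read from the `Cert:\LocalMachine\My` store, in place of the constructed sample.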
Creating multiple HTTPS web sites
Bugs
SelfSSL allows only one website to have SSL at a time in Windows 2003. However to avoid any issues in the future the solutions below have been provided for both Windows 2003 and 2008.
The IIS Diagnostics Toolkit has a fixed SelfSSL but doesn't allow full control: http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx
Solution for Windows 2003
Use selfssl as follows:
"Wizard" in the following means IIS, Web Sites, (website), properties, directory security, server certificate, next, Renew/Remove/Export/Import
Certificates must be saved in d:\hosts\certificates, preferably by name for easy reference, otherwise by site number. If this is not done and certificates need to be regenerated, you have the pain of supporting re-import of certificates by all users. In some cases this isn't easy, e.g. Vista.
- delete any existing certificate
- create certificate for a site in SELFSSL following the normal procedure
- export the certificate to a pfx file (Wizard) USE PASSWORD FOUND IN CERTIFICATES FOLDER
- remove the certificate (Wizard)
- import pfx certificate back (Wizard)
Continue adding sites this way and they should work perfectly fine. Just follow the sequence here for each site being added.
NOTE: The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server since any subsequent SELFCERT seems to destroy all other sites done with SELFCERT that have not been exported/REMOVED/imported.
Re-installing Certificates
Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.
Re-installing Certificates from saved PFX files
Just do the first and last steps of the normal installation procedure.
- delete the existing certificate (IIS->Site->directory security->server certificate wizard)
- import pfx certificate (IIS->Site->directory security->server certificate wizard)
Re-installing Certificates from selfssl
Repeat the usual installation method above without missing the delete stage.
If users have installed certificates in their browsers, they will have to reinstall them to avoid the usual "certificate not trusted/matching" type problems.
Solution for Windows 2008
The solution involves generating the certificate and thereafter saving it. Certificates must be saved in d:\hosts\certificates, preferably by name for easy reference, otherwise by site number. If this is not done and certificates need to be regenerated, you have the pain of supporting re-import of certificates by all users.
- Create certificate for a site in SELFSSL following the normal procedure of Windows 2008
- Export the certificate to a pfx file from IIS Manager > Click on Certificate > Export (use the location stated above - password to be set will be in a txt file in the same folder)
- Remove the certificate from IIS Manager
- Import pfx certificate back from IIS Manager
Note: Importing and exporting certificates in Windows 2008 is just one part of adding certificates to sites; you still need to follow the usual instructions to "bind" the certificate to a particular site.
Re-installing Certificates
Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.