Setting up HTTPS: Difference between revisions

From NEOSYS Technical Support Wiki
Line 34: Line 34:




== Creating a single HTTPS web site on nl1 ==
== Creating a single HTTPS web site on nl1/nl1b ==


=== Creating a site in IIS ===
=== Creating a site in IIS ===


In order to run on the same port number, IIS sites need either unique ip numbers (set in tcp/http *and* ssh/https settings) or different host header values.
Each client hosted on nl1/nl1b uses the same IP address, but unique https port numbers starting from 4431 onwards. Similarly tcp/https also needs to be configured with unique port numbers starting from 8123 onwards. An updated list of the port numbers in use is updated in the GDocs file "nl1/nl1b port numbers".


Therefore either the ip number has to be one of the available ones provided to neosys by leaseweb etc. or the host header value must be set to '''clientname'''.hosts.neosys.com.
==== Creating a site in IIS in Windows 2003 (nl1) ====


The port number for tcp/http should be the neosys standard arbitrary port of 8123, not port 80 in order to prevent access via standard http. We could use various almost arbitrary ports for http since they are going to blocked by tcp/ip filtering or a firewall but it is better to know that port 8123 is the only one since IIS insists on having some port open for http.
The https options are only available after running selfssl (see below).
 
The https options are only available after running selfssl (see below) at least once on the server.


[[Image:httpadvancedwebsitesetup.png]]
[[Image:httpadvancedwebsitesetup.png]]


=== Install ssl/https on the site. ===
==== Creating a site in IIS in Windows 2008 (nl1b) ====
 
install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys nl1 download folder) only the ssl utility is needed.
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
 
then
 
[[Image:SelfSSL.png]]
 
C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:'''''866651215''''' /p:4430 /n:CN='''''clientname'''''.hosts.neosys.com
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 866651215 (Y/N)?y
The self signed certificate was successfully assigned to site 866651215.
 
/v:9999 means valid for 9999 days
/s:'''''866651215''''' is the site number in this case  (site number is shown in IIS management screen)
/p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
/n:CN='''''clientname'''''.hosts.neosys.com indicates the full domain name of the site
 
You probably made a mistake in the site number if you get the following message.


Error opening site metabase key: 0x80070003
Follow the procedures as explained in "Creating a single HTTPS web site on Windows 2008"


=== Testing access to the new https web site. ===
=== Testing access to the new https web site. ===
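
Review bot: The Windows 2003 (nl1) section keeps the line "The https options are only available after running selfssl (see below)", but the lines that appear only in this diff and not in the revision below show that the nl1 selfssl command and the explanation of /v, /s, /p and /n it pointed to are dropped, together with the hint that "Error opening site metabase key: 0x80070003" usually means a wrong site number. Keep that block under the Windows 2003 heading, or point "see below" at the section that still carries a selfssl command. The new port paragraph also reads "tcp/https ... starting from 8123" where the removed text put tcp/http on 8123, so confirm which protocol is meant, and the removed reason for avoiding port 80 (preventing access via standard http) is worth carrying over.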

Revision as of 06:28, 16 November 2011

Creating a single HTTPS web site on Windows 2008

Install selfssl.exe from the Microsoft site (iis60rkt.exe is available in the neosys nl1 download folder). Only the SSL utility is needed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

However please note that the command is different from the usual one:


C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?y
Error opening metabase: 0x80040154
C:\Program Files\IIS Resources\SelfSSL>

Ignore the error.

Next go to the IIS Manager and make sure the certificate was created and stored. Note that creating a certificate does not make it automatically bind to the website.


Once you have made sure it is created, click on Sites > Default Website and in the right pane select Bindings:


In the Bindings section, click on Add and select https, All Unassigned IP addresses and port 4430, then select the certificate from the drop-down and click on OK:


Then test the site from explorer to make sure it works.


Creating a single HTTPS web site on nl1/nl1b

Creating a site in IIS

Each client hosted on nl1/nl1b uses the same IP address but a unique https port number, starting from 4431 onwards. Similarly, tcp/https also needs to be configured with unique port numbers starting from 8123 onwards. An up-to-date list of the port numbers in use is kept in the GDocs file "nl1/nl1b port numbers".

Creating a site in IIS in Windows 2003 (nl1)

The https options are only available after running selfssl (see below).


Creating a site in IIS in Windows 2008 (nl1b)

Follow the procedures as explained in "Creating a single HTTPS web site on Windows 2008"

Testing access to the new https web site.

Make a subdomain clientname.hosts.neosys.com

https://clientname.hosts.neosys.com:4430/neosys

If you get a certificate error:

  1. check that the selfssl /n:CN=clientname.hosts.neosys.com value matches the domain name used in IE
  2. install the certificate into the client computer (double click the padlock, view certificates etc)

Closing all Internet Explorer versions and restarting is necessary for installed certificates to become effective.
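
An added example, not part of the original wiki page: a small Python check that compares a SelfSSL command line with the URL users will open, covering step 1 above and the unique-port rule for nl1/nl1b. The function names, the finding codes and the 2048-bit key-size floor are assumptions of this example; the two commands and the URL are the ones shown on this page.

```python
import re
from urllib.parse import urlsplit

# SelfSSL switches look like /p:4430 or /N:CN=host; switch letters are case-insensitive.
SWITCH = re.compile(r"(?:^|\s)/([A-Za-z]):(\S+)")
MIN_RSA_BITS = 2048  # assumption of this example, not a value from the wiki page


def parse_selfssl(cmdline):
    """Return the switches of a SelfSSL command as {'p': '4430', 'n': 'CN=...'}."""
    return {name.lower(): value for name, value in SWITCH.findall(cmdline)}


def audit(cmdline, url, ports_in_use=()):
    """Compare a SelfSSL command with the URL users open; return (code, detail) findings."""
    opts, target, findings = parse_selfssl(cmdline), urlsplit(url), []
    host = (target.hostname or "").lower()
    url_port = target.port or 443  # https default when the URL names no port

    subject = opts.get("n", "")
    cn = subject[3:] if subject.upper().startswith("CN=") else subject
    if cn.lower() != host:
        findings.append(("cn-mismatch", f"certificate CN {cn!r} vs URL host {host!r}"))

    if "p" in opts:
        port = int(opts["p"])
        if port != url_port:
            findings.append(("port-mismatch", f"/p:{port} vs URL port {url_port}"))
        if port in ports_in_use:
            findings.append(("port-in-use", f"port {port} already belongs to another site"))

    if "k" in opts and int(opts["k"]) < MIN_RSA_BITS:
        findings.append(("weak-key", f"/k:{opts['k']} is below {MIN_RSA_BITS} bits"))
    return findings


# Inputs taken from this page: its two SelfSSL commands and its test URL.
URL = "https://clientname.hosts.neosys.com:4430/neosys"
NL1_CMD = "selfssl /v:9999 /s:866651215 /p:4430 /n:CN=clientname.hosts.neosys.com"
W2008_CMD = "selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999"

if __name__ == "__main__":
    for cmd in (NL1_CMD, W2008_CMD):
        print(cmd, "->", audit(cmd, URL) or "consistent")
```

Pass the ports already recorded in the port list as `ports_in_use` to catch a clash before binding a new site.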

Creating multiple HTTPS web sites

Bugs

SelfSSL allows only one website to have SSL at a time

The IIS Diagnostics Toolkit has a fixed SelfSSL but doesn't allow full control: http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Solution

Use selfssl as follows:

"Wizard" in the following means IIS, Web Sites, (website), properties, directory security, server certificate, next, Renew/Remove/Export/Import

Certificates must be saved in d:\hosts\certificates, preferably by name for easy reference, otherwise by site number. If this is not done and certificates need to be regenerated, you have the pain of supporting re-import of certificates by all users. In some cases this isn't easy, e.g. Vista.

  1. delete any existing certificate
  2. create certificate for a site in SELFSSL following the normal procedure
  3. export the certificate to a pfx file (Wizard) USE PASSWORD FOUND IN CERTIFICATES FOLDER
  4. remove the certificate (Wizard)
  5. import pfx certificate back (Wizard) USE PASSWORD FOUND IN CERTIFICATES FOLDER

Continue adding sites this way and they should work perfectly fine. Just follow the sequence here for each site being added.

NOTE: The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server since any subsequent SELFCERT seems to destroy all other sites done with SELFCERT that have not been exported/REMOVED/imported.

Re-installing Certificates

Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.

Re-installing Certificates from saved PFX files

Just do the first and last steps of the normal installation procedure.

  1. delete the existing certificate (IIS->Site->directory security->server certificate wizard)
  2. import pfx certificate (IIS->Site->directory security->server certificate wizard)

Re-installing Certificates from selfssl

Repeat the usual installation method above without missing the delete stage.

If users have installed certificates in their browsers then they will have to reinstall them to avoid the usual "certificate not trusted/matching" type problems.