Question

Chris Go

Letsencrypt SSL Certificate

Hi,

Been trying to get the Letsencrypt windows client to work inside RockRMS.  Thanks to Jay Greentree, I have 2 options but they both exhibit the same error which is the routing inside RockRMS for "static" files.

The 2 tools that I have tried to use:

So the whole concept of Letsencrypt is a semi-automated CA (no manual generation of CSRs, etc.) and the key to this is verifying that you actually own the domain and the way the "clients" do that is to place a text file (no extension) that the Letsencrypt servers can reach from the internet.  If it cannot pull up this file, the ownership of the domain fails, thus no certificate is issued.

So here is the basic process

  • Rock is installed at this URL: http://rock.domain.com (on "root", no sub-directories)
  • Note: http://rock.domain.com is a placeholder :)
  • Run the client (either Plesk extension or Command line from above)
  • It will ask you for the domain name and document root (or web root), hopefully this is set up properly in IIS and RockRMS
  • My docroot is c:\Inetpub\vhosts\vserver435.3essentials.com\httpdocs (using 3essentials.com for hosting)
  • The client will then place a file in c:\Inetpub\vhosts\vserver435.3essentials.com\httpdocs\.well-known\acme-challenge\abcd1234 (note the "abcd1234" is a random string of characters approx 32 characters long).  The file is a text file that contains the same text as the filename
  • This is all automated so there is no stopping the process (or manipulating names, etc.) once it starts 
  • With RockRMS installed on c:\Inetpub\vhosts\vserver435.3essentials.com\httpdocs, the web.config file basically takes over the routing and any hit to the URL (http://rock.domain.com/.well-known/acme-challenge/abcd1234) returns a 404
  • I have been trying to play around with the web.config per the information here: https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/web.config to no avail.  The changes in web.config are basically trying to tell IIS to just return the file as a static file 
  • I have been also trying to copy the Rock web.config <location path="Content"> section also to no avail

Specifically, here is the error

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. rock.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://rock.domain.com/.well-known/acme-challenge/Agg4gJvEiLLl1bfQ5ui_D6y5b72A280U6AP6eyvKZqY

Questions

  • Has anybody attempted this?  
  • How do you get rock to "ignore" the ".well-known/****" folder and just return it as plain text?
  • Not sure how to force all HTTP traffic to go to HTTPS in IIS (that will be a problem for later)

Thank you for any help or any other things I can try to get this to work


Security
  • Chris Go

    Gave up on this for now, just went to Namecheap for their $9/year Comodo basic SSL certificate.  

    To force all HTTP traffic to go to HTTPS, this works https://kb.plesk.com/en/112135

    Edit web.config

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="http to https" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="^OFF$" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Temporary" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
  • Jim Michael

    There's got to be a way to do this in your current server (like you're trying to do) but I don't know what the secret is, so here's a crazy idea:  you could do the "brute force" method and just temporarily remove the IIS binding of rock.domain.com from your real rock server and quickly add another web site with a binding for rock.domain.com (should take all of a minute) and place the file there.

    The idea here is to just get a server you're in control of at your domain to serve up the file and thus validate you own the domain. I don't know much about LetsEncrypt but this assumes this is a one-time process and doesn't need to be performed again every 90 days when a new cert is issued. If that's not the case then this idea wouldn't be worth the trouble.
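Putting the two halves of this thread together, as an added example that is not from the posters above or from the Rock project: a web.config that serves the .well-known folder as plain static text without ASP.NET routing (the 404 in the question) and redirects everything else to HTTPS (the rule in Chris Go's reply), while leaving the challenge path reachable over plain HTTP so the 90-day renewals keep working. It assumes the standard IIS module and handler names (UrlRoutingModule-4.0, StaticFileModule) and that the host permits overriding the handlers and modules sections at site level; it has not been verified against a Rock install.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- Challenge files live under .well-known/acme-challenge and have no extension.
       Assumption: module/handler names below are the stock IIS 7.5+ names. -->
  <location path=".well-known">
    <system.webServer>
      <staticContent>
        <!-- IIS will not serve extensionless files without a MIME mapping -->
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
      <handlers>
        <!-- Only the static file handler answers under this path -->
        <clear />
        <add name="AcmeStaticFile" path="*" verb="GET,HEAD"
             modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
      </handlers>
      <modules>
        <!-- Keep managed URL routing (the source of Rock's 404) off this path -->
        <remove name="UrlRoutingModule-4.0" />
      </modules>
    </system.webServer>
  </location>

  <system.webServer>
    <rewrite>
      <rules>
        <rule name="http to https" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- Do not redirect the ACME challenge itself -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A quick check after saving is to create a test file with no extension in .well-known\acme-challenge and fetch it over plain HTTP from outside the network; a 200 with the file body (not a Rock 404 page and not a redirect) is what the Let's Encrypt validator needs to see.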