Using SSL Certificates in Server Core - abcsoftware/abc-docs GitHub Wiki

Version 17

You can visit https://localhost/_debug/caddy on the server for various debugging information about Caddy.

Here is a site that can be used to check the status of a port. https://www.yougetsignal.com/tools/open-ports/

Publicly Accessible

  1. Forward ports 80 and 443 in your router to the ABC Server.
  2. Implement a domain name for the WAN address. An example is abc."businessname".com. The same name needs to work for internal access to the ABC Server.
  3. In the Caddy section of appconfig.json set Public to true and Email to the sysadmin of the company. Example:
  "Caddy": {
    "Public": true,
    "Email": "[email protected]"
  }
  1. If the company was accessed prior to setting public to true, you may need to delete the caddy\certificates\local\{domainName} directory.
  2. Create a rule in the firewall allowing caddy_windows_abc.exe to run.
  3. Make sure the legacy server(s) are using the https and domain name for the Web Server URI.

LAN Access Only

  1. If company public URLs and network DNS records are configured correctly, the server should "just work" out of the box. Caddy will generate a self-signed certificate on the fly.
  2. Copy the caddy\pki\authorities\local\root.crt to each client machine and double click it to import it into User (or local machine) > Trusted Root Certification Authorities.
    • You can also download the root certificate from the _debug/caddy. You will have to first bypass the security warning to be able to access the page. After trusting the certificate, browsers seem to cache stuff and it won't show trusted right away, a hard refresh, restart the browser or passage of time may be necessary.

Full Caddy Configuration in appconfig.json

  "Caddy": {
    "Debug": false,
    "Enabled": true,
    "Public": false,
    "Email": "",
    "Server": {
      "Port": 5017,
      "Host": "localhost"
    },
    "Import": "Caddyfile_custom"
  },

A server restart is NOT required after saving changes to the appconfig.json.

  • Debug will enable Caddy's debug logging. Can be useful for figuring out why certificates are issued, etc.
  • Enabled can be set to false if we aren't using Caddy at all. An example of this may be when a different reverse proxy is taking care of SSL.
  • Public controls if Caddy uses self signed certificates or gets certificates from a trusted certificate authority.
  • Email is the LetsEncrypt account that the certificate is for.
  • Server settings are primarily useful for development.
  • Import will add an import line to the auto-generated caddy file. The value is either the full path to the file or the name of the file in the caddy directory. If this is not a valid Caddyfile, caddy will not start. The use case for this would be if we wanted to use the ABC Caddy instance to reverse proxy to another service in addition to ABC.

Version 16

Using Caddy - 16.7.154 and newer

  1. Forward ports 80 and 443 in your router to the ABC Server.
  2. Implement a domain name for the WAN address. An example is abc."businessname".com. The same name needs to work for internal access to the ABC Server.
  3. Browse to the C:\ABC Software\Server Core 16\caddy folder.
  4. Run the createservice.bat as an administrator. Then open the caddy service in service and check the properties to make sure it is running in this same folder. If it is running in another folder you can edit the createservice.bat file to create the service in this folder.
  5. Copy the caddyfile_template and rename the copy as just caddyfile(no .txt after it).
  6. Open the caddyfile and change the abc.companyname.com to your domain name. Save and close the file.
  7. Create a rule in the firewall allowing caddy.exe to run.
  8. Restart the caddy service.
  9. Edit the legacy server(s) to use the https and domain name for the Web Server URI.
  10. If port 80 or port 443 is being used by another program use this command line to find which program it is: netstat -aon|findstr "80"

Using a Self Signed Certificate

  1. Open PowerShell as Administrator
  2. Run $cert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName <your-dns-name> -NotAfter (Get-Date).AddYears(25) to create the certificate and add it to your local certificate store. Additional DNS names can be added using commas as delimiters. You can view it by clicking "Start" and opening "Manage Computer Certificates". It will be listed under Certificates - Local Computer > Personal > Certificates.
  3. Export your new certificate by running Export-PfxCertificate -cert ('cert:\localmachine\my\' + $cert.Thumbprint) -FilePath "C:\ABC Software\ABC Server Core 16\cert.pfx" -Password (ConvertTo-SecureString '<your-password>' -Force -AsPlainText). You may skip the -Password... portion if you prefer.
  4. Add/Update your appconfig.json Kestrel server block.
  5. Copy the cert.pfx to each client machine and double click it to import it into User (or local machine) > Trusted Root Certification Authorities.

Using Origin Certificate from CloudFlare.

  1. Go to your CloudFlare dashboard and get the certificate and private key text blocks and save them into .key and .crt files.
  2. Use OpenSSL to convert the files to a pfx file: openssl pkcs12 -export -out <your_new_file_name>.pfx -inkey <private_key_of_your_existing_certificate>.key -in <your_existing_certificate_file>.crt
  3. Add/Update your appconfig.json Kestrel server block.

appconfig.json

"Kestrel": {
    "Endpoints": {
        "Https": {
            "Url": "https://<your-dns-name>"
            "Certificate": {
                "Path": "C:\\ABC Software\\ABC Server Core 16\\cert.pfx",
                "Password": "<the password you specified>"
            }
        }
    }
}

Using Let's Encrypt - Not Applicable Anymore

Let's Encrypt is a nonprofit Certificate Authority providing TLS certificates to millions of websites for free. Server.Core supports auto configuring and renewing SSL certificates from Let's Encrypt. To enable this:

  1. Forward ports 80 and 443 in your router to the ABC Server. Here is a site that can be used to check the status of a port. https://www.yougetsignal.com/tools/open-ports/
  2. Implement a domain name for the WAN address. An example is abc."businessname".com. The same name needs to work for internal access to the ABC Server.
  3. Copy the LettuceEncrypt section of the appsettings.json file into appconfig.json and add your DNS name to the DomainNames array.
  4. Add email address. (as shown in the file snippet below)
  5. Enable the https endpoint in the Kestrel section. (as shown in the file snippet below)
  6. Edit the legacy server(s) to use the https and domain name for the Web Server URI.
  7. Restart the Server.Core service.

appconfig.json

{
  "ConnectionStrings": { 
    "DefaultConnection": "Server=localhost;Port=4012;Database=abcserver.core_v16.5;User Id=postgres;Password=123456;"
  },
  "Kestrel": {
    "KnownProxies": [
       "127.0.0.1"
    ],
    "Endpoints": {
      "Https": {
        "Url": "https://abc.abc.dev"
      },
      "Http": {
        "Url": "http://abc.abc.dev"
      }
    }
  },
  "LettuceEncrypt": {
  // Set this to automatically accept the terms of service of your certificate authority.
  // If you don't set this in config, you will need to press "y" whenever the application starts
  "AcceptTermsOfService": true,
  // You must at least one domain name
  "DomainNames": ["abc.abc.dev"],
  // You must specify an email address to register with the certificate authority
  "EmailAddress": "[email protected]",
    "CertificateLocation": "C:\\ABC Software\\certificates",
    "CertificatePassword": "xQT9iVMOhUPM5BjOf16d5RLk13Dyb7"
  }
}