Now that I've got your attention, the astute reader may have noticed that (at the time of writing), this blog is not using TLS. That's because we currently sit on a shared hosting plan on Azure which does not support certificates for custom domains. So there, that's one excuse (which we will be rectifying shortly). But other than that, after reading this post you won't have any excuses.
Update
Thanks to Justin's comment below, even our one excuse was not a good enough reason to not have TLS. You guys really are the best.
Recently I moved an old website that I run in my basement to a fresh Windows Server 2016 VM (cheap plug alert: get free e-books at bookgoldmine.com) and thought it would be a good time to get it a TLS certificate. The official Let's Encrypt client does not run on Windows, so this post covers doing it on Windows Server 2016 specifically.
Why use HTTPS on a website that has no sensitive information?
Bookgoldmine.com, like most other websites, has no sensitive information on it: no logins or anything of the sort. So why bother with a secure connection? Lots of reasons. Confidentiality is only one of the three things TLS gives you; the other two, integrity and authentication of the server, matter just as much for a site full of public e-books. Without them, anything sitting between the visitor and the server (a coffee-shop hotspot, an ISP, a compromised home router) can quietly rewrite the pages, inject ads or scripts, or serve something else entirely under the site's name, and browsers are increasingly warning users about plain-HTTP pages.
The two major roadblocks to TLS, like most things in life, have traditionally been time and money. Obtaining a certificate takes time and requires some skill. Though the price of certificates has been coming down, requiring someone to take out their wallet is a roadblock, particularly for owners of smaller websites.
Let's Encrypt
Let's Encrypt is an open certificate authority (CA) that seeks to rectify both of those problems: it's free, and issuance and renewal are automated. You can't ask for much more than that. Ok, well I can, because for as wonderful a service as they provide, their official client, certbot, does not run on Windows. Luckily, there are a handful of third-party ACME clients that do.
letsencrypt-win-simple
https://github.com/Lone-Coder/letsencrypt-win-simple is a .NET client built around ACMESharp, a library that implements the ACME (Automated Certificate Management Environment) protocol, which is what makes all of this so easy to automate. We really are standing on the shoulders of giants, and I thank all of the people that have built up this fantastic stack.
This tool is so simple to use, I almost feel silly writing the following how-to guide. But I have a quota to fill, so I will. Note that there are plenty of ways to use the tool, but I will be covering the easiest.
- Download the executable to your server. Or build it yourself, you rebel.
- In an elevated command prompt (the tool needs to write to the certificate store and to the IIS configuration), go to the letsencrypt folder you chose in the previous step and run letsencrypt.exe
- The tool lists the host names it finds in your IIS bindings. Either select the host you're interested in, or type A for all hosts
- The tool creates a scheduled task to renew your certificates, which have a rather short shelf life (90 days). You'll be asked if you want to change the user it runs as. I selected "No"
- In Windows Task Scheduler, notice the new task "letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org". Out of the box this task only runs while that user is logged on. I'm never logged on to my server, so this won't work for me; either change it to run as a built-in account such as SYSTEM, or select "Run whether user is logged on or not" and type your password in. If your password changes regularly the latter option is a bad one: the task keeps the old password, fails silently, and the certificate quietly expires 90 days later. Whichever you pick, check the task's last run result after its first scheduled run rather than assuming it worked.
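A check worth running once the task exists, written as an added example for this post rather than anything shipped with letsencrypt-win-simple: the PowerShell below reports how the renewal task is set to log on and whether its last run succeeded, how long the Let's Encrypt certificates in the machine store have left, and which IIS https bindings actually use them. It assumes the task name starts with letsencrypt-win-simple (as above), that the certificates landed in the LocalMachine My or WebHosting store, and that IIS and its WebAdministration module are installed; run it from an elevated PowerShell on the server.

```powershell
# Added example (not part of the post or of letsencrypt-win-simple): a post-install
# health check for the renewal task, the certificates and the IIS https bindings.
# Assumptions: task name starts with "letsencrypt-win-simple", certificates live in
# Cert:\LocalMachine\My or Cert:\LocalMachine\WebHosting, IIS + WebAdministration present.

function Get-RenewalTaskStatus {
    # The tool names its task "letsencrypt-win-simple <ACME server URL>", so match on the prefix.
    $tasks = @(Get-ScheduledTask -TaskName 'letsencrypt-win-simple*' -ErrorAction SilentlyContinue)
    if ($tasks.Count -eq 0) {
        return [pscustomobject]@{ TaskName = '(none)'; Warning = 'No renewal task found; the certificate will not renew.' }
    }
    foreach ($task in $tasks) {
        $info = $task | Get-ScheduledTaskInfo
        $warnings = @()
        # "Interactive" is the out-of-the-box setting the post describes: the task only fires while that user is logged on.
        if ($task.Principal.LogonType -eq 'Interactive') {
            $warnings += "Runs as $($task.Principal.UserId) only while that user is logged on."
        }
        # A task with a stored password ("Password" logon type) breaks silently when the password changes;
        # a failing LastTaskResult or missed runs is how that shows up. 0x41303 only means it has not run yet.
        if ($info.LastTaskResult -ne 0 -and $info.LastTaskResult -ne 0x41303) {
            $warnings += ('Last run failed with 0x{0:X8}.' -f $info.LastTaskResult)
        }
        if ($info.NumberOfMissedRuns -gt 0) {
            $warnings += "$($info.NumberOfMissedRuns) scheduled run(s) were missed."
        }
        [pscustomobject]@{
            TaskName    = $task.TaskName
            RunsAs      = $task.Principal.UserId
            LogonType   = [string]$task.Principal.LogonType
            State       = [string]$task.State
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            Warning     = ($warnings -join ' ')
        }
    }
}

function Get-LetsEncryptCertificateStatus {
    param([int]$WarnDays = 30)  # renewals run well before expiry; under 30 days left means they are failing
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'
    Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like "*Let's Encrypt*" } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            $warning  = if ($daysLeft -lt $WarnDays) { "Only $daysLeft day(s) left; renewal is not happening." } else { '' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Store      = ($_.PSParentPath -replace '.*\\', '')
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Warning    = $warning
            }
        }
}

function Get-HttpsBindingStatus {
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebBinding -Protocol https | ForEach-Object {
        $hash  = $_.certificateHash
        $store = $_.certificateStoreName
        $cert  = if ($hash) { Get-Item -Path "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue }
        $warning = if (-not $hash) { 'No certificate bound.' } elseif (-not $cert) { 'Bound certificate not found in the store.' } else { '' }
        [pscustomobject]@{
            Site       = ($_.ItemXPath -replace ".*@name='([^']+)'.*", '$1')
            Binding    = $_.bindingInformation
            Thumbprint = $hash
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Warning    = $warning
        }
    }
}

Get-RenewalTaskStatus            | Format-List
Get-LetsEncryptCertificateStatus | Format-Table -AutoSize
Get-HttpsBindingStatus           | Format-Table -AutoSize
```

Anything in a Warning column is the thing to fix: an Interactive logon type on a server nobody logs on to, a non-zero last run result after a password change, or a binding whose certificate is about to expire all mean the "automatic" renewal is not actually going to happen.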
Yay! We have https! But users have been going to my little website for 10 years now, so old links and bookmarks will keep sending them to the http:// version and nobody will find the https:// one on their own. We'll want to redirect them. Using the power of Grayskull, er, web.config, we can do this easily. In the <system.webServer> section of the site's web.config, paste the following (do this only once you have confirmed the https binding works; browsers cache a permanent 301 redirect, so a broken one is painful to undo):
<rewrite>
  <rules>
    <!-- Needs the IIS URL Rewrite module; stopProcessing keeps later rules from running on the redirected request -->
    <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)"/>
      <conditions>
        <!-- {HTTPS} is "ON" for requests that arrived over TLS and "OFF" otherwise -->
        <add input="{HTTPS}" pattern="^OFF$"/>
      </conditions>
      <!-- 301 to the same host and path; the query string is appended by default -->
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
    </rule>
  </rules>
</rewrite>
Update
As Seferan pointed out below in the comments, for the above to work you need to have the IIS URL Rewrite module installed; it is a separate download from Microsoft and is not part of a default IIS install. Without it, IIS does not recognise the <rewrite> section and fails every request to the site with a 500.19 configuration error. As always I appreciate the feedback!
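To confirm the rule does what you think from the outside, here is an added PowerShell check; it is not part of the post or of any project mentioned in it. It sends one plain-HTTP request with automatic redirects turned off and expects a 301 whose Location is the same host and path on https://, then makes the HTTPS request and reports the certificate the server actually presented, failing loudly if that certificate does not pass normal chain and name validation. The host name used is the post's own site as a placeholder; substitute your own. Incidentally, the blanket redirect does not break renewal: Let's Encrypt's HTTP-01 validation follows redirects, including to https://, so the challenge file under /.well-known/acme-challenge/ stays reachable.

```powershell
# Added example (not from the post): check the redirect and the served certificate
# from a client's point of view. Host name is a placeholder; replace it with your site.

function Test-HttpsRedirect {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [string]$Path = '/'
    )
    $url = "http://$HostName$Path"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.AllowAutoRedirect = $false   # we want to inspect the 301, not follow it
    # With AllowAutoRedirect off, a 3xx comes back as a normal response; only 4xx/5xx throw.
    $response = $request.GetResponse()
    try {
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
    } finally {
        $response.Close()
    }
    # The rule rewrites to https://{HTTP_HOST}/{R:1}, so the path must survive unchanged.
    $expected = "https://$HostName$Path"
    $note = if ($status -ne 301) {
        "Expected 301, got $status; is the URL Rewrite module installed and the rule inside <system.webServer>?"
    } elseif ($location -ne $expected) {
        "Redirected to '$location' instead of '$expected'."
    } else { '' }
    [pscustomobject]@{
        Url      = $url
        Status   = $status
        Location = $location
        Ok       = ($status -eq 301 -and $location -eq $expected)
        Note     = $note
    }
}

function Get-SiteCertificate {
    param([Parameter(Mandatory)] [string]$HostName)
    $request = [System.Net.HttpWebRequest]::Create("https://$HostName/")
    # GetResponse throws if the certificate fails the client's normal validation, which is itself a useful signal.
    $response = $request.GetResponse()
    $response.Close()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $request.ServicePoint.Certificate
    $san  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } | ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SAN      = $san
    }
}

# Placeholder host name taken from the post; substitute your own site.
Test-HttpsRedirect  -HostName 'bookgoldmine.com'
Test-HttpsRedirect  -HostName 'bookgoldmine.com' -Path '/some/deep/link'
Get-SiteCertificate -HostName 'bookgoldmine.com'
```

The second redirect test matters as much as the first: a rule that sends /some/deep/link to the https:// home page instead of the same path breaks every old link you were trying to preserve.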
And that's all there is to it. So what are you waiting for, secure that website!