Moving to SSL / HTTPS

Recently I walked the talk and moved my personal site to HTTPS.

Although I have already moved, redirected and configured many, many web front ends to use SSL, I hadn’t got around to implementing this on my own websites. In comparison, my site is not a transactional site and does no registration; I only use it as my portfolio site and as a live test environment where I can experiment, learn, validate and do pretty much everything without any impact on anyone but me.

There are a lot of articles out there regarding the pros and cons of having a site over HTTPS. Basically, from what I am reading now, it has an additional cost and additional load, but it has to be done.

And thanks to modern tech, the move is fairly easy:

  1. Choose your CA – validation and order.
  2. Create a CSR – using a tool or MMC / Inetmgr.
  3. Install the PFX on your website – Azure Website Basic tier and above.
  4. Auto redirection – using IIS URL Rewrite rules (Azure), with a demo of TFS Online 🙂

So here’s my contribution to the secure modern web! Happy SSL!

So this exercise got me thinking: we are really in the age of the cloud service already. From requesting certificates to installation, scaling my application and even a source-code rebuild-test-deploy scenario, I haven’t touched a single MMC or any server directly. The old concepts are still there, from Web Deploy complaining about a file being in use to using IIS Manager to request a CSR and complete the certificate request, but in a modern way. The difference is that I used to do MSTSC, but now I am talking to the web browser. This could have taken days or even weeks, not to mention the misconfiguration from my end, but now I am up and running “as I wish”. Hmm. 🙂

Moving to SSL / HTTPS - PART 4

“We deprecated the hosted XAML build controller on July 1st 2017. We recommend that you migrate to our new build system. However if you still need to run XAML builds during the migration then you must set up a private XAML build controller now”.

Yes yes. I forgot to upgrade. Let’s move on.

So in order to publish, we just need to log in to our visualstudio.com account and go to the project that we need to publish.

There is a tab called Build and Release, and in there there should be an Azure Web App template.

Once applied, you first need to choose which solution to build and deploy, kinda like WEBDEPLOY before.

Then we need to link our Azure account and choose which App Service to deploy to.

The link happens when you authorize Visual Studio by logging in to your Azure account. Note that this is a pop-up.

Then click Refresh if you don’t see your App Service in the drop-down.

Then voila, you can now save, or save and queue a deployment right away.

This should queue up and warm up an available agent again, like WEBDEPLOY before.

Once the agent fires up the deployment, you will notice that the scripting engine and console are shown, and you can follow the progress there.

Aha! You are still using WEBDEPLOY! Long live web deploy!

NOOOOOOO! Okay, New Relic is giving me a bump. Like the old WEBDEPLOY: a file is in use, so you can’t overwrite it and your deployment task will fail.

As I remember, it’s just as easy as adding this to the publish profile:

<EnableMSDeployAppOffline>true</EnableMSDeployAppOffline>

Or we could just as easily do a slot deployment and swap slots afterwards. I just remembered that I am on the B1 tier in Azure. There is no slot deployment for that! Great.

I remembered: this is my PERSONAL site, no one visits it or uses it. Let’s just stop the site.

So let’s do this: let’s insert two deployment tasks in the build definition, one to stop and one to start, effectively a sandwich before and after the deployment. So add an Azure App Service Manager task.

The first one stops the App Service. You know which subscription and App Service to stop.

After the Azure App Service Deployment task, we should start the service again.

Let’s try it out: save the build definition and queue a build!
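
The same stop / deploy / start sandwich can be done from Azure PowerShell. This is an added example, not code from the original post or the build definition above; it assumes the Az module is installed and signed in, and the resource group name, app name and zip path are made-up placeholders. The point it adds is the try/finally: the site gets started again even when the deployment step throws, which a plain "stop, deploy, start" sequence of tasks does not guarantee.

```powershell
# Added example (not from the original post): stop the App Service, deploy, start it
# again, with the start guaranteed even if the deployment fails.
# Assumptions: Az.Websites module loaded and Connect-AzAccount already done;
# 'my-rg', 'my-site' and '.\site.zip' are placeholders.
function Invoke-DeployWithStopStart {
    param(
        [Parameter(Mandatory)] [string]      $ResourceGroupName,
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Deploy
    )

    # Stop first so no worker process holds the files Web Deploy wants to replace
    Stop-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name | Out-Null
    try {
        & $Deploy
    }
    finally {
        # Runs whether the deployment succeeded or threw, so a failed build
        # never leaves the site stopped
        Start-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name | Out-Null
    }
}

Invoke-DeployWithStopStart -ResourceGroupName 'my-rg' -Name 'my-site' -Deploy {
    # Zip deploy of the build output (placeholder path)
    Publish-AzWebApp -ResourceGroupName 'my-rg' -Name 'my-site' -ArchivePath '.\site.zip' -Force
}
```

In the build definition the equivalent of the finally block is the control option on the Start task that runs it even if a previous task has failed; without it a failed deployment leaves the site stopped until someone notices.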

Aha! Stop worked!

Publishing... Yes!

Build says it’s okay and was deployed successfully.

This got me thinking: we are really in the cloud already. From requesting certificates to installation, scaling my application and even a source-code rebuild-test-deploy, I haven’t touched a single MMC or any server directly.

Moving to SSL / HTTPS - PART 3

Azure Websites Basic Pricing Tier (SSL Support)

So you now have an SSL certificate? Let’s install it on your Azure Website. I distinctly remember that in order to have a custom domain (without the .azurewebsites.net), you have to be on at least the D1 Shared instance, which is where I am right now.

So from D1 Shared, I upgraded to B1.

Once upgraded, you can now go to the SSL settings. You can search for it through the web app settings, and in there click Upload Certificate.

Now remember the PFX file that we created in the earlier part? Use that, together with the password that we set when we exported the PFX.

Still within SSL settings, we now have to bind the uploaded certificate to the domain that we want to secure. Click SSL Bindings.

Choose SNI SSL after selecting the hostname and certificate name combination. Then click Add Binding.

So that’s it: in just 3 easy steps we already have a working SSL certificate bound to our site.

Now to check, let’s go to https://www.johndelizo.com/ using Chrome and IE.

Valid certificate! Sweet!

But our old HTTP-only site is still active, so we need to automatically redirect visitors from HTTP to HTTPS. URL Rewrite should do this. Let’s edit web.config!

So my TFS Online is linked to my Azure Websites. I already had a redirect rule before, so this should be a fairly easy web.config change: build, deploy.
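
Here is what that web.config change looks like, as an added example that is not from the original post. The PowerShell function below writes the HTTP to HTTPS rule in the IIS URL Rewrite schema into a web.config and, more usefully for a build step, first checks whether the rule is already there so it is not duplicated on every build. The web.config path and the rule name are assumptions.

```powershell
# Added example (not from the original post): add an HTTP -> HTTPS redirect rule
# (IIS URL Rewrite schema) to a web.config, skipping it if it is already present.
# Assumptions: the web.config path and the rule name below.
function Add-HttpsRedirectRule {
    param(
        [string] $WebConfigPath = '.\web.config',
        [string] $RuleName      = 'Redirect to HTTPS'
    )

    if (-not (Test-Path $WebConfigPath)) {
        # Minimal file so the function also works on a project without a web.config yet
        Set-Content -Path $WebConfigPath -Value '<?xml version="1.0" encoding="utf-8"?><configuration></configuration>'
    }

    [xml] $config = Get-Content -Path $WebConfigPath -Raw
    $root = $config.DocumentElement

    # Walk (or create) configuration/system.webServer/rewrite/rules
    $rules = $root
    foreach ($elementName in 'system.webServer', 'rewrite', 'rules') {
        $child = $rules.SelectSingleNode($elementName)
        if (-not $child) { $child = $rules.AppendChild($config.CreateElement($elementName)) }
        $rules = $child
    }

    # Idempotency check: adding a second copy of the rule on every build is a common mistake
    if ($rules.SelectSingleNode("rule[@name='$RuleName']")) {
        return "Rule '$RuleName' already present in $WebConfigPath"
    }

    # The rule itself. {HTTPS} is 'off' for plain HTTP requests; {HTTP_HOST} keeps the
    # hostname the visitor used, so one rule serves every SNI binding on the site.
    # Permanent (301) is what the live site wants; use Found (302) while still testing.
    $ruleXml = @"
<rule name="$RuleName" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
"@
    $fragment = $config.CreateDocumentFragment()
    $fragment.InnerXml = $ruleXml
    $rules.AppendChild($fragment) | Out-Null

    $config.Save((Resolve-Path $WebConfigPath).Path)
    return "Added rule '$RuleName' to $WebConfigPath"
}

Add-HttpsRedirectRule
```

Azure App Service ships with the URL Rewrite module, so nothing needs installing for the rule to take effect. The redirect itself still travels over plain HTTP, so once the site is HTTPS-only, a Strict-Transport-Security response header is the usual next step.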

Oh no. I got a message: “We deprecated the hosted XAML build controller on July 1st 2017. We recommend that you migrate to our new build system. However if you still need to run XAML builds during the migration then you must set up a private XAML build controller now”.

I can’t believe I never got around to updating my own build! Okay, no time to waste; let’s just create a new build definition. Stay tuned for part 4.

Moving to SSL / HTTPS - PART 2

In this Part 2 we are going to get our CER and PFX to be used for Azure.

Create Certificate Signing Request

There is a tool available through the DigiCert website, or you can do it manually over IIS. Since my target is to install this in Azure, I chose to use the tool they provided.

Let’s use a Windows PC. I will not have IIS Manager access to my Azure Website, so we need to generate the certificate locally and then install it.

Download the tool, extract it and run it.

Click the SSL Certificate tab and click Create CSR.

This reminds me of the IIS Manager Create Certificate Request action, but it should be straightforward. Click SSL and then make sure that your info is correct. Then click Generate.

Then copy the result to Notepad, or just the clipboard can be enough.

Log back in to your DigiCert account and click the status of your order. There should be a Pending CSR there.

This opens up a pane and you can paste the CSR here.

I chose IIS 10 and then clicked Continue.

Then voila, CSR completed. This will then trigger an email with your .CER attached.

Unzip this to get the .CER and some instructions.

Go back to the DigiCert certificate tool and then import the CER. You need to get the PFX out of this CER: the tool pairs it with the private key it generated alongside the CSR, which is why this has to be done on the same PC.

Once you click Next, just enter your friendly name and then Finish. It should show in the utility.

Like this:

Now let’s export the PFX: just highlight the certificate and then click Export.

Export the private key, choose PFX and include the whole certificate path if possible. Click Next.

Yes, like the MMC, you need to provide a password, since you are exporting the private key as well.

Then save the PFX file to a location where you can pick it up to install in Azure.

You can now close this tool. Thanks DigiCert!
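
For anyone who would rather script the whole CSR, CER, PFX and Azure binding flow of Part 2 and Part 3 than click through it, here is an added example that is not from the original post and not DigiCert’s or Microsoft’s code. It swaps the DigiCert utility for Windows’ built-in certreq.exe and the portal for Azure PowerShell (Az.Websites); the hostname, the second SAN, the working folder, the resource group and the app name are all assumed placeholders, and the CA step in the middle is still done on the CA’s website.

```powershell
# Added example (not from the original post): CSR -> CER -> PFX -> Azure SNI binding
# with certreq.exe and Az.Websites instead of the DigiCert tool and the portal.
# Assumptions: www.example.com / example.com, C:\certs, 'my-rg' and 'my-site' are
# placeholders; Az.Websites is loaded and Connect-AzAccount has been run.
$hostName = 'www.example.com'
$workDir  = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. CSR. Exportable = TRUE is required or the PFX export below fails; the SAN
#    extension (2.5.29.17) lists every name the certificate must cover.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
_continue_ = "dns=example.com"
"@
Set-Content -Path "$workDir\request.inf" -Value $inf
certreq.exe -new "$workDir\request.inf" "$workDir\request.csr"
# Paste request.csr into the CA's pending order, as in Part 2. The private key
# stays in this machine's certificate store, so every step below must run here too.

# 2. Accept the issued certificate (assumed saved as site.cer); this pairs the
#    CER with the private key created in step 1.
certreq.exe -accept "$workDir\site.cer"

# 3. Export the PFX (certificate + private key), password protected
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "$workDir\site.pfx" -Password $pfxPassword | Out-Null

# 4. Upload and bind in Azure as SNI SSL (Basic tier or above, as in Part 3)
$plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
New-AzWebAppSSLBinding -ResourceGroupName 'my-rg' -WebAppName 'my-site' -Name $hostName `
    -CertificateFilePath "$workDir\site.pfx" -CertificatePassword $plain -SslState SniEnabled

# 5. Check: the hostname must now serve exactly the certificate we bound
$tcp = [System.Net.Sockets.TcpClient]::new($hostName, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
$ssl.AuthenticateAsClient($hostName)        # sends SNI; throws if the chain does not validate
$servedThumbprint = $ssl.RemoteCertificate.GetCertHashString()
$ssl.Dispose(); $tcp.Dispose()
if ($servedThumbprint -ne $cert.Thumbprint) {
    throw "Served certificate $servedThumbprint is not the one we bound ($($cert.Thumbprint))"
}
"OK: $hostName serves $servedThumbprint"
```

The final thumbprint comparison is the scripted version of the “valid certificate, sweet!” browser check in Part 3, and it also catches the case where the binding silently landed on the wrong hostname or an older certificate.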

Moving to SSL / HTTPS - PART 1

Certificate Authority

For my CA I got DigiCert (https://www.digicert.com) through the MVP program and got a SAN certificate that can be used on multiple domains.

A free alternative would be Let’s Encrypt (https://letsencrypt.org/); however, you may need to use an Azure site extension for this.

I got started with DigiCert by signing up and then doing the verifications. For me, I was asked for only two requirements:

  • A currently active government-issued photo ID (I suggest you don’t black out the address) that has your name, address and expiration date.
  • Proof that you have control or ownership of the domain. They will send a link to your postmaster emails, so be sure to check that these are active:

admin@<YOURDOMAIN.COM>
administrator@<YOURDOMAIN.COM>
webmaster@<YOURDOMAIN.COM>
hostmaster@<YOURDOMAIN.COM>
postmaster@<YOURDOMAIN.COM>

I must mention that they have phenomenal customer service and will follow up through phone and email on your certificate order and help you with the requirements.

After the verification they will send you emails confirming it. I got a personal email from an engineer and the automated email. Mine took just a few hours after I completed the requirements, and I was able to continue with creating a CSR.

How to apply a license on SCOM 2016 (fwlink 74446)

Today I had a chance to revisit my SCOM lab. But after booting everything, I noticed that even though all services were running, including SQL and SCOM, the Ops Manager console threw an error on connecting.

TL;DR: My trial license had expired. Use PowerShell to apply the license:

  • Import-Module OperationsManager
  • Set-SCOMLicense -ProductId "<YOUR PRODUCT KEY>"
  • Restart-Service OMSDK
  • New-SCOMManagementGroupConnection
  • Get-SCOMManagementGroup | Format-List -Property SkuForProduct, SkuForLicense, Version, Name, TimeOfExpiration

Long story: so will I reinstall today? Normal troubleshooting after seeing the error: restarting the services, including SQL Server, and nope, no joy there.

Going back to the console, thankfully there is a stack trace. So let’s read through the errors: mostly an access denied exception, but ex.Message.ToString() was in there too. So we have hope here.

It seems that there was an access denied exception, but the inner message says “You have exceeded the evaluation period of this product. Please upgrade to the retail version to continue using the product”. Aha! I followed the link, and it seems that it only redirects to a generic product page. Still no joy.

There are a few TechNet and Support articles out there, but there’s one problem: the license IS expired already.

https://support.microsoft.com/en-ph/help/2699998/how-to-add-a-product-key-to-the-eval-version-of-system-center-2012-ope

https://technet.microsoft.com/en-us/library/hh966734(v=sc.12).aspx

Problem is we can’t connect to the management group because, yes, we have an exception. Yikes.

I think the article is a little off, since applying a SCOM license is done through registry access, so it shouldn’t require any connection.

So first, run PowerShell as an administrator on the server where SCOM is installed.

Apply the retail license key that you have (see the TL;DR section for copy-paste PS> commands).

Also remember to restart the System Center Data Access Service after applying the license. Included in the TL;DR.

Try out the new connection, poke the management group and get the license details.

Then try to connect using the console. Yes, it’s working, but my apps are not.

So there you go, and I’m back to my DevOps management group. I’m trying out the new MP for .NET APM with Application Insights. This is going to be fun. Well, after we fix DB01. Should blog about it later.

Philippines Community Leaders Meetup with Microsoft MVP’s

So I had a chance to attend this meetup hosted at Fairmont hotel last December 6.

Got to meet new faces and met some older (much older) ones. It’s an exciting time to work with these fellow leaders, especially on the OSS community here in the Philippines.

So thanks to Microsoft PH DX and our South East Asia lead for inviting us and meeting us at the event. Hope you guys can fly back here; see you soon!

Side by Side comparison of Windows Server 2016 Installation Memory Utilization (Hyper-V)

So I have 3 freshly installed Windows Server virtual machines with nothing installed but the base operating system. These are running on Windows 10 Enterprise with Hyper-V.

  1. Windows Server 2012 R2 (GUI)
  2. Windows Server 2016 (GUI)
  3. Windows Server 2016 (Core)

These virtual machines are on a strict memory diet 🙂 I have configured all three to have 32 MB of available RAM, but with dynamic memory.

With no user logged-in and with only default services running, here are the results:

We see that the Windows Server 2016 Core installation runs at 454 MB, next to it is the GUI install of 2016, and finally 2012 R2 at 692 MB.

Now with Administrator Logged-in:

Now with Administrator logged in, but with Server Manager closed on the virtual machines that have the GUI installed.

Trying to install IIS on all three VMs using PowerShell:

After Installation:

I also tried browsing the default website of each IIS installation, as seen in this screenshot, and here’s the memory assignment from Hyper-V:
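
The numbers above were read off Hyper-V Manager; here is an added example, not from the original post, that collects the same before-and-after comparison from the Hyper-V host with PowerShell. It assumes the three VM names below, that the guests’ hostnames match their VM names, and that WinRM is enabled in the guests with a local administrator account for the remote install.

```powershell
# Added example (not from the original post): measure Hyper-V memory for the three
# lab VMs before and after installing IIS, and print both as one table.
# Assumptions: VM names below are placeholders and double as the guests' hostnames;
# WinRM is enabled in the guests.
$vmNames = 'WS2012R2-GUI', 'WS2016-GUI', 'WS2016-Core'

function Get-LabMemory {
    param([string[]] $Name, [string] $Stage)
    # MemoryAssigned / MemoryDemand are the values Hyper-V Manager shows, in bytes
    Get-VM -Name $Name | ForEach-Object {
        [pscustomobject]@{
            Stage      = $Stage
            VM         = $_.Name
            AssignedMB = [math]::Round($_.MemoryAssigned / 1MB)
            DemandMB   = [math]::Round($_.MemoryDemand / 1MB)
        }
    }
}

$before = Get-LabMemory -Name $vmNames -Stage '1 base OS'

# Install IIS in all three guests in one go (same feature as Install-WindowsFeature per VM)
$cred = Get-Credential -Message 'Local administrator in the guests'
Invoke-Command -ComputerName $vmNames -Credential $cred -ScriptBlock {
    Install-WindowsFeature -Name Web-Server
} | Select-Object PSComputerName, Success, RestartNeeded

# Dynamic memory needs a little while to settle after a feature install
Start-Sleep -Seconds 120
$after = Get-LabMemory -Name $vmNames -Stage '2 with IIS'

# Both measurements, grouped per VM, so each server's delta is visible at a glance
$before + $after | Sort-Object VM, Stage | Format-Table -AutoSize
```

Taking the reading twice at each stage, a couple of minutes apart, is worth the wait: dynamic memory trims the assignment back down after an install, so a single snapshot right after Install-WindowsFeature overstates the steady-state footprint.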

I’m signing out of the servers to make sure no UI is running, nor any services other than the web server that we have just installed.

*Launches 3 Visual Studio 2015 and creates 3 web performance test projects*

I have created 3 simple load tests from Visual Studio to simulate browsing to the websites. If you are familiar with Visual Studio on-premises load testing, you will notice that the scenario is a single web test that is invoked multiple times by a load test. The multiplied scenario is just a basic web request.

Let’s run the load test:

We are running the load test for 5 minutes:

And after a few more minutes:

I want you to draw your own conclusions based on the data that I have shown in this blog. I also wanted to publish the load test results, but that’s for another time. Until then, see ya!

The movable cloud

I am moving my blog from this platform to this platform. It’s a more modern world, wherein you can move from one PaaS to another. And I am inviting you to come with me on this journey; bring snacks. Only snacks, this will be quick, but I’ll pace my posts this time to allow context and to allow me to be on a project today, which is another beauty of the cloud. I am not lifting any servers today.

This will be a four part story on how to migrate your WordPress content to Microsoft Azure Web App.

Part 1: Exporting Content (TODO)

Part 2: Creating a Web App (TODO)

Part 3: Importing Your Content (TODO)

Part 4: Customizing Your Site (TODO)

How to disable clutter [Fixed]

SendGrid never failed me; I had never used plain ol’ SMTP back when I started using Azure. But today I have been pulling my hair out because it seems my password reset is not sending any email.

I checked and double-checked my IIdentityMessageService implementation, and I know this works. I changed to my personal Office 365, refreshed it again and still to no avail. But wait, what is this? Clutter. Clutter is a feature, as described here.

To turn this off, go to your Mail options by clicking the cog in the top right-hand corner and then click Options.

Navigate to Options > Mail > Automatic Processing > Clutter.

Uncheck “Separate items identified as Clutter”. Then click Save.

There you go; now back to the forgot-password thingy.