To enable https connections to our websites we need an SSL certificate. You can buy certificates through specialized companies: Certificate Authorities. Getting a fully validated business wildcard certificate will set you back hundreds or thousands of dollars.
We're running on the cheap, and without a load balancer we cannot get a free SSL certificate through AWS.
"Public SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application." https://aws.amazon.com/certificate-manager/pricing
That leaves us with the option to generate them manually through Let's Encrypt. I found an application that does make creating certificates really easy by providing a GUI.
Go to https://certifytheweb.com/ and download the Certify SSL Manager.
Run the installer and install.
When you first open the program you're asked to fill in some basic information, like your name and contact information.
Click the New Certificate button in the top left corner of the screen. Give you certificate a name. We'll take
*.jodibooks.nl for this example. The asterisk shows us it's a wildcard certificate.
In the Add domains to certificate box type
jodibooks.nl and add domains, followed by
*.jodibooks.nl and add domains. The program will show a notification we have to use DNS to verify the domain, OK. Lastly choose your preferred domain to show on the certificate.
Go to the IAM console in AWS. Go to users and Add user. Add the user name
ACME-DNS with Access type Programmatic access.
In the next step click Attach existing policies directly and search for
Route53FullAccess. Select it and click Next.
Press Next again after adding optional tags and clikc Create user.
Save the credentials and leave the browser tab open for a moment.
Go back to Certify and go to Authorization on the right. Change the Challenge Type to
dns-01 and the DNS Update Method to
Amazon Route 53 DNS API.
Now add new credentials and enter the Credential name
ACME-DNS-EXAMPLE or just
ACME-DNS and the credentials you just made.
Click the 3 dots ... and choose the hosted zone. In my case
Click the Test button in the top-right of the window. Certify will start testing if it can add the necessary DNS records in Route 53.
Close the Test Progress_and go to Other Options in the right menu. I increased the _CSR Signing Algorithm to ECDSA P-256. The higher the more secure, but probably also more CPU intensive. Press the Request Certificate button.
Certify goes to work. It can take a while, as the DNS records need to be propagated. Just be patience and a few minutes later you have a wildcard certificate. Note that it will expire in 89 days, but that auto renewal is enabled.
Certify will have automatically created https-bindings to all your website in IIS with the
*.jodibooks.nl domain. What IIS doesn't do yet is redirect users from http to a secured https connection. To do that we have to configure HSTS in IIS.
Open IIS Manager and select your website. Now all the way on the right, near the bottom there is a link to HSTS... Scan for the Configure heading to find it.
Enable it obviously, set a Max-Age to at least
10368000 seconds (120 days) and ideally to
31536000 (one year). Now also enable the other options: IncludeSubDomains, Preload and Redirect Http to Https. Repeat for all your websites.
Source for HSTS Max-Age on Qualys security labs blog: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
With that our ASP.NET websites are running. In the next part a bonus feature: a WordPress blog on a super fast Ubuntu LEMP stack.