

Dan Ludwig edited this page Feb 26, 2012 · 2 revisions

Advanced IIS Express SSL & host name setup

You should now be able to run UCosmic on localhost over HTTPS using port 44376. However, this is not the preferred way to develop UCosmic.

The Ninja Way

The following steps are based on Scott Hanselman's excellent description of how to run IIS Express using SSL over port 443; specifically, they follow what that article calls the "Ninja Way". You might also want to check out Scott's MIX 11 video where he touched on this (I was in the front row for that presentation because I got there late, and regard it as the best material of the week).

SSL Certificate Installation

These steps are a bit out of order from Scott's article: we are going to import a couple of SSL certificates first. In the Etc folder of the source code you will find 2 PFX files, UCosmic Development Root CA.pfx and wildcard.ucosmic.com.pfx, each bundling a certificate with its private key. We are going to import both into the Personal certificate store of the Local Computer.

Click the Windows start orb and type "mmc". In the search results, click mmc.exe to start it, and click Yes to run it with elevated privileges. Click File > Add/Remove Snap-in, select Certificates from the list on the left, and click the Add > button. In the Certificates snap-in dialog, select "Computer account", click Next, ensure the "Local computer" radio button is selected, and then click Finish. Finally, click OK to add the snap-in to the console.

In the left column, expand Certificates (Local Computer) > Personal and select the Certificates folder. You should already see at least 1 certificate here for localhost -- this is the self-signed SSL certificate used by IIS Express when running over port 44376. With the Personal > Certificates folder selected, click Action > All Tasks > Import from the console menu bar. This will open the Certificate Import Wizard. Click Next.

Click the Browse button next to the File name text box and browse to the UCosmic source code Etc folder. Change the drop down menu next to the File name text box from "X.509 Certificate (.cer;.crt)" to "Personal Information Exchange (.pfx;.p12)". Double click the UCosmic Development Root CA.pfx file to open it, then click Next. The password for this private key is pw. Check the boxes to mark the key as exportable and to include all extended properties, then click Next. On the next screen, select the "Place all certificates in the following store" radio button, and make sure the Personal certificate store is selected. Click Next and then Finish to complete the import.

Follow the same process to import the wildcard.ucosmic.com.pfx file. When you are finished, your Personal Certificates store should contain 2 new certificates: UCosmic Development Root CA, and *.ucosmic.com. The last thing you need to do is start an administrative command prompt and run the following command, which tells HTTP.SYS to serve the wildcard certificate on port 443 on behalf of IIS Express. The appid is IIS Express's application identifier, and certhash is the thumbprint of the *.ucosmic.com certificate; you can compare it against the Thumbprint field on the Details tab of that certificate in mmc, and the command will fail if the two do not match:

netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=118107675d865c7d6473289bffa5270e780f8da6

If you are running these commands from the VS PowerShell command line, the above requires a slight syntax tweak, because PowerShell would otherwise interpret the braces around the appid:

netsh http add sslcert ipport=0.0.0.0:443 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=118107675d865c7d6473289bffa5270e780f8da6

Either way, running netsh http show sslcert ipport=0.0.0.0:443 afterwards should list the binding with that certificate hash. If the add command fails because something else (a full IIS installation, for example) already has a certificate bound to 0.0.0.0:443, remove that binding first with the delete command in the next section.
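The certificate import and port 443 binding above, scripted in PowerShell as an added example; this is not code from the UCosmic wiki or repository. It assumes the Etc folder path given in the script, uses the PFX password and IIS Express appid stated on this page, and reads the thumbprint from the certificate it just imported rather than hard-coding it, so the certhash cannot be mistyped. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not UCosmic project code. Imports the two development PFX files into the
# Local Computer Personal store and binds the wildcard certificate to 0.0.0.0:443 for IIS Express.
param(
    [string]$EtcFolder   = 'C:\src\UCosmic\Etc',  # assumption: wherever you cloned the repository
    [string]$PfxPassword = 'pw'                    # the password this page gives for both PFX files
)
$iisExpressAppId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'   # IIS Express appid, from this page

function Import-PfxToLocalMachinePersonal([string]$Path, [string]$Password) {
    # Exportable + MachineKeySet + PersistKeySet mirrors the wizard choices described above and
    # keeps the private key in the machine key store, where HTTP.SYS can reach it.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }   # idempotent re-runs
    } finally {
        $store.Close()
    }
    return $cert
}

$root = Import-PfxToLocalMachinePersonal (Join-Path $EtcFolder 'UCosmic Development Root CA.pfx') $PfxPassword
$wild = Import-PfxToLocalMachinePersonal (Join-Path $EtcFolder 'wildcard.ucosmic.com.pfx') $PfxPassword
"Imported '$($root.Subject)' and '$($wild.Subject)' (thumbprint $($wild.Thumbprint))"

if (-not $wild.HasPrivateKey) { throw 'The wildcard certificate imported without its private key; HTTP.SYS cannot serve it.' }
if ($wild.Issuer -ne $root.Subject) { Write-Warning 'The wildcard certificate does not name the imported root CA as its issuer.' }

# Bind (or confirm) the certificate on port 443. Quoting the arguments keeps the braces in the
# appid intact whether this runs from powershell.exe or the VS PowerShell prompt.
$current = netsh http show sslcert ipport=0.0.0.0:443
if ($current -match $wild.Thumbprint) {
    'Port 443 is already bound to the wildcard certificate.'
} else {
    netsh http add sslcert ipport=0.0.0.0:443 "appid=$iisExpressAppId" "certhash=$($wild.Thumbprint)"
    if ($LASTEXITCODE -ne 0) {
        throw 'netsh http add sslcert failed. Run from an elevated prompt; if another certificate already owns 0.0.0.0:443, remove it first with: netsh http delete sslcert ipport=0.0.0.0:443'
    }
}
```

The script does not trust the root CA; that step is deliberately left until later on this page, so browsers will still warn at this point.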

Rewinding / Undoing the certificate installation

If you ever need to remove the port 443 binding for the UCosmic wildcard certificate, you can do so with the following command. The certificates themselves can also be deleted from the mmc.exe console.

netsh http delete sslcert ipport=0.0.0.0:443

Custom hosts entry

Let's also get this step out of the way. Click the Windows start orb and type "notepad". In the results, right click Notepad and then click "Run as administrator" (the hosts file is writable only by administrators). In Notepad, click File > Open and then navigate to C:\Windows\System32\drivers\etc. Change the drop down menu next to the File name text box from "Text Documents (.txt)" to "All Files (.*)". You should then see a file named "hosts" without a file extension. Double click that file to open it in Notepad.

Add a new hosts entry to resolve the host develop.ucosmic.com to 127.0.0.1. The following is what the bottom of my hosts file looks like:

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1     develop.ucosmic.com

This step was touched on but not fully covered in Scott's article. Basically, we will access UCosmic in development using the URL https://develop.ucosmic.com instead of a machine name such as the HANSELMAN-W500 in Scott's example. When you are finished, save the file in Notepad. Windows consults the hosts file on every lookup, so a reboot is not strictly required: running ipconfig /flushdns from an administrative command prompt and restarting your browser is normally enough. If the name still does not resolve to 127.0.0.1 after that, reboot, then return to this page to continue with the next steps.
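The hosts file change as an added PowerShell example, not code from the UCosmic wiki or repository. It adds the entry only if no uncommented line already maps the name, flushes the resolver cache, and then checks that develop.ucosmic.com actually resolves to the loopback address, which is the check to run before blaming IIS Express for a name that does not work. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not UCosmic project code. Adds the develop.ucosmic.com hosts entry if it is
# missing, flushes the resolver cache and checks that the name resolves to loopback.
$hostName  = 'develop.ucosmic.com'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsEntry([string]$Name, [string]$Address = '127.0.0.1') {
    $text = [System.IO.File]::ReadAllText($hostsPath)
    # An uncommented line already mapping this address to this name: nothing to do.
    $pattern = '(?m)^\s*' + [regex]::Escape($Address) + '\s+' + [regex]::Escape($Name) + '(\s|$)'
    if ($text -match $pattern) { return $false }
    # Start on a fresh line even if the file currently lacks a trailing newline.
    $prefix = if ($text.Length -eq 0 -or $text.EndsWith("`n")) { '' } else { [Environment]::NewLine }
    [System.IO.File]::AppendAllText($hostsPath, "$prefix$Address`t$Name" + [Environment]::NewLine)
    return $true
}

function Test-LoopbackResolution([string]$Name) {
    $addresses = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    return @{ Addresses = @($addresses); IsLoopback = (@($addresses) -contains '127.0.0.1') }
}

$added = Add-HostsEntry $hostName
ipconfig /flushdns | Out-Null          # drop any cached (possibly negative) answer for the name
$result = Test-LoopbackResolution $hostName
if (-not $result.IsLoopback) {
    throw "$hostName resolves to $($result.Addresses -join ', ') rather than 127.0.0.1; look for a conflicting line in $hostsPath."
}
"$hostName -> $($result.Addresses -join ', ')" + $(if ($added) { ' (entry added)' } else { ' (entry was already present)' })
```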

IIS Express Bindings

Once the name resolves, start Visual Studio and open your IIS Express applicationhost.config file (by default it lives under Documents\IISExpress\config in your user profile). Go to the section where you previously added the https binding for port 44376. Modify the bindings section to include 2 new bindings for the custom host, one for http over port 80, and another for https over port 443:

<bindings>
    <binding protocol="http" bindingInformation="*:1976:localhost" />
    <binding protocol="https" bindingInformation="*:44376:localhost" />
    <binding protocol="http" bindingInformation="*:80:develop.ucosmic.com" />
    <binding protocol="https" bindingInformation="*:443:develop.ucosmic.com" />
</bindings>

Technically, you could start IIS Express at this point and view the app in your browser using the URLs http://develop.ucosmic.com and https://develop.ucosmic.com... if you run Visual Studio as an administrator, since HTTP.SYS only lets an elevated process listen on a host name and port that nobody has reserved. To check it out, go ahead and close Visual Studio, reopen it as an administrator, open the solution and start it. (Note that you will see warnings that the SSL certificate is not trusted. We will deal with this in a later step.)

Running as non-administrator

IIS Express can start up on these custom host names without administrative privileges, but it requires an extra (one time) step: reserving the two URLs in HTTP.SYS. Fire up a command prompt as administrator and run the following 2 commands:

netsh http add urlacl url=http://develop.ucosmic.com:80/ user=everyone
netsh http add urlacl url=https://develop.ucosmic.com:443/ user=everyone

Now if you run Visual Studio as a normal non-elevated user, IIS Express will start up and you can navigate to UCosmic with the URLs http://develop.ucosmic.com and https://develop.ucosmic.com. Be aware that user=everyone lets any account on the machine listen on those URLs; on a shared machine, reserve them for your own account instead (for example user=%USERDOMAIN%\%USERNAME% from a command prompt). You will still see SSL warnings at the https URL, but we will get rid of these soon.
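The binding and URL reservation steps above as one added PowerShell example; this is not code from the UCosmic wiki or repository. It assumes IIS Express keeps applicationhost.config under Documents\IISExpress\config, and takes the site name as a parameter because the name Visual Studio gave the UCosmic site is not stated on this page. It backs up the config before editing it, skips bindings and reservations that already exist, and reserves the URLs for your own account rather than Everyone. Run it from an elevated PowerShell prompt while Visual Studio is closed.

```powershell
# Added example, not UCosmic project code. Adds the develop.ucosmic.com bindings to an IIS Express
# site and reserves the matching URLs for the current account so IIS Express can run unelevated.
param(
    [string]$SiteName   = 'UCosmic',                 # assumption: use the site name found under <sites>
    [string]$HostName   = 'develop.ucosmic.com',
    [string]$ConfigPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'IISExpress\config\applicationhost.config')
)

function Add-SiteBinding([System.Xml.XmlElement]$Bindings, [string]$Protocol, [string]$Info) {
    # Returns $true only when a new <binding> element had to be created.
    if ($Bindings.SelectSingleNode("binding[@protocol='$Protocol' and @bindingInformation='$Info']")) { return $false }
    $b = $Bindings.OwnerDocument.CreateElement('binding')
    $b.SetAttribute('protocol', $Protocol)
    $b.SetAttribute('bindingInformation', $Info)
    [void]$Bindings.AppendChild($b)
    return $true
}

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true                 # keep the file's existing layout on save
$config.Load($ConfigPath)
$site = $config.SelectSingleNode("/configuration/system.applicationHost/sites/site[@name='$SiteName']")
if (-not $site) { throw "No <site name='$SiteName'> in $ConfigPath; pass -SiteName with the name Visual Studio used." }

Copy-Item $ConfigPath "$ConfigPath.bak" -Force      # keep a copy to roll back to
$bindings = $site.SelectSingleNode('bindings')
$added = @()
foreach ($pair in @(@('http', "*:80:$HostName"), @('https', "*:443:$HostName"))) {
    if (Add-SiteBinding $bindings $pair[0] $pair[1]) { $added += $pair[1] }
}
if ($added.Count) { $config.Save($ConfigPath); "Added bindings: $($added -join ', ')" } else { 'Bindings already present.' }

# URL reservations let IIS Express listen on these names without elevation. user=everyone, as on
# this page, lets any local account do the same, so the reservation is scoped to you instead.
$account = "$env:USERDOMAIN\$env:USERNAME"
foreach ($url in "http://${HostName}:80/", "https://${HostName}:443/") {
    $existing = netsh http show urlacl "url=$url"
    if ($existing -match [regex]::Escape($url)) { "Reservation already exists: $url"; continue }
    netsh http add urlacl "url=$url" "user=$account"
    if ($LASTEXITCODE -ne 0) { throw "Could not reserve $url; run from an elevated prompt." }
}
```

The rewind is the same as described below: netsh http delete urlacl for each URL, and restoring applicationhost.config from the .bak copy the script wrote.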

Rewinding / Undoing the urlacl entries

If you ever need to delete these urlacl reservations, you can do so with the following process:

  1. Fire up an administrative command prompt.
  2. Run netsh http show urlacl, which lists all of the urlacl entries on your machine. It should contain 2 entries for develop.ucosmic.com: one for http and another for https.
  3. Run the following 2 commands:
    • netsh http delete urlacl url=http://develop.ucosmic.com:80/
    • netsh http delete urlacl url=https://develop.ucosmic.com:443/
  4. Finally, run netsh http show urlacl again to confirm that the entries are no longer on your machine.

Trusting the SSL Certificate

At this point, running UCosmic over http on port 80 should work great. However, browsers keep warning you that the site's SSL certificate is not trusted. Firefox keeps its own certificate store rather than using the Windows one, so to work around this in Firefox you will have to add a security exception for https://develop.ucosmic.com. For all other browsers, we're going to follow the advice of Scott's article, but with a twist.

You may remember we imported 2 SSL certificates, whereas Scott's article only creates one. The UCosmic setup is slightly different: instead of having a single SSL certificate for the host name develop.ucosmic.com, we have a Root Certification Authority (Root CA) along with a wildcard certificate issued by that Root CA. This means you only need to drag the UCosmic Development Root CA certificate into the Trusted Root Certification Authorities folder; the *.ucosmic.com certificate can stay in your Personal certificate store, because Windows will now build a trusted chain from it to the root. Be clear about what this trust means: the root's private key ships in the Etc folder with a password printed on this page, so anyone with the source code can issue certificates for any host name that a machine trusting this root will accept. Only trust it on development machines, and remove it from Trusted Root Certification Authorities when you no longer need it.

Your browser should now open https://develop.ucosmic.com without any fuss.
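The trust step above, with the verification a practitioner wants, as an added PowerShell example; this is not code from the UCosmic wiki or repository. It assumes the two certificates were imported into the Local Computer Personal store as described earlier, picks out the wildcard certificate as the one issued by the UCosmic Development Root CA, builds the wildcard certificate's chain before and after adding the root to Trusted Root Certification Authorities, and fails if the chain still does not validate. Calling Set-RootTrust with $false performs the rewind. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not UCosmic project code. Trusts the development root CA on this machine and
# verifies that the wildcard certificate now chains to it.
$X509NS = 'System.Security.Cryptography.X509Certificates'

function Get-LocalMachineCerts([string]$StoreName, [scriptblock]$Filter) {
    $store = New-Object "$X509NS.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadOnly')
    try { return @($store.Certificates | Where-Object $Filter) } finally { $store.Close() }
}

function Set-RootTrust([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca, [bool]$Trusted) {
    # Adds the CA to, or removes it from, Trusted Root Certification Authorities; safe to repeat.
    $root = New-Object "$X509NS.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $root.Open('ReadWrite')
    try {
        $present = $root.Certificates.Contains($Ca)
        if ($Trusted -and -not $present) { $root.Add($Ca) }
        if (-not $Trusted -and $present) { $root.Remove($Ca) }
    } finally { $root.Close() }
}

function Test-CertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf) {
    $chain = New-Object "$X509NS.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the development CA publishes no CRL
    $valid  = $chain.Build($Leaf)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    return @{ Valid = $valid; Status = $status }
}

$ca = @(Get-LocalMachineCerts 'My' { $_.Subject -like '*UCosmic Development Root CA*' })
if ($ca.Count -ne 1) { throw "Expected exactly one UCosmic Development Root CA in Personal, found $($ca.Count)." }
$ca = $ca[0]
# The wildcard certificate is the one in Personal that this root issued (excluding the root itself).
$wild = @(Get-LocalMachineCerts 'My' { $_.Issuer -eq $ca.Subject -and $_.Subject -ne $ca.Subject -and $_.HasPrivateKey })
if ($wild.Count -lt 1) { throw 'No certificate issued by the root CA found in Personal; import wildcard.ucosmic.com.pfx first.' }
$wild = $wild[0]

$before = Test-CertChain $wild
"Before trusting the root: valid=$($before.Valid) [$($before.Status)]"   # expect False [UntrustedRoot]
Set-RootTrust $ca $true
$after = Test-CertChain $wild
"After trusting the root:  valid=$($after.Valid) [$($after.Status)]"
if (-not $after.Valid) { throw 'Chain still does not validate; check the validity dates and that the CA in Personal really is the issuer.' }
# Rewind when you stop developing: Set-RootTrust $ca $false
```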

<< Back: Before you run the solution | Next: Extra Credit: Access from another machine >>