
UrlRewrite: SSL for Free Manual Verification Rule

2017 has really been the year when SSL implementation on websites has taken off. Google’s near-requirement of SSL for SEO has forced many websites to implement some form of SSL certificate. For small personal or business sites, the biggest blocker for SSL hasn’t been the actual installation but the cost. Although prices have fallen, some website owners still resist forking out £30 for an SSL certificate, especially if their site doesn’t actually process sensitive data.

Thankfully, SSL For Free has stepped into the fray, providing free SSL certificates from the Let’s Encrypt Certificate Authority.

To obtain a certificate from SSL for Free, it is necessary to verify your domain. You can do this either via FTP, DNS or manual verification. I often go the manual verification route as I find it to be faster and simpler to accomplish.

With manual verification, it is necessary to download a small file and place it on your website, where SSL For Free looks for it. If your site is already running in SSL and/or only accepts SSL requests, manual verification will fail, as it would appear that SSL For Free only checks for the file via HTTP.

To avoid messing with IIS configuration, the simplest way around this is to use a UrlRewrite rule that acts as a pass-through for verification requests:

<rule name="SSLForFree Pass Through" stopProcessing="true">
  <!-- URL Rewrite matches the path without its leading slash -->
  <match url="^\.well-known/acme-challenge/(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <!-- Skip requests made to the local machine -->
    <add input="{SERVER_NAME}" pattern="localhost|127\.0\.0\.1|::1" negate="true" />
  </conditions>
  <!-- No rewrite or redirect: the request is served as-is over HTTP -->
  <action type="None" />
</rule>

If you are using this rule in conjunction with an HTTP to HTTPS rule (see earlier post), it should be placed before any such rule, as manual verification is done through an HTTP request. Because the rule has stopProcessing="true", no later rule is evaluated for a matching request.
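To confirm the rule order after deploying, this added example (not from the original post) requests a test file in the challenge folder and one ordinary page over plain HTTP, without following redirects. The file name `test.txt`, the script name and the function names are assumptions for illustration.

```python
import http.client
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)


def probe(host, path, port=80, timeout=5):
    """One plain-HTTP GET, redirects not followed. Returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_site(host, test_file, other_path="/", port=80):
    """Return a list of problems; an empty list means the rules are ordered correctly.

    test_file is a file you placed in the acme-challenge folder yourself
    (hypothetical name, e.g. test.txt).
    """
    problems = []

    # 1. The challenge file must be served over HTTP with no redirect.
    status, location = probe(host, CHALLENGE_PREFIX + test_file, port)
    if status in REDIRECTS:
        problems.append(f"challenge path redirected to {location}: pass-through "
                        "rule is missing or sits below the HTTPS redirect rule")
    elif status != 200:
        problems.append(f"challenge file returned HTTP {status}")

    # 2. Everything else must still be pushed to HTTPS.
    status, location = probe(host, other_path, port)
    if status not in REDIRECTS or not (location or "").lower().startswith("https://"):
        problems.append(f"{other_path} answered over plain HTTP with status "
                        f"{status}: HTTPS redirect missing or exemption too broad")
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python check_acme_rule.py <host> <test_file>
    issues = check_site(sys.argv[1], sys.argv[2])
    print("\n".join(issues) or "OK: challenge path is exempt, other paths redirect")
    sys.exit(1 if issues else 0)
```

Run it from a machine outside the server, since the rule skips requests addressed to localhost.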

Automated Implementation
As a side note, users of the SolidCP hosting control panel – as Calzada Media are – can install Let’s Encrypt certificates through the hosting control panel. Once issued, SolidCP should automatically renew the certificates every 2 months. A short step-by-step guide on how to install the certificate can be found here.