ARR, HTTPS Offloading, Central Certificate Store [Answered]

2 replies

Last post Oct 14, 2019 07:47 AM by Chris Becke

  • ARR, HTTPS Offloading, Central Certificate Store

    Oct 11, 2019 10:17 AM | Chris Becke

    I am trying to use the Central Certificate Store to handle SSL offloading.

    There is already an ARR server directing traffic for foo.example.com and bar.example.com on http, so DNS and all that is working.

    So, to make https work:

    I have created _.foo.example.com and _.bar.example.com and placed both in a certs folder.

    I added san:dns=foo&dns=foo.example.com&dns=*.foo.example.com and similar to the bar when I requested each cert.

    I enabled Central Certificates and pointed it at this folder and it shows me the certificates and their details.

    When I point my browser at the https versions of the sites it doesn't even try to connect and immediately resets the connection.

    I don't even know where to look. I suspect there's something wrong at the http.sys level, but I don't know how to check how http.sys routes into IIS when Central Certificates are being used.

    help!

  • Re: ARR, HTTPS Offloading, Central Certificate Store

    Oct 14, 2019 02:26 AM | Jalpa Panchal

    Hi,

    To configure ARR to support SSL offloading:

    • On the ARR machine, open the IIS manager.
    • Open the ARR server farm and double-click Routing Rules.
    • Make sure the Enable SSL offloading checkbox is selected.

    Also, check that you added an https binding with the correct certificate.

    SSL for Web Sites on Windows Server for Hosting Service Providers

    SSL off-loading in Application Request Routing

    Regards,

    Jalpa

  • Re: ARR, HTTPS Offloading, Central Certificate Store

    Oct 14, 2019 07:47 AM | Chris Becke

    The dirty secret of ARR is that the global rules rely on having at least one web site configured.

    Typically this is done on the "Default Site".

    Typically you want an http binding *:80:

    and, to make use of Centralized Certificates, an https binding of: *:443: - which is, unfortunately, not possible to create in the GUI.

    Because the CLI is less fussy, you can do it directly, using AppCmd to create the https binding in IIS and netsh to associate the central cert store.

    appcmd set site /site.name:"Holding Site" /+bindings.[protocol='https',bindingInformation='*:443:',sslFlags='3']

    netsh http add sslcert ccs=443 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

    Do note that wildcarding https like this means it will pick a random cert from the central cert store in case a match is not found.

    Here's how it *would* be configured in the GUI if the damn OK button would enable itself when the hostname field was blank:

    (screenshot: How it looks)
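An added diagnostic script (not posted by anyone in this thread) that checks the three pieces the replies discuss: the `*:443:` binding with sslFlags 3, the http.sys CCS registration, and whether each hostname resolves to a PFX in the CCS folder whose SAN actually covers it, so the "random cert" fallback from the last reply can be spotted before clients hit it. The folder path, site name, hostnames, the CCS file-name rule (exact `host.pfx`, else `_.parent.pfx`) and the text matched in `netsh` output are assumptions.

```powershell
Import-Module WebAdministration

$CcsFolder = 'C:\certs'        # folder Central Certificates points at (assumed)
$SiteName  = 'Holding Site'    # site carrying the *:443: binding (name from the thread)
$PfxPwd    = Read-Host -AsSecureString 'PFX password'
$Hosts     = 'foo.example.com', 'www.foo.example.com', 'bar.example.com'   # constructed

# 1. The holding site needs an https binding of *:443: with sslFlags 3 (SNI=1 + CCS=2).
$b = Get-WebBinding -Name $SiteName -Protocol https |
     Where-Object { $_.bindingInformation -eq '*:443:' }
if (-not $b)                { Write-Warning "No *:443: https binding on '$SiteName'" }
elseif ($b.sslFlags -ne 3)  { Write-Warning "sslFlags is $($b.sslFlags); expected 3 (SNI+CCS)" }
else                        { Write-Host 'IIS binding OK' }

# 2. http.sys must route port 443 to the Central Certificate Store.
#    The line text matched here is assumed; inspect the raw output if it does not match.
$ssl = netsh http show sslcert
if ($ssl -match 'Central Certificate Store\s*:\s*443') { Write-Host 'http.sys CCS binding on 443 OK' }
else { Write-Warning 'netsh http show sslcert shows no CCS binding for port 443'; $ssl }

# 3. For each hostname, find the PFX that CCS would pick by file name
#    (host.pfx, else _.parent-domain.pfx) and confirm its SAN covers the host.
function Test-CcsHost([string]$HostName) {
    $labels = $HostName.Split('.')
    $parent = if ($labels.Length -gt 1) { $labels[1..($labels.Length - 1)] -join '.' } else { $null }
    $candidates = @("$HostName.pfx"); if ($parent) { $candidates += "_.$parent.pfx" }
    foreach ($name in $candidates) {
        $path = Join-Path $CcsFolder $name
        if (-not (Test-Path $path)) { continue }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import($path, $PfxPwd, 'DefaultKeySet')
        # SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=*.b"
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
        $covers = ($san -match [regex]::Escape("DNS Name=$HostName")) -or
                  ($parent -and $san -match [regex]::Escape("DNS Name=*.$parent"))
        return [pscustomobject]@{ Host = $HostName; File = $name; SanCovers = $covers; Expires = $cert.NotAfter }
    }
    # No file by either name: CCS has nothing specific to serve for this host.
    [pscustomobject]@{ Host = $HostName; File = $null; SanCovers = $false; Expires = $null }
}

$Hosts | ForEach-Object { Test-CcsHost $_ } | Format-Table -AutoSize
```

A row with an empty File or SanCovers = False is a host for which the wildcard binding will fall through to whatever certificate CCS picks, which is the case the last reply warns about.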