Let’s Encrypt – Zero SSL Online Wizard

 

Background

In this exercise we will use ZeroSSL Online Wizard to process a new Let’s Encrypt SSL Certificate.

Glossary

Certificate Signing Request (other name: CSR)

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).

Domain Validated Certificate

A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.

The sole criterion for a domain-validated certificate is proof of control over a domain. Typically control over a domain is determined using one of the following:

a) Response to email sent to the email contact in the domain’s whois details
b) Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
c) Publishing a DNS TXT record
d) Publishing a nonce provided by an automated certificate issuing system

Intermediate Certificate

Intermediate certificates are used as a stand-in for our root certificate. We use intermediate certificates as a proxy because we must keep our root certificate behind numerous layers of security, ensuring its keys are absolutely inaccessible.

However, because the root certificate itself signed the intermediate certificate, the intermediate certificate can be used to sign the SSLs our customers install and maintain the “Chain of Trust.”

Installing Intermediate Certificates
After your SSL certificate is issued, you will receive an email with a link to download your signed certificate and our intermediate certificates.

How you install the certificates depends on the server software you use. In most cases, you can download and install an intermediate certificate bundle. However, for some server types you must download and install the two intermediate certificates individually. Please refer to the Install SSL certificates for the specific process you should follow.

Let’s Encrypt – Client Option

From the list of Client Options for Let’s Encrypt, we have ZeroSSL.

ZeroSSL Windows

ZeroSSL has two options for utilizing ZeroSSL on Windows.

One option is through scripting and the other is through a browser-based wizard.

Because of reasons that we will have to cover in another post, our only option based on our targeted OS,  MS Windows 2003, is the Wizard option.

Processing

Outline

  1. Using IIS Manager, Request Certificate
  2. Using IIS Manager, Configure virtual folder
    • .well-known\acme-challenge
      • Mime Type ( extension-less files )
  3. Access ZeroSSL’s Website
    • Access Wizard
    • Submit Request
      • Paste generated CSR onto right side of request
      • Receive Domain Certificate
      • Press OK
    • Verification Process
      • Select Verification process ( HTTP or DNS )
      • Process Verification
    • Receive Certificates
      • Machine Certificate
      • Certificate Authority Certificate
  4. Using IIS, Accept Certificate
  5. Using IIS, Review Accepted Certificate

Request Certificate

Hopefully, you have already installed IIS on your targeted machine.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Server Certificate” window appears
      • Choose the “Create a new certificate” option button
    • The “IIS Certificate Wizard – Delayed Or Immediate Request” window appears
    • The “IIS Certificate Wizard – Name and Security Settings” window appears
      • Change Certificate Name from “Default” to a friendly, pertinent name that will make it easy to associate and identify later
      • Change Bit Length from 1024 to 4096
    • IIS Certificate Wizard – Organization Information
      • Entered “Organization” Information
      • Entered “Organization Unit” Information
    • IIS Certificate Wizard – Geographical Information
      • Choose Country
      • Entered State
      • Entered City
    • IIS Certificate Wizard – Certificate Request File Name
      • Enter a filename to save the “Certificate Request” file under
    • IIS Certificate Wizard – Request File Summary
      • Review Request Summary

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Server Certificate

IIS Certificate Wizard – Delayed Or Immediate Request

IIS Certificate Wizard – Name and Security Settings

IIS Certificate Wizard – Name and Security Settings – Initial

IIS Certificate Wizard – Name and Security Settings – After

IIS Certificate Wizard – Organization Information

IIS Certificate Wizard – Geographical Information

IIS Certificate Wizard – Certificate Request File Name

IIS Certificate Wizard – Request File Summary

IIS Certificate Wizard – Completing the Web Server Certificate Wizard

Configure .well-known\acme-challenge

Steps

  1. Using Windows Explorer or Command Shell, create new folder under the root folder
    • Example
      • c:\inetpub\wwwroot\.well-known\acme-challenge
  2. Register new mime-type for extension-less files
  3. Validate extension-less files are handled
    • Temporarily enable directory browsing
    • Create extension-less files under .well-known\acme-challenge
    • Using web browser access folder and access extension-less files

Images

acme-challenge Properties

acme-challenge Properties – Mime Types – Adding Extension-less file

acme-challenge Properties – Mime Types

Validate extension-less files are handled

Access ZeroSSL Website

https://zerossl.com/free-ssl/#crt

Details

Outline

On the Details Tab

  • Enter fields
    • Email (optional)
      • Email to correspond and inform of pending expiration
    • Paste your Let’s Encrypt key
      • If you already have a Let’s Encrypt Key, please paste it
    • Domains ( Only if you have no CSR)
    • Paste your CSR or leave it blank to generate
      • We have a CSR we generated using IIS Manager
    • Verification
      • Verification Choices
        • HTTP Verification
        • DNS Verification
      • We chose HTTP
    • Accept ZeroSSL TOS
    • Accept Let’s Encrypt SA (PDF)
  • We pasted the generated CSR
  • And, clicked on the Next button
  • Account Key
    • The system stays busy for a while, as the Account Key is generated
    • Once generated, the Account Key is placed in the Account Key text box
  • Click the next button

Image

ZeroSSL : Free SSL – Home Page

ZeroSSL : Free SSL – Free SSL Certificate Wizard

Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details  – CSR Pasted

CSR Pasted

Here we paste the “Certificate Request” ( CSR ) we generated earlier.

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Generate Account Key

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Account Key Generated

Verification

Verification  – Guidance

On the Verification Tab, for each Domain that we submitted on the Details tab, we are given guidance per:

  • Domain Name
  • Filename
  • File Content

Screen Shot

Verification – Initial

Verification  – Implementation

Following the guidance on the Verification Tab, for each Domain that we submitted on the Details tab, we do the following:

  • Access WebSite root folder
    • Usually C:\inetpub\wwwroot
  • Create sub-folder .well-known \ acme-challenge
  • For each domain
    • Create file
    • Add file contents

Verification – Created File

Verification – File Contents

Verification – Link Clicked
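
Where the Filename and File Content on the Verification tab come from, as an added example that is not part of the original post or of ZeroSSL's code: in ACME's HTTP-01 challenge the file name is the token, and the file content is the token joined to a thumbprint of the account key. The modulus, token and function names below are constructed for illustration.

```python
import base64
import hashlib
import json
import re
from pathlib import PureWindowsPath

# ACME tokens are base64url text; anything else must never become a file name.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Encode an RSA integer (modulus or exponent) as a JWK member."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA public key: SHA-256 over the JSON
    object holding only e, kty and n, sorted by name, without whitespace."""
    jwk = {"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, n: int, e: int) -> str:
    """The challenge file content: token + "." + account key thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url text")
    return token + "." + jwk_thumbprint(n, e)


def challenge_path(webroot: str, token: str) -> str:
    """Where the extension-less file must live under the web root."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url text")
    return str(PureWindowsPath(webroot, ".well-known", "acme-challenge", token))


def response_matches(served_body: str, expected: str) -> bool:
    """Compare what the web server returned with the expected content,
    ignoring trailing whitespace that an editor may have appended."""
    return served_body.rstrip() == expected


# Constructed sample values: a toy modulus, not a real account key.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)
SAMPLE_E = 65537
SAMPLE_TOKEN = "constructed-token_0123456789"

if __name__ == "__main__":
    print(challenge_path(r"C:\inetpub\wwwroot", SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_N, SAMPLE_E))
```

The file content is built from the public half of the account key only, so publishing it on the web server discloses nothing secret; the account key itself is what must be kept private.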

Certificate

Outline

On the Certificate Tab

  • Information
    • Certificates good for 90 days
    • Keep the following for when you renew
      • Let’s Encrypt Key
        • The account key registered with the Certificate Authority
      • CSR
        • Host specific
  • Download
    • Two certificates are made available as text
      • Host Assigned Cert
      • Issuer Cert
    • Depending on your targeted purpose, you have choices
      • IIS
        • For IIS, you can download the entire block inclusive of begin and end marker and save as one file

ScreenShot

Your Certificate is Ready

Certificate Text

Receive Certificate

In this section, we use IIS Manager to receive the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Pending Certificate” window appears
      • Choose the “Process Pending Request and install the certificate” option button
    • The “IIS Certificate Wizard – Process a pending Request” window appears
      • A lone text box asking for the certificate filename
        • The filename being asked for is the one generated by our Certificate Authority ( CA )
            • Enter or paste the file name
            • Or click on the browse button to navigate the File System and select the file
    • The “IIS Certificate Wizard – Process a Pending Request – SSL Port” window appears
      • Accept or Change the SSL/HTTPS Port Number
    • The “IIS Certificate Wizard – Process a Pending Request – Certificate Summary” window appears
        • Review the Certificate Summary
          • Issued to :-
            • Internet :- FQDN
            • Intranet :- Computer Name
          • Issued By :-
            • Let’s Encrypt Authority X3
          • Expiration Date :-
            • For “Let’s Encrypt Authority X3”, 3 months from Issue Date
          • Intended Purpose :-
            • Server Authentication
            • Client Authentication
          • Friendly Name
            • Friendly Name
      • The “IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard” window appears

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Pending Certificate Request

IIS Certificate Wizard – Process a Pending Request

IIS Certificate Wizard – Process a Pending Request – Browse

IIS Certificate Wizard – Process a Pending Request – File Selected

IIS Certificate Wizard – Process a Pending Request – SSL Port

IIS Certificate Wizard – Process a Pending Request – Certificate Summary

IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard

IIS Certificate Wizard – Process a Pending Request – Completed Web Server Certificate Wizard

Review Certificate

In this section, we use IIS Manager to review the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “View Certificate” button
  4. The “Certificate” window appears
    • Window – Certificate // Tab –  General
      • Issued To
      • Issued By
        • Let’s Encrypt Authority X3
      • Valid from
        • Valid from Begin to End Date
        • In our case 7/20/2017 thru 10/18/2017
    • Window – Certificate // Tab –  Details
      • Issuer
          • Let’s Encrypt Authority X3
      • Valid from
      • Valid To
      • Subject
        • Common Name
      • Public Key
        • Length
          • Integration Guide: Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length
          • In our case 4096
    • Window – Certificate // Tab –  Certification Path
      • Certificate Path
        • Issuer
        • Issued To
      • Certificate Status :-
        • This certificate is OK

Certificate – View – General

Certificate – View – Details

Certificate – View – Certificate Path


NetBalancer – v5.2 – Windows Server 2003

Background

Confessionally, I am stuck on MS Windows 2003 on my Lab computers.

I like it and it works well.

Just like that other guy who stayed on Windows XP.

 

ISP

Paying Me

Either way, my ISP is letting me know that I only have 2 months’ grace.

And, after this last month, they will be charging me every time I go over my allotted Network.

 

ISP Help

Tried to get them to help me to locate which server, what type of traffic, and which hosts I was talking to.

But 3rd-level support kept asking me to just go up to the next tier.

And, also, lest I forget, wanted me to get off my router and get on theirs.

 

Tools for Computer Network Monitoring

MS Windows 2008 comes with a nice Resource Monitor tool that allows one to monitor Network Usage at the individual process level.

Again, unfortunately, MS Windows 2003 does not come with Resource Monitor.

 

Networking Monitoring for Windows 2003

Thankfully found NetBalancer by SeriousBit.

 

 

NetBalancer

Download List

Here is the download list for NetBalancer from here.

 

Version

v5.2.1

Unfortunately, for MS Windows 2003, I have to use v5.2.1.

 

Downloaded & Installed

Downloaded & Installed it.

 

Usage

 

DNS

System Traffic

Image

Explanation
  1. Please review Current, Average, Maximum, Total
    • Broken down by Download & Upload
  2. Process Name
    • svchost.exe

 

Process Info

Image

 

Explanation
  1. Name : dns.exe
  2. Version :- 5.2.3790.4957 (srv03_sp2_gdr)
  3. File Creation Time :- 1/30/2012 4:39:57 AM
  4. Company :- Microsoft Corporation
  5. Started at : 4/2/2017 9:00:11 PM
  6. Parent :- services.exe ( 488 )

Connections

Image

Explanation
  1. TCP
    • We are listening on one of the Ports
  2. UDP
    • We have several UDP ports that are just waiting to be used

 

TroubleShooting

Stats

Count Number of Ports assigned to DNS

Code

netstat -anb | find /I "dns.exe"  /c



Output

Configuration

How many DNS Ports are we configured for

Code

dnscmd /Info /SocketPoolSize

Output

 

Summary

It does not seem that the DNS Server is the source of our network hog.
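
An added example, not part of the original post: the find /c count above gives one total, while pairing each netstat -anb socket row with the image name printed beneath it also splits that total by protocol. The sample output is constructed to follow the netstat -anb layout, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on `netstat -anb` output: each socket row is
# followed by the owning image name in square brackets.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1520
  [dns.exe]

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  [svchost.exe]

  UDP    0.0.0.0:53             *:*                                    1520
  [dns.exe]

  UDP    0.0.0.0:49152          *:*                                    1520
  [dns.exe]

  UDP    0.0.0.0:49153          *:*                                    1520
  [dns.exe]

  UDP    0.0.0.0:123            *:*                                    912
  [svchost.exe]
"""

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def sockets_by_owner(netstat_text):
    """Pair every socket row with the [image] line that follows it."""
    owned, pending = [], None
    for line in netstat_text.splitlines():
        row = ROW_RE.match(line)
        owner = OWNER_RE.match(line)
        if row:
            pending = (row.group(1), int(row.group(3)))
        elif owner and pending:
            owned.append((owner.group(1).lower(),) + pending)
            pending = None
    return owned


def port_summary(netstat_text, image="dns.exe"):
    """Break one image's sockets down by protocol, which a plain line
    count of the image name cannot do."""
    mine = [(proto, port) for name, proto, port in sockets_by_owner(netstat_text)
            if name == image.lower()]
    by_proto = Counter(proto for proto, _ in mine)
    return {
        "total": len(mine),  # one owner line per socket, as find /c counts
        "tcp": by_proto["TCP"],
        "udp": by_proto["UDP"],
        # UDP sockets other than the port 53 listener
        "udp_not_53": sum(1 for proto, port in mine if proto == "UDP" and port != 53),
    }


if __name__ == "__main__":
    print(port_summary(SAMPLE_NETSTAT))
```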

Chrome on Older OSes ( MS Windows 2003 )

Background

One of the side-effects of auto-updated software such as Google’s Chrome is one no longer has access to the Install Binaries.

If you find yourself needing to download and install Google Chrome on an out of service OS, please take to the Internet and search out an offline installer.

Here are ones I have found for the last available version of Chrome for MS Windows 2003.

BTW, the version for MS Windows 2003 is 49.0.2623.112.

 

Download Links

Version = 49.0.2623.112

Installers

Web Site (Targeted OS)

  • offlineinstallerfilehippo.com (x32, x64)
  • Software Mirrors
  • Filepuma (x32)

 

 

 

Application Files

The media listed here are not the actual installers, but the application files themselves.

 

The app files are bundled into a self-extracting exe.

Web Site

  • SlimJet

 

 

SlimJet

Here is how SlimJet describes its delivery mechanism:

The old versions of Chrome are packed as 7zip self-extracting executable. Just run the executable and extract the files under any folder on your hard drive. Then launch Google chrome with chrome.exe under the extraction folder.

SlimJet has files for the following OSes:

  • Microsoft ( 32 bit and 64 bit)
  • Linux ( Ubuntu & Debian )
  • Mac OS

Older Versions

Web Site: Old Versions
Versions Available: Google Chrome 0.2.149.27 Beta – 46.0.2490.80

 

 

 

SQL Server 2008 R2 – Best Practice Analyzer – StorPort Driver – Out of Date

Background

Troubleshooting performance issues on a MS SQL Server 2008/R2 instance running on a rebuilt MS Windows 2003 box.

And, thought of running Best Practice Analyzer against the instance.

Best Practice Analyzer

Installation

Installed the tool.

Identified Errors and Warnings

Storport driver fix from KBA 940467 missing

Textual


Category: Configuration

Source: localhost

Issue: The storport driver present on this system is below the recommended version 5.2.3790.4133

Impact: Using the existing version of the storport driver can lead to various server instability and integrity issues affecting SQL Server operations

Resolution: For compatibility information, see KB 940467 - http://support.microsoft.com/default.aspx?scid=kb;EN-US;940467 and then, install the new version of the driver

Visual

StorportDriverFixFromKBA940467Missing

Hotfix

Here is a short list of storport hotfixes released in 2007:

  1. Hotfix Kb/945119
    • Stop error that is related to the Storport.sys driver on a Windows Server 2003-based computer: “0x000000D1 (parameter1, parameter2, parameter3, parameter4) DRIVER_IRQL_NOT_LESS_OR_EQUAL”
    • Link
    • Date :- Nov 14, 2007
    • Version :-
      • Service Pack 1 – 5.2.3790.3044
      • Service Pack 2 – 5.2.3790.4189
  2. Hotfix Kb/940467
    • MMC stops responding, or you cannot access VDS-dependent tools after you install the Storport storage driver from Microsoft Knowledge Base article 932755 in Windows Server 2003
    • Link
    • Date :- Aug 16, 2007
    • Version :-
      • Service Pack 1 – 5.2.3790.2992
      • Service Pack 2 – 5.2.3790.2992
  3. Hotfix Kb/ 932755
    • An updated Storport storage driver is available for Windows Server 2003
    • Link
    • Date :- Feb 13, 2007
    • Version :-
      • Service Pack 1 – 5.2.3790.2880
      • Service Pack 2 – 5.2.3790.4021

Quick Explanation

  1. KB932755 was released in Feb 2007
  2. It caused some problems and so in Aug 2007, KB 940467 was released to fix those problems
  3. In Nov 2007, KB945119 was released

HotFix Install

Request Hotfix

Visit the listed Microsoft page, and request a download.

Microsoft will send you a link per the requested bitness (32, 64, Itanium) and Language.

Check your email for link and download the patches.

Install Hotfix

Install the downloaded hotfix.

Reboot

As this is a heavily used file, you have to reboot your system.

Validate Hotfix Install

Device Drivers

Normally, I would say access “Control Panel \ System \ Device Drivers”, but as this is a patch\hotfix, you will not be able to validate via “Device Drivers”.

File System

  1. Launch Windows Explorer
  2. Navigate to C:\Windows\System32\drivers
  3. Select storport.sys
  4. Access the Version tab
  5. In the list of items, choose “File Version”
  6. We have “5.2.3790.4189 ( srv03_sp2_qfe.071114-1205 )”

storport
