Setting up Slackin using Azure and Let’s Encrypt

So I started the sw-dotnet-developers slack (https://sw-dotnet.uk/) a week or so ago, and quickly realised I needed some kind of self registration system to avoid me having to send off invites to everyone, which would become boring very quickly.

I did some searching and found Slackin – a little server that enables public access to a slack server – awesome! It even has an Azure Deploy setup – literally click on one link and fill in some details to get it installed.

NB – I had to use the ‘latest’, not ‘stable’ release to get it to work.

Once that’s up – you suddenly notice that it’s https only, so time to generate an SSL Certificate. Initially I went down the route of using StartSSL – I’ve used them before and it’s worked, and actually had it running for a week or so on a StartSSL cert – until someone at a meetup said the cert had been revoked.

Odd.

On Chrome, IE etc all was ok, but Firefox was having none of it. (because)

Now, it was suggested to me to ignore Firefox (the language used was a bit more fruity than that) but I think if an organisation is trying to make the web safer, who am I to disagree!

Did I mention - I’m also cheap.

StartSSL is free, hmmm what to do. As luck would have it, Troy Hunt (security superhero) posted a blog about getting Let’s Encrypt working on Azure. Handy.

There are a few things which have changed in between that post and now, so let’s cover them:

1. Resource groups no longer have the ‘people’ icon – you have to now click on the ‘Access Control’ menu option instead:

2. Tip to find the site extensions – look in the top menu – I spent a while hunting this out – in fact I added it via the ‘Extensions’ bit of the website in the Azure Portal.

3. The LetsEncrypt Extension has some extra features:

This one being nifty – fill in the details and have it save them to the app for you, to be honest, I had mixed mileage with this, from scratch – it didn’t work – but it would work once it had recognised the app config stuff there.

4. When first generating the cert, it’s worth using the ‘IsStaging’ setting to make sure it’ll work.

When it doesn’t work

Having followed the post, and got to the generate SSL cert bit – I got an error. Uh oh. The error message you get informs you where you need to go on the Let’s Encrypt site and get the error. I was getting:

The key authorization file from the server did not match this challenge

And when I look at the URL it’s trying to get to, I can see it’s an http location.

But slackin automatically redirects to https.

But the url is http.

So, off I go to get the web.config file from the server.

Slackin is a node project (or so I assume – not being a nodey person myself) and has this rule in its config:

<rule name="DynamicContent">
  <conditions>
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
  </conditions>
  <action type="Rewrite" url="bin/slackin"/>
</rule>

Which I think redirects pretty much everything to ‘bin/slackin’, so as I see it, the let’s encrypt server is always being redirected to the wrong place.

So I’ve added this rule:

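<!-- Must sit above the DynamicContent rule: rules run in order and stopProcessing ends evaluation on a match -->
<rule name="LetsEncrypt" stopProcessing="true">
  <!-- Dot escaped and trailing slash added so only paths under .well-known/ match -->
  <match url="^\.well-known/"/>
  <action type="Rewrite" url="{REQUEST_URI}"/>
</rule>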

Which looks for a URI coming in to the ‘LetsEncrypt’ extension and does no url re-writing. A quick upload of this web.config, and re-attempt the ‘get cert’ bit of the process. This time it works!
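
As an added illustration (not part of the original post or the Slackin project), this Python sketch models how the ordered rewrite rules decide where a request goes, and compares an unescaped pattern such as ^.well-known* with the anchored ^\.well-known/. The catch-all match of .* on the DynamicContent rule, the sample paths and the helper names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

LOOSE = r"^.well-known*"    # unescaped dot, and '*' applies only to the final 'n'
TIGHT = r"^\.well-known/"   # literal dot, anchored at the directory boundary

def rules_xml(pattern):
    """Constructed fragment: the exemption rule ahead of a simplified catch-all
    (the IsFile condition is left out; '.*' is an assumption for the model)."""
    return f"""<rules>
  <rule name="LetsEncrypt" stopProcessing="true">
    <match url="{pattern}"/>
    <action type="Rewrite" url="{{REQUEST_URI}}"/>
  </rule>
  <rule name="DynamicContent">
    <match url=".*"/>
    <action type="Rewrite" url="bin/slackin"/>
  </rule>
</rules>"""

def deciding_rule(xml_text, path):
    """Name of the rule that has the last word on `path` (simplified model).

    IIS URL Rewrite tests the pattern against the path without its leading
    slash, ignores case by default, evaluates rules top to bottom, and stops
    at a matching rule marked stopProcessing="true".
    """
    decided = None
    for rule in ET.fromstring(xml_text).iter("rule"):
        if re.search(rule.find("match").get("url"), path.lstrip("/"), re.IGNORECASE):
            decided = rule.get("name")
            if rule.get("stopProcessing", "false").lower() == "true":
                break
    return decided

# Constructed request paths; the token is a placeholder, not a real challenge.
PATHS = [
    "/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
    "/.well-knownish/notes.txt",
    "/xwell-know",
    "/invite",
]

def compare(paths=PATHS):
    """Map each path to (rule chosen with LOOSE, rule chosen with TIGHT)."""
    return {p: (deciding_rule(rules_xml(LOOSE), p),
                deciding_rule(rules_xml(TIGHT), p)) for p in paths}

if __name__ == "__main__":
    for path, (loose, tight) in compare().items():
        print(f"{path:48} loose={loose:15} tight={tight}")
```

Both patterns let the challenge path bypass the application, but only the anchored one keeps every other path on the normal route.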