Non-iis http-01 challenge response

While digging into managing SSRS certificates, I spent a bit of time on using PowerShell to serve the http-01 challenge response, as my SSRS 2017 server does not have IIS installed. (SSRS was switched to HttpListener a few releases ago.)

Ultimately I was able to use dns-01 as my domain is on Cloudflare, but it could be useful for Certify the Web to provide some kind of temporary hosting for http-01 challenges, either directly in the app, or by an “On-request” PowerShell script. I was able to successfully serve a challenge request with this script:

# Http Server
$http = New-Object System.Net.HttpListener

# Hostname and port to listen on
$http.Prefixes.Add("http://rs.yourdomain.org:80/")

# Start the Http Server
$http.Start()

# Log ready message to terminal
if ($http.IsListening) {
    #write-host " HTTP Server Ready!  " -f 'black' -b 'green'
}

while ($http.IsListening) {
    $context = $http.GetContext()

    # http://./.well-known/acme-challenge/configcheck
    if ($context.Request.HttpMethod -eq 'GET' -and $context.Request.RawUrl.StartsWith('/.well-known/acme-challenge/')) {

        # We can log the request to the terminal
        #write-host "$($context.Request.UserHostAddress)  =>  $($context.Request.Url)" -f 'mag'

        # the last path segment is the challenge token; only accept the characters a token can contain
        $fileName = $context.Request.RawUrl.Split('/')[-1]
        $filePath = "C:\scripts\certifytheweb\.well-known\acme-challenge\$fileName"

        if ($fileName -match '^[A-Za-z0-9_-]+$' -and (Test-Path $filePath)) {
            # the key authorization text you want to send back to the ACME server
            [string]$html = (Get-Content $filePath -Raw).Trim()
            $context.Response.ContentType = 'text/plain'
            $served = $true
        } else {
            $context.Response.StatusCode = 404
            [string]$html = 'not found'
            $served = $false
        }

        # respond to the request
        $buffer = [System.Text.Encoding]::UTF8.GetBytes($html) # convert text to bytes
        $context.Response.ContentLength64 = $buffer.Length
        $context.Response.OutputStream.Write($buffer, 0, $buffer.Length) # stream to client
        $context.Response.OutputStream.Close() # close the response

        # one challenge served; shut the listener down (a stray 404 keeps it running)
        if ($served) { $http.Stop() }
    } else {
        # answer anything else so the client does not hang waiting on an open context
        $context.Response.StatusCode = 404
        $context.Response.Close()
    }
}

This looks great, however Certify 4.x already has a built in http challenge listener which temporarily spins up to answer http challenges, so technically IIS is not required either, although in the original versions IIS was the main focus.

How do you use the built in Http challenge listener? I see it’s enabled in my options, but there’s nothing in the Authorization settings that is intuitive for it.

If you have it enabled under Settings and you are performing an http challenge it will be used automatically unless it fails to bind the listener (usually if a non-http.sys server is running on port 80). It sits in front of IIS etc. It was added because getting IIS to serve the extension-less txt challenge response is a bit hit or miss depending on the web app config.
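A pre-flight check for the two failure modes discussed in this thread (the listener cannot bind port 80, or the name does not reach this host), written as an added example; it is not code from the original post or from Certify the Web. It binds an HttpListener on the given hostname, serves a constructed "configcheck" token from a temp folder and fetches it back over HTTP; the hostname, the temp path and the token value are assumptions.

```powershell
# Added example (not from the thread or the Certify the Web project).
# Run elevated: binding a hostname prefix on port 80 needs admin rights or a urlacl.
param(
    [string]$HostName = 'rs.yourdomain.org',            # assumed hostname
    [string]$WebRoot  = "$env:TEMP\acme-preflight"      # assumed scratch folder
)

$token = 'configcheck'                                   # constructed token name
$dir   = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir $token) -Value 'preflight-ok' -NoNewline

$http = New-Object System.Net.HttpListener
$http.Prefixes.Add("http://$($HostName):80/")
try {
    $http.Start()   # fails here when a non-http.sys server already owns port 80
} catch {
    Write-Host "Cannot bind port 80: $($_.Exception.Message)"
    Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { "  listening pid $($_.OwningProcess): $((Get-Process -Id $_.OwningProcess).ProcessName)" }
    return
}

# Fetch the token from a background job, the way an ACME server would.
$url   = "http://$HostName/.well-known/acme-challenge/$token"
$fetch = Start-Job -ScriptBlock { param($u) (Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15).Content } -ArgumentList $url

# Wait for the request with a timeout instead of blocking in GetContext() forever.
$async = $http.BeginGetContext($null, $null)
if (-not $async.AsyncWaitHandle.WaitOne(20000)) {
    $http.Stop()
    "No request arrived within 20s: DNS for $HostName may not point at this host"
    return
}
$context = $http.EndGetContext($async)

# Same token validation as a hardened responder: last segment, token charset, file must exist.
$name = $context.Request.RawUrl.Split('/')[-1]
$path = Join-Path $dir $name
if ($name -match '^[A-Za-z0-9_-]+$' -and (Test-Path $path)) {
    $bytes = [Text.Encoding]::ASCII.GetBytes((Get-Content $path -Raw))
    $context.Response.ContentType = 'text/plain'
} else {
    $context.Response.StatusCode = 404
    $bytes = [Text.Encoding]::ASCII.GetBytes('not found')
}
$context.Response.ContentLength64 = $bytes.Length
$context.Response.OutputStream.Write($bytes, 0, $bytes.Length)
$context.Response.OutputStream.Close()
$http.Stop()

$body = Receive-Job -Job $fetch -Wait -AutoRemoveJob
if ($body -eq 'preflight-ok') { 'http-01 pre-flight OK: token bound, served and fetched on port 80' }
else { "http-01 pre-flight FAILED: got '$body'" }
```

A passing result proves the listener can bind and answer; because the fetch runs on the same machine it does not prove the public DNS record reaches this host from outside the network.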