Non-iis http-01 challenge response


#1

While digging into managing SSRS certificates, I spent a bit of time on using powershell to serve the http-01 challenge response, as my SSRS 2017 server does not have IIS installed. (SSRS was switched to HttpListener a few releases ago)

Ultimately I was able to use dns-01 as my domain is on cloudflare, but it could be useful for Certify the Web to provide some kind of temporary hosting for http-01 challenges, either directly in the app, or by an “On-request” powershell script. I was able to successfully serve a challenge request with this script:

# Http Server
$http = New-Object System.Net.HttpListener

# Hostname and port to listen on
$http.Prefixes.Add("http://rs.yourdomain.org:80/")

# Start the Http Server
$http.Start()

# Log ready message to terminal
if ($http.IsListening) {
    #write-host " HTTP Server Ready!  " -f 'black' -b 'green'
}

while ($http.IsListening) {
    # GetContext() blocks until a request arrives
    $context = $http.GetContext()

    # http://./.well-known/acme-challenge/configcheck
    if ($context.Request.HttpMethod -eq 'GET' -and $context.Request.RawUrl.StartsWith('/.well-known/acme-challenge/')) {

        # We can log the request to the terminal
        #write-host "$($context.Request.UserHostAddress)  =>  $($context.Request.Url)" -f 'mag'

        # last path segment is the challenge token
        $fileName = $context.Request.RawUrl.Split('/')[-1]

        # the html/data you want to send to the browser (the key authorization written by the client)
        [string]$html = Get-Content "C:\scripts\certifytheweb\.well-known\acme-challenge\$fileName" -Raw

        # respond to the request
        $buffer = [System.Text.Encoding]::UTF8.GetBytes($html) # convert html to bytes
        $context.Response.ContentLength64 = $buffer.Length
        $context.Response.OutputStream.Write($buffer, 0, $buffer.Length) # stream to browser
        $context.Response.OutputStream.Close() # close the response

        # stop listening after the first challenge request has been answered
        $http.Stop()
    }
}
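A hardened variant of the same HttpListener approach, added here as an example rather than taken from the post above or from Certify the Web. It only serves tokens that match the ACME base64url alphabet (so a request like `/.well-known/acme-challenge/..%5Cfoo` gets a 404 instead of a file read), keeps listening for a bounded time instead of stopping after the first hit, and answers everything else with 404. The host name, challenge directory and timeout are placeholders; like the original, it needs to run elevated or have a URL ACL reserved for the prefix.

```powershell
param(
    [string]$ChallengeDir   = 'C:\scripts\certifytheweb\.well-known\acme-challenge',
    [string]$Prefix         = 'http://rs.yourdomain.org:80/',   # placeholder host name
    [int]$TimeoutSeconds    = 300
)

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add($Prefix)
$listener.Start()
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)

while ($listener.IsListening -and (Get-Date) -lt $deadline) {
    # GetContext() would block forever; a bounded async wait lets the deadline apply
    $task = $listener.GetContextAsync()
    if (-not $task.Wait(5000)) { continue }
    $ctx = $task.Result
    $req = $ctx.Request
    $res = $ctx.Response
    try {
        # Accept only GET on the ACME path with a single base64url token segment.
        # '..', extra segments or encoded separators fail the regex and get a 404.
        if ($req.HttpMethod -eq 'GET' -and
            $req.Url.AbsolutePath -match '^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$' -and
            (Test-Path -LiteralPath (Join-Path $ChallengeDir $Matches[1]) -PathType Leaf)) {
            # Send the key authorization bytes exactly as the client wrote them
            $body = [IO.File]::ReadAllBytes((Join-Path $ChallengeDir $Matches[1]))
            $res.StatusCode  = 200
            $res.ContentType = 'text/plain'
        } else {
            $body = [Text.Encoding]::ASCII.GetBytes('not found')
            $res.StatusCode = 404
        }
        $res.ContentLength64 = $body.Length
        $res.OutputStream.Write($body, 0, $body.Length)
    } finally {
        # Always close the response so a failed read cannot leave the client hanging
        $res.Close()
    }
    # Keep serving: the CA may fetch the token more than once before it is satisfied
}
$listener.Stop()
```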

#2

This looks great, however Certify 4.x already has a built-in http challenge listener which temporarily spins up to answer http challenges, so technically IIS is not required either, although in the original versions IIS was the main focus.


#3

How do you use the built-in Http challenge listener? I see it’s enabled in my options, but there’s nothing in the Authorization settings that is intuitive for it.


#4

If you have it enabled under Settings and you are performing an http challenge it will be used automatically unless it fails to bind the listener (usually if a non-http.sys server is running on port 80). It sits in front of IIS etc. It was added because getting IIS to serve the extension-less txt challenge response is a bit hit or miss depending on the web app config.