Azure Web Apps and Buying an SSL Certificate

Published On: 2020-10-26 By: Denny

Every public website needs an SSL (TLS) certificate these days. When your website runs on a virtual machine, getting the .cer or .crt file from the company you buy the certificate from is easy: you log into the VM, create the private key and the CSR there, and hand the CSR to the vendor. With an Azure Web App it isn't as straightforward, because there is no VM to log into, so the key and the CSR have to be created somewhere else.

The first step is to install OpenSSL on your computer. I recommend the full install; it will make your life easier. Once OpenSSL is installed, find the OpenSSL Command Prompt on your Start menu.

Once you have a command prompt open, use openssl to create the private key and the CSR that you will give to the company you purchase the certificate from. The command below does both. Note that -nodes writes the key file unencrypted, so keep it somewhere safe: anyone who has that file can impersonate your site once the certificate is issued.

openssl req -new -newkey rsa:2048 -nodes -keyout {key file} -out {CSR file}

Once that's done, purchase your certificate from your preferred vendor and send them the CSR file the command created (the CSR only, never the key file). The vendor will send back a few certificate files. In my case I purchased our certificate from DigiCert, and DigiCert sent me three files.

Open each of these files in Notepad and copy the text into a single new file. The order matters: your own certificate first (www_dcac_co.crt in my case), then any intermediate certificates (DigiCertCA.crt in my case), then the root certificate (TrustedRoot.crt in my case). The file should look like this:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<the entire Base64 encoded intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<the entire Base64 encoded root certificate>
-----END CERTIFICATE-----

After this is done, save the file (I called it dcac.crt). Then use openssl to combine this merged file with the key file you created in the first step into a PFX file, which I called dcac.pfx, using the command below. OpenSSL will ask you for a password to protect the file; you will need that password again when you upload the PFX to Azure, because it is the only thing protecting the private key inside it.

openssl pkcs12 -export -out dcac.pfx -in dcac.crt -inkey {Key file}

Once you have the PFX file, go to the Azure portal and open the Web App that needs the certificate. Select the TLS/SSL settings menu option; on the blade that opens, select the "Private Key Certificates (.pfx)" tab and then "Upload Certificate".

In the form that opens, select the PFX file you created and enter the password you chose when creating it (if you have forgotten the password, that's fine, just run the final openssl command again). Once the file is uploaded, switch to the "Bindings" tab and bind the hostnames of your website to the certificate you just imported.
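The whole procedure above as one script, with a check after each step. This is an added example, not from the original post: since nobody can script a purchase from DigiCert, a throwaway local root CA stands in for the commercial CA that would sign the CSR, and the hostname www.example.com, the file paths and the APP/RG names in the Azure CLI function are assumptions. It is written for a Linux/macOS shell; the openssl commands are the same in the OpenSSL Command Prompt on Windows.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> chain -> PFX with a
# check after each step. A throwaway local root CA stands in for the commercial
# CA that signs the CSR you send it. HOST, file names and the Azure names used
# in upload_to_azure are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"   # assumed hostname; use your own

# Step 1: unencrypted (-nodes) private key plus CSR. The key never leaves this
# machine; guard the file and delete it once the PFX has been uploaded.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  # Check the CSR's self-signature and contents before paying for a certificate.
  openssl req -in "$WORK/site.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for the commercial CA: a short-lived local root signs the CSR. With a
# real purchase this happens on the vendor's side and you get the leaf,
# intermediate and root files back.
fake_ca_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/TrustedRoot.crt" \
    -subj "/CN=Local test root (trusted by nobody)" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/site.csr" \
    -CA "$WORK/TrustedRoot.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/site.crt" 2>/dev/null
}

# Step 2: concatenate leaf, then intermediate(s), then root, in that order.
build_chain() {
  cat "$WORK/site.crt" > "$WORK/chain.crt"
  # A real chain has the intermediate here, e.g.: cat DigiCertCA.crt >> chain.crt
  cat "$WORK/TrustedRoot.crt" >> "$WORK/chain.crt"
  # The chain must validate back to the root ...
  openssl verify -CAfile "$WORK/TrustedRoot.crt" -untrusted "$WORK/chain.crt" \
    "$WORK/site.crt" >/dev/null 2>&1
  # ... and the leaf's public key must belong to our private key. A mismatch
  # here (wrong key file) is the usual reason a PFX is rejected at upload.
  [ "$(openssl x509 -in "$WORK/site.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/site.key" -pubout | openssl sha256)" ]
}

# Step 3: PFX. The password is passed in instead of prompted so this can run
# unattended; it is the password the Azure portal asks for on upload.
# Prints the number of certificates the PFX carries (leaf + chain).
build_pfx() {
  openssl pkcs12 -export -in "$WORK/chain.crt" -inkey "$WORK/site.key" \
    -out "$WORK/site.pfx" -passout "pass:$1"
  openssl pkcs12 -in "$WORK/site.pfx" -nokeys -passin "pass:$1" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Portal-free equivalent of the upload and binding steps (Azure CLI; not run
# here). APP and RG are placeholders for your Web App and resource group.
upload_to_azure() {
  thumb=$(openssl x509 -in "$WORK/site.crt" -noout -fingerprint -sha1 \
    | sed 's/.*=//; s/://g')
  az webapp config ssl upload --name "$APP" --resource-group "$RG" \
    --certificate-file "$WORK/site.pfx" --certificate-password "$1"
  az webapp config ssl bind --name "$APP" --resource-group "$RG" \
    --certificate-thumbprint "$thumb" --ssl-type SNI
}

run_example() {
  make_key_and_csr && fake_ca_sign && build_chain
  echo "PFX holds $(build_pfx 'Str0ng-Pa55-word') certificates: $WORK/site.pfx"
}

run_example
```

Run it as HOST=www.yourdomain.com sh build-pfx.sh; in real use replace fake_ca_sign with the files your vendor sends and drop them into build_chain in the order shown. If the Azure upload rejects a PFX built with OpenSSL 3, add -legacy to the openssl pkcs12 -export line: OpenSSL 3 encrypts the PFX contents with AES-256/PBKDF2 by default, and Windows-based certificate stores may only accept the older 3DES/SHA-1 encoding. Delete site.key once the PFX is uploaded; the PFX contains the key, and the PFX password is all that protects it.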

That's it. The next time someone views your website they will see the new certificate.

Denny

Contact the Author | Contact DCAC

Azure Site to Site VPN Blocking Some Traffic

Published On: 2020-10-19 By: Denny

I ran across an interesting problem a couple of weeks ago while working with a client. The client has several subsidiaries, each with its own vNet, joined by a Site to Site VPN between the Azure vNets. All traffic was crossing the VPN as expected except for one thing: a software licensing server running in one subsidiary's Azure environment. The licensing software simply wasn't working across the VPN.

We fired up Wireshark on the Azure VM running the software and on the Azure VM running the licensing server. On the client VM we could see the software trying to talk to the licensing server. On the licensing server we could see the connection request come in, and we could see the response go back out toward the client. But on the client VM that response never arrived, so the traffic was getting blocked somewhere in between. We had no network security groups in the path and no software firewalls, so nothing should have been blocking it.

We looked at the response coming from the licensing server, and it had the Don't Fragment (DF) bit set. The odd thing was that the packet was only about 1430 bytes, well under the 1500-byte MTU, so at first glance there was no reason for it to be fragmented. The catch is that the VPN gateway wraps every packet in IPsec before sending it through the tunnel, and that encapsulation adds enough overhead to push a 1430-byte packet past 1500 bytes on the outside of the tunnel; with DF set, the gateway has to drop the packet instead of fragmenting it. This is the reason Microsoft's guidance for Azure VPN tunnels is to clamp TCP MSS to 1350 bytes. The flag was being set inside the vendor's software, so we had no way to remove it.

We fixed it by replacing the Site to Site VPN with VNet peering between the two vNets. Peered vNets exchange traffic over the Azure backbone with no tunnel in the way, so there is no encapsulation overhead, and once the connection was a peer the licensing process worked as expected.

So if you have software that sets the DF bit on packets close to the MTU and you can't lower the MTU or clamp MSS on the sending side, an Azure Site to Site VPN isn't going to work for you. If everything is in Azure, VNet peering works where the Site to Site VPN doesn't.
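To see why a 1430-byte packet that "fits in 1500 bytes" still dies on the tunnel, here is the encapsulation arithmetic, plus a probe that finds the largest DF packet a tunnel actually passes. This is an added example, not part of the original post. The overhead figures assume ESP tunnel mode with AES-CBC and HMAC-SHA-256 behind NAT-T (UDP 4500), a common Azure IKEv2 proposal; other proposals shift the numbers by a few bytes but not the conclusion.

```shell
#!/bin/sh
# Added example, not from the original post: bytes-on-the-wire arithmetic for
# an IPsec tunnel and a path-MTU probe. Overhead assumes ESP tunnel mode with
# AES-CBC + HMAC-SHA-256 behind NAT-T; adjust the constants for your proposal.
set -eu

# Size of the outer packet after the gateway encapsulates an IP packet of $1 bytes.
esp_encap_len() {
  inner=$1
  blk=16                      # AES block size: ESP pads the payload to this
  body=$(( inner + 2 ))       # inner packet + pad-length + next-header bytes
  pad=$(( (blk - body % blk) % blk ))
  # outer IPv4 20 + UDP (NAT-T) 8 + ESP SPI/seq 8 + IV 16 + body + ICV 16
  echo $(( 20 + 8 + 8 + 16 + body + pad + 16 ))
}

# "fits" or "dropped": a DF-set inner packet of $1 bytes against an outer MTU of $2.
df_verdict() {
  if [ "$(esp_encap_len "$1")" -le "$2" ]; then echo fits; else echo dropped; fi
}

# Live check (Linux ping; not run here): binary-search the largest DF packet
# that crosses the tunnel to $1. On Windows the equivalent is ping -f -l <size>.
probe_tunnel_mtu() {
  host=$1; lo=1200; hi=1500
  while [ $(( hi - lo )) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    # -s is the ICMP payload; IP + ICMP headers add 28 bytes to the packet
    if ping -c1 -W1 -M do -s $(( mid - 28 )) "$host" >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  echo "$lo"
}

echo "1430-byte inner packet with DF: $(df_verdict 1430 1500) ($(esp_encap_len 1430) bytes on the wire)"
echo "1390-byte inner packet (TCP MSS 1350, Azure's recommended clamp): $(df_verdict 1390 1500) ($(esp_encap_len 1390) bytes on the wire)"
```

The 1430-byte response grows to 1508 bytes once encapsulated, eight bytes over the outer 1500-byte MTU, which is exactly the case where DF turns a working link into a black hole. The 1350 MSS Microsoft recommends gives 1390-byte IP packets that encapsulate to 1460 bytes and pass. Run probe_tunnel_mtu against the far side to measure the real limit of your tunnel rather than trusting the arithmetic.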

Denny


5 Steps to Make WordPress Faster

Published On: 2020-10-12 By: Denny

If you've been working with WordPress for a while, you know it's a pretty solid platform for blogging and publishing content.

However, the WordPress database was clearly designed by developers without a DBA involved. And this isn't just WordPress core; it goes for some of the plugins as well.

I have Query Monitor installed on our WordPress site, and it flags slow queries every once in a while. So I looked at those queries and at the indexes on the database to see what I could do about them.

Needless to say, there are a few indexes that needed to be added.

I'm assuming that you are using the default wp_ prefix on all your tables. If you are using a different prefix, adjust the table names in these index creation scripts. Take a backup before you start, and run these during a quiet period: building an index on a large table takes time and I/O.

The first one is against the wp_options table.

create index dcac_option_name_autoload on wp_options (option_name, autoload);

The next one to create is against wp_term_taxonomy.

create index dcac_taxonomy on wp_term_taxonomy (taxonomy, term_taxonomy_id, term_id, parent, count, description(400));

The third index to be created against one of the WordPress tables is against the wp_terms table.

create index dcac_name on wp_terms (name, term_id, slug, term_group, term_order);

The fourth and fifth indexes are against one of the Yoast SEO plugin's tables, but since most people have Yoast installed, you'll want these as well. If you don't run Yoast, the two statements will simply fail because the table doesn't exist.

create index dcac_id_permalink_update_at on wp_yoast_indexable (id, permalink(10), updated_at);
create index dcac_object_type on wp_yoast_indexable (object_type, object_sub_type);
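Running the five statements by hand works, but a script that substitutes your table prefix, skips indexes that already exist (MySQL has no CREATE INDEX IF NOT EXISTS) and then checks with EXPLAIN that MySQL actually uses the new index is safe to re-run. The script below is an added example, not from the original post: the database name, the credentials file and the WP_PREFIX variable are assumptions, and only apply_indexes and explain_autoload talk to a server.

```shell
#!/bin/sh
# Added example, not from the original post: applies the post's five indexes
# with the table prefix substituted, skipping any that already exist, and
# verifies with EXPLAIN. DB name, credentials file and prefix are assumptions.
set -eu

PREFIX="${WP_PREFIX:-wp_}"
DB="${WP_DB:-wordpress}"
# Credentials live in ~/.my.cnf so they never appear in argv or shell history.
MYSQL="${MYSQL:-mysql --defaults-extra-file=$HOME/.my.cnf}"

# One "index_name|table (without prefix)|column list" per line; the prefix is
# applied in index_sql. Column lists are the post's, verbatim.
INDEXES='dcac_option_name_autoload|options|option_name, autoload
dcac_taxonomy|term_taxonomy|taxonomy, term_taxonomy_id, term_id, parent, count, description(400)
dcac_name|terms|name, term_id, slug, term_group, term_order
dcac_id_permalink_update_at|yoast_indexable|id, permalink(10), updated_at
dcac_object_type|yoast_indexable|object_type, object_sub_type'

# CREATE INDEX statement for one line of $INDEXES, with the prefix applied.
index_sql() {
  name=${1%%|*}; rest=${1#*|}; table=${rest%%|*}; cols=${rest#*|}
  printf 'CREATE INDEX %s ON %s%s (%s);\n' "$name" "$PREFIX" "$table" "$cols"
}

# Existence check against information_schema, so re-running is harmless.
index_exists_sql() {
  name=${1%%|*}; rest=${1#*|}; table=${rest%%|*}
  printf "SELECT COUNT(*) FROM information_schema.statistics WHERE table_schema='%s' AND table_name='%s%s' AND index_name='%s';\n" \
    "$DB" "$PREFIX" "$table" "$name"
}

# Creates each missing index; prints what it did. Talks to the server.
apply_indexes() {
  printf '%s\n' "$INDEXES" | while IFS= read -r line; do
    if [ "$($MYSQL -N -e "$(index_exists_sql "$line")")" -gt 0 ]; then
      echo "skip: ${line%%|*} already exists"
    else
      $MYSQL -D "$DB" -e "$(index_sql "$line")" && echo "created: ${line%%|*}"
    fi
  done
}

# The autoload query WordPress runs on every page load. After apply_indexes,
# the 'key' column of the EXPLAIN output should name an index, not NULL.
explain_autoload() {
  $MYSQL -D "$DB" -e "EXPLAIN SELECT option_name, option_value FROM ${PREFIX}options WHERE autoload = 'yes';"
}

# Dry run: print the statements that would be executed for this prefix.
printf '%s\n' "$INDEXES" | while IFS= read -r line; do index_sql "$line"; done
```

Run it once as a dry run to review the statements for your prefix, then call apply_indexes followed by explain_autoload. If the key column in the EXPLAIN output stays NULL for a query you care about, the index isn't helping that query and is only costing write overhead, so drop it.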

These indexes should help your WordPress site work more efficiently, since the MySQL database behind it can find the data it needs for each page without scanning whole tables.

None of these indexes is going to shave whole seconds off your page load time, but if each saves 100-200 milliseconds, that's close to a second in total, and that's a decent amount for queries that run on every page load.

As I run across more indexes that need to be created, I’ll post them as I can.

There are a variety of ways to run SQL scripts against your WordPress database; if you aren't sure how, check with your hosting provider.

Looking to move your WordPress website to Microsoft Azure? The team at DCAC can help you migrate to a Cloud Services solution.

Denny


UniFi Routers, VMware vSphere and vLAN Fun

Published On: 2020-10-05 By: Denny

Recently we upgraded the networking in our colo from our existing NetGear switches, bought off eBay and with not all of their features working correctly, to a brand new (actually purchased new) Ubiquiti network stack. We went with Ubiquiti because they have a really good reputation and a fantastic price point, and the UI is simple to use while giving us all of the features we were looking for.

Like any good IT deployment, we hit a snag when pushing out our network configuration. All of our servers have 10 Gig network cards, and our SAN has 10 Gig cards for its NFS shares (we are a VMware vSphere shop), so we have a dedicated storage network. We also wanted to put our VMs on the 10 Gig cards, as they had been on 1 Gig ports and we wanted more bandwidth available to them.

The UniFi software on the Ubiquiti equipment has two kinds of network. There is the base (default) network, which we set up as our management network. Any other network has to be configured with a VLAN ID. We had a few to set up: our Infrastructure network, which we gave VLAN 4; our Storage network, which we gave VLAN 5; and our lab, which we gave VLAN 100.

Our VMware hosts each have a dedicated NIC for their management ports, so the management network didn't need to be reachable from the NICs the VMs were going to use. Within the UniFi software I created what is called a port profile, which can carry several networks, so a single switch port can be on multiple subnets; that was exactly what I wanted. I wanted the 10 Gig ports and their NICs on the Storage, Infrastructure, and Lab networks, so I created a single port profile containing all three. As you can see from the screenshot below, when you do this you select a native network for the port profile.

After I got this set up, I was getting weird responses from the VMs and from the VMware hosts trying to talk to the storage. I had put VLAN IDs on all of these networks in VMware as well, but things still weren't talking correctly.

It turns out that whatever network you configure as the native network is sent untagged on that port, so within VMware you don't put a VLAN ID on its port group (leave it at 0). In my case the Storage port group in VMware gets no VLAN ID while the other networks do, even though the storage network has VLAN ID 5 within the UniFi OS.

Once I did that, the storage for the VMs worked perfectly and all the VM subnets worked as expected.
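The rule from the post (native network untagged, so VLAN ID 0 in vSphere; everything else keeps its tag) is easy to get wrong on the second host, so here it is encoded as a script that derives the vSphere port-group VLAN IDs from the UniFi port profile and prints the esxcli commands that apply them. This is an added example, not from the original post; the network names and VLAN numbers are taken from the setup described above, and the vSwitch name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: turns a UniFi port profile into the
# matching vSphere port-group VLAN settings and prints the esxcli commands that
# apply them. The native network of the profile arrives untagged, so its port
# group gets VLAN ID 0 in vSphere; all other networks keep their UniFi VLAN tag.
# Network names and VLAN numbers come from the post; the vSwitch name is assumed.
set -eu

VSWITCH="${VSWITCH:-vSwitch1}"   # the vSwitch on the 10 Gig uplinks (assumed)
NATIVE="${NATIVE:-Storage}"      # the network marked native in the port profile
NETWORKS="Infrastructure:4 Storage:5 Lab:100"   # name:vlan, as in the post

# VLAN ID the vSphere port group must use for a UniFi network in the profile.
vsphere_vlan_for() {
  for entry in $NETWORKS; do
    name=${entry%%:*}; vlan=${entry#*:}
    if [ "$name" = "$1" ]; then
      if [ "$name" = "$NATIVE" ]; then echo 0; else echo "$vlan"; fi
      return 0
    fi
  done
  echo "not in the port profile: $1" >&2
  return 1
}

# esxcli commands that create one port group and set its VLAN ID.
portgroup_cmds() {
  printf 'esxcli network vswitch standard portgroup add --portgroup-name=%s --vswitch-name=%s\n' \
    "$1" "$VSWITCH"
  printf 'esxcli network vswitch standard portgroup set --portgroup-name=%s --vlan-id=%s\n' \
    "$1" "$(vsphere_vlan_for "$1")"
}

# Commands for every network in the profile, to review or to pipe to a host:
#   render_all | ssh root@esxi-host sh
# Check the result afterwards with: esxcli network vswitch standard portgroup list
render_all() {
  for entry in $NETWORKS; do portgroup_cmds "${entry%%:*}"; done
}

render_all
```

One caveat worth keeping in mind: untagged (native) traffic on a trunk is what double-tagging VLAN-hopping attacks rely on, so many shops set the native network of a trunk to an otherwise unused VLAN and tag every real network, including storage. With that layout every port group in vSphere gets an explicit VLAN ID, and the rule above reduces to "no port group on VLAN 0"; the script handles that by changing NATIVE to a network that carries nothing.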

Denny
