Serving verification files from memory and Static files in IIS

I’ve searched the forum on how serving verification files from memory works when using IIS but I can’t seem to find an answer to this one. I’m using WACS in Windows with IIS 8.

As I understand with the previous versions (winsimple) I know that the verification files were stored in a .wellknown folder and one needed to configure the IIS server to serve Static files otherwise it won’t be able to verify that the files were written.

Now with the new WACS (v2 Let’s Encrypt) there’s a new feature I’m using, Serve verification files from memory. What I’m trying to find out is: do I still need to allow IIS to serve Static files / files without extensions or can I disable that (since it’s a security issue)?

Hi @hunnypuppy

please explain that.

2 Likes

If static files are configured in the IIS handler configuration it allows people to “guess” a filename and then access them from a browser (IIS will serve them). I’m facing this issue currently and would like to disable the Static file handler but am worried that it’ll break Let’s Encrypt renewal (currently set to using the memory option as explained above).

That’s wrong. If the file doesn’t exist, nothing happens, a http status 404.

If you save important files in your webroot, you should change that.

That’s only a problem if there are much more critical problems.

PS: Server-Daten allows extensionless files (that’s an IIS). Try it with the “check-your-website”.

2 Likes

That’s not an option unfortunately. Some ASP.NET projects keep files in the root by default. I want to restrict them. I appreciate your comments however this is outside the scope of my original question.

My original question was related to the working of Let’s Encrypt and its requirements. Do I need to enable Static file handler while using the “Serving verification from memory” option to renew certificates? I just need to know so I can configure IIS accordingly. If it’s required I’ll leave it on, if not I would prefer to disable it. Thanks.

1 Like

Any thoughts on if it requires static files configured to work with the memory option?

Oddly interesting, no one knows the answer to how serving verification files from memory works.

You are misunderstanding something completely.

This

isn’t defined. It’s a global configuration question, not, if there is a file or an application answer. Or better: Every “file answer” is an application answer that loads that file.

So the answer isn’t relevant. It’s your configuration that works or that doesn’t work. And no one knows your configuration.

1 Like

Thanks for the response. So what information would I need to provide to help you understand my setup, which then hopefully will help me answer my question about static files?

I’m not clear about what your statement about “file answer” above means exactly. My understanding of how WACS works is that it authenticates with Let’s Encrypt for a particular site and then it needs to provide a unique key back to Let’s Encrypt which needs to be publicly accessible (that’s about the extent of my basic understanding), which in turn is served by IIS (or not?)
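
An added illustration, not part of the thread and not WACS's own code: a minimal Python sketch of what answering the HTTP-01 challenge "from memory" means, with the response built from an in-memory table instead of a file under the web root. The class and function names are hypothetical and the token values are constructed; whether such a listener receives the request ahead of IIS depends on the server setup and is not shown here.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path prefix used by the ACME HTTP-01 challenge (RFC 8555).
PREFIX = "/.well-known/acme-challenge/"


class ChallengeStore:
    """Hypothetical in-memory table: challenge token -> key authorization."""

    def __init__(self):
        self._pending = {}

    def add(self, token, key_authorization):
        self._pending[token] = key_authorization

    def remove(self, token):
        # Drop the entry once validation has finished.
        self._pending.pop(token, None)

    def respond(self, path):
        """Return (status, body) for a request path without touching disk."""
        path = path.split("?", 1)[0]
        if not path.startswith(PREFIX):
            return 404, b""
        token = path[len(PREFIX):]
        # Exact-match lookup only: a guessed name or "../" sequence is just
        # an unknown key, because no filesystem path is ever built from it.
        body = self._pending.get(token)
        if body is None:
            return 404, b""
        return 200, body.encode("ascii")


def make_handler(store):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = store.respond(self.path)
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


if __name__ == "__main__":
    store = ChallengeStore()
    # Constructed sample values; a real key authorization is
    # "<token>.<base64url SHA-256 thumbprint of the account key>".
    store.add("constructed-token", "constructed-token.constructed-thumbprint")
    HTTPServer(("127.0.0.1", 8080), make_handler(store)).serve_forever()
```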

You don’t know the basics. Check it. If it works, be happy. If not, be unhappy.

I don’t know your configuration, I don’t know your running application. So it’s completely impossible to know an answer. And it’s not my job to analyze your curious problem because you are not willing to use the standard solution - allowing extensionless files.

That’s a self-produced problem - so find a solution or accept that there is no solution.

1 Like