In this tutorial, you will learn how to configure Umbraco to work using HTTPS. Getting Umbraco to work over HTTPS is relatively straight-forward. The first thing that you will need is an SSL certificate. There are a number of different ways of purchasing an SSL certificate, I tend to use, SSL.COM.
To generate a certificate you will need to generate a CSR. A certificate signing request (CSR) is a key that you generate from within your own hosting companies control panel. The CSR key is used to associate your domain name with an SSL key. Combined this creates an added layer of security, as the SSL cert can only be used with the correct domain.
To generate a CSR you will need to set the common name. The common name will be the domain name AND its qualifier.
non-www will be treated differently:
The common name for https://www.website.com would be www.website.com
The common name for https://website.com would be website.com
To make life easier, instead of being forced into picking an option, you can use a wildcard for the common name like this,
*.website.com. Using a wildcard is the easiest option and it is the path that I recommend you take. After getting an SSL cert, your next task will be to install it on your web server. The process of how to install a cert will obviously depend on your domain provider, however, the setup should be fairly simple
Configuring Umbraco to work with HTTPS is pretty easy. To make the Umbraco back-end run correctly, within the
web.config ensure that the setting
UseHttps is set to true.
Next, you will need to define a redirect rule that will force anyone who tries to access your site using HTTP to use HTTPS. The rule to do this will look like this:
Another thing you should worth checking is if any hostnames are defines within the culture and hostname section. If your domain has been added, you will need to make sure the correct prefix is added, e.g.
If you use a CDN, like Cloudflare, you will need to make sure that your DNS is set up correctly: There are two things you will need to ensure
The DNS is correct for
non-wwwusing an A-record name and a CNAME:
A-record the server IP. There will only be one A-record
CNAME any alias you use on the site, like `www.website.com', or, 'api.website.com'. This can point to either a hostname or, a hostname
Within the SSL/TLS tab, update your Cloudflare SSL mode to Full strict mode. If you do not do this then you will get an infinite redirect
If you encounter redirect issues, a useful tool you can use to debug issues is called https://redirectdetective.com. This tool will map out all the re-directs it encounters. This is handy to quickly visualize if you are getting successful 301s or unexpected 303 errors
If you encounter a redirect error. Create a simple HTML page and upload it to your website, like so:
If the page loads then you have a Umbraco issue. If it does not you have a DNS issue.