Rick Strahl's Web Log


Using Let's Encrypt with IIS on Windows


Let's Encrypt is a new open source certificate authority that promises to provide free SSL certificates in a standardized, API accessible and non-commercial way. If you've installed SSL certificates in the past, you're probably familiar with the process of signing up for a certificate with some paid for provider and then going through the manual process of swapping certificate requests and completed requests.

Let's Encrypt is based on a set of open service APIs that can be implemented on any platform and create certificates for Web servers including IIS. This seems like a fabulous idea, given that securing your site if you have any sort of authenticated access is an absolute requirement. It's not so much the money that's a problem since basic SSL certificates these days even from paid providers are relatively cheap (I use DnSimple both for domain management and SSL certificates), but the fact that you can completely automate the process of SSL creation and management is a huge win. This has both upsides and downsides actually and I'll talk about that at the end of the article. To be clear – I'm not a network admin and I don't have extensive experience managing certificates on a large number of sites, so in this post I cover a few basic scenarios that I deal with in my own sites hosted on my own hosted servers.

Windows and IIS – not a first class citizen

I've followed the development of Let's Encrypt with interest, but there wasn't much to try initially as there was no implementation directly available for Windows. Last week I ran into Nik Molnar's post that points at some of the tools available for Windows using PowerShell, the Command Line and even the beginnings of a Windows UI based tool. Nik then goes on to describe an Azure plug-in implementation that can automatically register and renew Let's Encrypt certificates.

However I was more interested in the IIS pieces rather than Azure as I don't use Azure and host on IIS, so over the weekend I took these tools for a spin to see what's really involved in getting Let's Encrypt to work with my IIS sites. This post is a summary of what I found.

What's available on Windows

As is often the case with open tools, Windows is always the afterthought rather than the norm when it comes to open networking and security tools. So when Let's Encrypt initially went to beta there was no Windows support. However, now that it's been in beta for a while there are a few tools available that provide wrappers for the Automated Certificate Management Environment (ACME) API.

There are a number of options available:

  • **LetsEncrypt-Win-Simple**
    Currently this seems like the easiest solution to getting new certificates installed into IIS quickly and easily. This Windows command line utility includes an 'interactive' mode that lets you pick a host headered Web site on your server; it then goes out, creates the certificate and installs it into IIS in one seamless operation. This works great for manual installation or simple scripted installs. It's by far the easiest solution I tried so far.
  • **ACMESharp PowerShell Commands**
    ACMESharp is a PowerShell library that provides access to many (but not yet all) commands of the ACME API. Unlike the Win-Simple approach, using the ACMESharp library requires a bit of scripting with some logic you have to write yourself, but you get a lot of control over the process and the ability to create and save the intermediate certificates.
  • **Certify**
    This is a GUI implementation of the ACME API that promises to provide interactive ACME certificate management. Currently this tool is pretty rough, but improvements are coming and each new version seems to improve significantly. It's a great way to visually see certificates and obviously much easier for those that don't want to futz around with lots of command line foo.

To be clear, all of these tools are in very early release stages and so they are a bit rough with features missing… and that's to be expected. This stuff is new. Let's Encrypt itself is in beta and these tools build on top of that base stack. But nevertheless I was able to use all of these tools to register certificates, so you can get started today using Let's Encrypt on your own IIS Web sites.

What's missing in all tools currently is administration. You can't revoke or remove certificates and there's no way to clear out certificates on the remote servers. While testing I ended up hitting a limit of certificates registered on one of my sites and then couldn't go further with that site as I can't remove/revoke any of the certs. Natch.

Because of this, I recommend if you plan to play with these tools, create a new host headered test site or sites with valid internet accessible domain names and play with that site before you update and add certificates to any live sites you care about. Once you figure out how things work it's easy to get certificates installed on a live site.

The Easy Way: LetsEncrypt-Win-Simple

By far the easiest way to create and install a new certificate is LetsEncrypt-Win-Simple. This tool runs from the command line and has a few very easy to understand options. Basically you pick a site from the list of active Web sites using host headers on your server and the utility goes out and creates a certificate for you, creates an https binding and attaches the certificate. If there's already a certificate there the certificate is replaced with the new one.

This tool is basically wrapping up all the intermediate steps of creating a registration, domain and certificate. When you run again later it uses the existing store to retrieve the existing registration and domain information to run a renewal. You don't need to know anything about how the ACME API works or the pieces involved which is nice. Actually I wish I would have looked at this tool first before digging into the lower level tools as I did.

Installation is easy: You can install the latest version from their GitHub Releases page and simply unzip the zip file into a folder. The zip file contains a single .NET executable Console application and the required SSH native dependencies plus a couple of configuration files.

To run it, simply open a command window, CD to the install folder and run:

LetsEncrypt

Here's what the interaction looks like (on my home machine which only has one host-headered site I added for testing):

[Screenshot: LetsEncrypt-Win-Simple interactive run]

(note that the site you're using here has to be internet accessible and you have to run these tools from the machine that will receive the certificate)

If all goes well, you'll end up with a new certificate installed in IIS on the Web site you specified.

[Screenshot: IIS Site Bindings dialog]

If an existing certificate is installed it will be replaced with the new one. The utility is smart enough to detect existing Let's Encrypt certs: it removes the old one and binds the new one, so only the new one is left in place. Any other certificates are simply left in place, but are not unbound.

**SNI – Multiple SSL Certificates per IP Address**
Note that IIS by default allows binding only a single SSL certificate to an IP address. Starting with Server 2012, IIS supports Server Name Indication (SNI), which allows you to bind multiple SSL certificates to a single IP address. For this to work you need to make sure that every site using the same IP address has the SNI flag checked as shown above: SNI binds the certificate to a host header rather than to the IP address. Note that old versions of IE on Windows XP don't support SNI and won't negotiate the SSL connection properly. If that's a problem you will need to stick with IP-bound SSL certificates.
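The SNI rule above is easy to get wrong on a server with several host headered sites, and the symptom (the wrong certificate being served) only shows up in a browser. As an added check, not code from the original post or from any of the tools it describes, the following PowerShell script lists every https binding on the local IIS, flags shared IP:port pairs where a binding has SNI off or no host header, and reports the issuer and remaining lifetime of the bound certificate. It assumes Windows Server 2012 or later with the WebAdministration module, run from an elevated session; the function names are my own.

```powershell
# Added example (not from the post or from LetsEncrypt-Win-Simple): audit IIS https
# bindings for SNI consistency and certificate expiry. Run elevated on the IIS box.
Import-Module WebAdministration

function Get-IisHttpsBinding {
    # sslFlags bit 1 is the "Require Server Name Indication" checkbox in IIS Manager.
    $SniFlag = 1
    Get-WebBinding -Protocol https | ForEach-Object {
        # bindingInformation has the form "IP:port:hostheader", e.g. "*:443:www.example.com"
        $ip, $port, $hostHeader = $_.bindingInformation -split ':', 3
        $site  = [regex]::Match($_.ItemXPath, "name='([^']+)'").Groups[1].Value
        $store = if ($_.certificateStoreName) { $_.certificateStoreName } else { 'My' }
        $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($_.certificateHash)" -ErrorAction SilentlyContinue
        $issuer   = if ($cert) { $cert.Issuer } else { '<certificate not found in LocalMachine store>' }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }
        $daysLeft = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
        [pscustomobject]@{
            Site       = $site
            IP         = $ip
            Port       = $port
            HostHeader = $hostHeader
            Sni        = (([int]$_.sslFlags -band $SniFlag) -ne 0)
            Thumbprint = $_.certificateHash
            Issuer     = $issuer
            NotAfter   = $notAfter
            DaysLeft   = $daysLeft
        }
    }
}

function Test-IisSniBindings {
    # Returns one line per problem found; an empty result means the bindings look sane.
    param([int] $WarnDays = 30)
    $bindings = @(Get-IisHttpsBinding)
    $problems = @()

    # Several bindings on one IP:port only work if every one of them has SNI set and a
    # host header; a single binding without SNI claims the whole address for its cert.
    foreach ($group in ($bindings | Group-Object IP, Port)) {
        if ($group.Count -lt 2) { continue }
        foreach ($b in $group.Group) {
            if (-not $b.Sni) {
                $problems += "$($b.Site): $($b.IP):$($b.Port) is shared by $($group.Count) bindings but SNI is off"
            }
            if (-not $b.HostHeader) {
                $problems += "$($b.Site): $($b.IP):$($b.Port) has no host header, so SNI cannot select it"
            }
        }
    }

    # Let's Encrypt certificates are short-lived, so a binding close to expiry means the
    # scheduled --renew run is not taking care of that site.
    foreach ($b in $bindings) {
        if ($null -eq $b.NotAfter) {
            $problems += "$($b.Site): bound thumbprint '$($b.Thumbprint)' is not in the LocalMachine store"
        } elseif ($b.DaysLeft -lt $WarnDays) {
            $problems += "$($b.Site): certificate for '$($b.HostHeader)' expires in $($b.DaysLeft) day(s); issuer $($b.Issuer)"
        }
    }
    $problems
}

# Show the binding table first, then any problems.
Get-IisHttpsBinding | Format-Table Site, IP, Port, HostHeader, Sni, DaysLeft, Issuer -AutoSize
$issues = Test-IisSniBindings
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No SNI or expiry problems found.' }
```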

If you open the site in a Web browser you can quickly check to see if the certificate is working, by clicking the secure icon and checking the certificate information. As you can see the certificate is the one created by Let's Encrypt.

[Screenshot: browser certificate details showing the Let's Encrypt issued certificate]

What's nice is that you can simply re-run LetsEncrypt and it will go out and create a new certificate and remove the old one, so at any time when you need to renew/revoke it's quick and easy to update the certificate as needed.

Yay! This process is pretty straightforward and simple. LetsEncrypt-Win-Simple also has a few command line options that let you automate the domain to create the certificate for and disable prompts so you can automate this process as well. As the name implies LetsEncrypt-Win-Simple is simple without having to understand the gory details of how Let's Encrypt works behind the scenes and unless you have specific needs beyond registration this is the way to go IMHO.

Renewals

LetsEncrypt-Win-Simple also includes an interface to renew all certificates easily. You can run:

LetsEncrypt --renew

and it checks all sites it's managing for expiration dates and if expired (or on the day of expiration) it automatically renews and replaces the old cert with a new one. Nice!

The utility also creates a scheduled task that runs this command once a day and fires update requests. Note that you might have to tweak the task's User Identity settings as described here to ensure that the user is logged on properly when running the scheduled task. The task runs as the logged-on user because this tool creates the Let's Encrypt vault in %appdata%\letsencrypt-win-simple, which is a user-specific profile folder. It'd be much better if the vault were in a global location like \ProgramData so it could run under any account, including system accounts. But that's a minor issue.
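Because the vault is per-user, the renewal task only works if it runs under the account that did the interactive registration, and it has to run without that account being logged on. As an added example (my own script, not LetsEncrypt-Win-Simple's own task setup), this PowerShell re-registers the daily task with stored credentials and highest privileges, then reads the principal back so you can confirm the logon type. The install folder, task name and account name are placeholders you must adjust; the `--renew --baseuri` arguments are the ones the tool's own task uses.

```powershell
# Added example (not the tool's own code): re-register the daily renewal task so it runs
# under an explicit account whether or not that account is logged on, and elevated.
$InstallDir = 'C:\Tools\letsencrypt-win-simple'      # placeholder: folder the release was unzipped into
$TaskName   = 'letsencrypt-win-simple'               # placeholder: task name as shown in Task Scheduler
$RunAs      = "$env:COMPUTERNAME\letsencrypt-admin"  # placeholder: the admin account that ran the interactive setup

function Register-RenewalTask {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $exe = Join-Path $InstallDir 'letsencrypt.exe'
    if (-not (Test-Path $exe)) { throw "letsencrypt.exe not found in $InstallDir" }

    $action   = New-ScheduledTaskAction -Execute $exe `
                  -Argument '--renew --baseuri "https://acme-v01.api.letsencrypt.org/"' `
                  -WorkingDirectory $InstallDir
    $trigger  = New-ScheduledTaskTrigger -Daily -At 9am
    # StartWhenAvailable catches up a run missed while the server was off; the time limit
    # keeps a hung renewal from blocking the next day's check.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

    # Drop the tool-generated task so the new principal replaces it instead of duplicating it.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue

    # -User/-Password stores a credential with the task (logon type "Password"), which is what
    # lets it run with no interactive session; RunLevel Highest is needed to update IIS
    # bindings and the LocalMachine certificate store.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $Credential.UserName -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Highest | Out-Null
}

function Test-RenewalTask {
    # Reads the task back; LogonType should be 'Password' (not 'Interactive') and RunLevel 'Highest'.
    param([Parameter(Mandatory)] [string] $TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    [pscustomobject]@{
        Name       = $task.TaskName
        RunsAs     = $task.Principal.UserId
        LogonType  = $task.Principal.LogonType
        RunLevel   = $task.Principal.RunLevel
        Command    = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult   # 0 means the last run succeeded
    }
}

$cred = Get-Credential -UserName $RunAs -Message 'Password for the account that runs the renewal task'
Register-RenewalTask -InstallDir $InstallDir -TaskName $TaskName -Credential $cred
Test-RenewalTask -TaskName $TaskName | Format-List
```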

Posted in IIS  Security  LetsEncrypt  

The Voices of Reason



nemke
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Is it possible to use/install LetsEncrypt with self hosting apps (eg. HttpListener with https support)?

Rick Strahl
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

@nemke - I haven't tried but I'm pretty sure you can as you can use IIS certs for self hosting. I talked about this in this SignalR SSL post: http://weblog.west-wind.com/posts/2013/Sep/23/Hosting-SignalR-under-SSLhttps#FindingtheCertHash

Mike Gale
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for doing the research.

Sensible ways of doing this are long overdue. Hopefully there'll be a production ready API and decent cert lifetimes soon.

Tune
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for the post, Rick!

I'm completely with you: SSL is a must, but SSL is a PITA...
I already use free certs (from StartSSL), but each year I'm confused and it still takes some hours at least to renew the certificates of the websites I host on my IIS server. I'm going to try Let'sEncrypt-Win-Simple and ACMESharp Powershell Commands on a spare domain name and if all works out fine I'll automate the renewal process for *real websites*

Thanks again!

Rick Strahl
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

@Mike - I think the 3 month max period for certs won't change. The idea is to force renewal and new keys to get created. If auto-renewal can be automated it's good practice to frequently renew certificates - less chance of compromise.

Chris Marisic
February 23, 2016

# re: Using Let's Encrypt with IIS on Windows

I believe the real concern for SNI SSL is not Windows XP but Android devices. I believe a substantial amount of Android devices will announce security errors for SNI. http://blog.layershift.com/sni-ssl-production-ready/ personally I still would never use SNI for production. Maybe in another 5 years, the same time span it seems for anything to be usable when it comes to the "world wide" web.

Ian Yates
February 23, 2016

# re: Using Let's Encrypt with IIS on Windows

The short renewal period is so they don't have to maintain big certificate revocation lists. It's not a punishment but rather a cost-saving measure and, as you say, there's less chance of compromise (and in the event of compromise, it won't be in the CRL for all that long).

Gfw
February 29, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for the post, very timely. I used LetsEncrypt-Win-Simple, followed the instructions on a test site and all worked about perfect. BTW... I also tried Certify before reading your article and had the same issue - no certificates were issued/installed.

Question...

What is the issue about not being able to revoke or remove the certificate once it is issued? Is it something to be really concerned about?

Rick Strahl
February 29, 2016

# re: Using Let's Encrypt with IIS on Windows

@Gfw - I'm not sure about the revocation and limits. I think under normal scenarios this isn't a problem - old certificates should just scroll off. I think this is just growing pains and the .NET/Windows components currently don't support the revocation stuff, but I'm sure it's coming. I think the deal is that if you have a problem with a cert you just create a new one. As long as you don't have too many for a single domain (I created about 10 in testing I think) I don't think you'll run into this issue, which in a normal use case is pretty unlikely.

Spongman
April 08, 2016

# re: Using Let's Encrypt with IIS on Windows

If you're going to run the renew script every day, why not just have certs that last two days?

Rick Strahl
April 10, 2016

# re: Using Let's Encrypt with IIS on Windows

@Spongman - you're not going to renew every day. The WinSimple task **checks** every day to see if the cert has expired, but it doesn't renew it every day. Renewals aren't fast and there are limits how often you can create a cert for a single top level domain. Nothing wrong with creating new certs more frequently though, but every few days seems overkill.

Rolando
April 12, 2016

# re: Using Let's Encrypt with IIS on Windows

Hello there, so this process (win-simple) is not as easy as it seems. I have attempted numerous times in trying to install the certificate and this is the error I have received. I did go into IIS and moved the static file above the extensionlessurlhandler, so that is correct. The only thing left is the web_config file?? Please help, and let me know if the web config file needs to be updated/corrected, and to what it should be. Thank you very much for your time.

This could be caused by IIS not being setup to handle extensionless static
files. Here's how to fix that:
1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
(like this http://i.stack.imgur.com/nkvrL.png)
3. If you need to make changes to your web.config file, update the one
at C:\Users\rolando\Desktop\letsencrypt-win-simple.v1.9.0\web_config.xml

steve
May 12, 2016

# re: Using Let's Encrypt with IIS on Windows

Can this process work with a hosting site that doesn't allow direct IIS access?

Rick Strahl
May 30, 2016

# re: Using Let's Encrypt with IIS on Windows

@Steve - I don't think so unless you build custom tooling. You need to be able to run the LetsEncrypt client from the server you plan to install the cert from so you can prove that you control the domain.

It's possible to set up a server hosted mechanism for this. It'd be nice if a Web based front end could be built to do this - that way you could remotely manage the certificates. Nothing for this yet, but I bet somebody will build this.

Oliver
June 01, 2016

# re: Using Let's Encrypt with IIS on Windows

Rick,

thanks for another great post of yours. I really appreciate the time and effort you put into your research and writing. Your blog is always worth a visit - if it's on Google's first result page that's where I go first for the information I'm looking for.

Keep it up, I'm convinced many other readers appreciate your content at least as much as I do.

Btw, this post helped me quickly set up a TLS certificate in IIS on windows just yesterday :-)

Rick Strahl
June 01, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks @Oliver. I appreciate the kind words. Glad to see my ramblings are useful to some of you :-)

B
July 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Renewals
LetsEncrypt-Win-Simple also includes an interface to renew all certificates easily. You can run:

LetsEncrypt --renew
and it checks all sites it's managing for expiration dates and if expired (or on the day of expiration) it automatically renews and replaces the old cert with a new one. Nice!

The utility also creates a scheduled task that runs this command once a day and fires update requests. Note you might have to tweak the task User Identity settings as described here to ensure that the user is logged on properly when running the scheduled task.


The problem is I cannot find any LetsEncrypt scheduled task, should I create one, and which application should I choose?

Pablo Carrau
September 12, 2016

# re: Using Let's Encrypt with IIS on Windows

I contacted the dev for the Certify program concerning how to handle automated renewals. I suggested adding a command line option to allow us to set a scheduled task. He responded with this:

"At some point in the future I intend to add auto renew as a service to the app. Until then though you could use the ACMESharp powershell scripts (which Certify uses) to script any action you like including renewal."

I'm hoping he develops something soon since Certify has been the easiest way to generate certs so far.

Rick Strahl
September 12, 2016

# re: Using Let's Encrypt with IIS on Windows

@Pablo - unfortunately there are a number of issues with the renewals in Certify. Renewals don't appear to install the proper certificates into the Windows Cert store.

I've actually stepped back from Certify and I'm now using LetsEncrypt-win-simple which seems to be working better with renewals. Recent updates have also made this process much more seamless to get the certs created.

I wish I had time to help out with Certify - it seems such a shame that the project is largely abandoned by the developer (for the same time constraints). It'd be so nice to have a visual way of doing this in addition to the ACME library based solution.

Dan Smith
October 05, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for this blog post. Saved me a few hours going thru the same exercise finding the best method.

Daniel Smith
@databee

Dave Quested
October 11, 2016

# re: Using Let's Encrypt with IIS on Windows

Hi Rick

Thanks for this article, great help.

Have you found a way to use the LetsEncrypt Win Simple manually and automatically add the IIS binding afterwards? Seems like you have to use the --script param somehow?

We basically want to have a go-live process which runs the LetsEncrypt Win Simple manual command and then ensure that a IIS binding / cert is applied for that site.

Possible? I see you've written an article about PowerShell, but can't quite see how to tie it all together. Any help greatly appreciated!

Dave

Michael
November 09, 2016

# re: Using Let's Encrypt with IIS on Windows

Do you know of a way to use let's encrypt for local certificates such as remote desktop? I have self-signed certificates so it is "encrypted", but that pesky warning message pops up every time. Also, is there a way to use LE with Windows Server Essentials Remote Web Access tool?

Rick Strahl
November 09, 2016

# re: Using Let's Encrypt with IIS on Windows

Let's Encrypt really needs a Web site as it needs to validate the website's domain. You can create a certificate through a Web site and then perhaps use the generated cert for other purposes assuming it's the same type of certificate that is compatible.

Pascal
November 14, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks a lot for this post. I used LetsEncrypt-Win-Simple and got my site with a valid certificate in 5 minutes!

I have updated the scheduled task with my local admin user to also work when not logged in. Works like a treat.

The last step for me is now to redirect the HTTP site to HTTPS and let Google know about it.

Really cool, thanks.


NetoMeter
November 27, 2016

# re: Using Let's Encrypt with IIS on Windows

We've tested successfully and published a video for both the Lets-encrypt-simple client and the ACMESharp PowerShell Module.

The Lets-encrypt-simple client seems to be more suitable for installing single domain certificates on Windows servers running IIS. The video instructions are available here:

http://www.netometer.com/blog/?p=1758

The ACMESharp PowerShell module is perfect for the automatic installation and renewal of Exchange Multiple Domain (SAN) certificates - the video demo is available here:

http://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server

In the demo, we are scheduling a task in Task Scheduler to renew the Exchange certificate and it works flawlessly.

Regards,

Dean


Walt
January 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi.

Thanks much for the post on Let's Encrypt. I am now using LE for a company home page. However, I want to redirect all HTTP traffic to the HTTPS protected web site, and from what I understand, LE uses HTTP to request renewals? Will such a redirection cause issues with the automatic renewal?

Thanks much for any suggestions / help! Walt


Rick Strahl
January 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Walt - I use https redirects and it seems to work. I think for the first registration it has to be http, but for renewal https requests seem to work for me.


Justin Braun
February 01, 2017

# re: Using Let's Encrypt with IIS on Windows

Great article, Rick. Been looking for the best way to do this with IIS going forward. This appears to be the best method at this point. Thanks for digging into it and sharing.


Xiao
February 03, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi

I am trying to do my first renewal but when I use LetsEncrypt --renew it tells me that my cert can't be renewed as it is still valid but when I go to my website my cert has expired.

Any else have this issue? I have 2 sites that are using ssl on my site. I checked Require server name identification.


AlexB
February 13, 2017

# re: Using Let's Encrypt with IIS on Windows

Thanks, I can't believe how easy that was... all those years of struggling.


roy
February 19, 2017

# re: Using Let's Encrypt with IIS on Windows

Xiao, did you fix the issue you had with the renewals ? if so, what did you do to fix it ?


Mike Caldera
February 19, 2017

# re: Using Let's Encrypt with IIS on Windows

Thank you for the Information. I had previously given up trying to install these certificates and converting them to IIS7. The Easy Way: LetsEncrypt-Win-Simple was actually the fastest and easiest for me.

Thank you 1000x time.

Mike


Guillaume P
March 09, 2017

# re: Using Let's Encrypt with IIS on Windows

@Rick Strahl : Walt - I use https redirects and it seems to work. I think for the first registration it has to be http, but for renewal https requests seem to work for me.

https redirect works well for renewal but what will happen when expiration date is reached ? the script handles that with submitting a new challenge request but it might need to do a http request as for the 1st run.

What do you think about it ?


Rick Strahl
March 10, 2017

# re: Using Let's Encrypt with IIS on Windows

@Guillaume - I know it works because I have LetsEncrypt-WinSimple handle auto-renewals for me on a couple of sites that auto-redirect to https. I think it's only the first registration that has to go over http even if a cert is already installed.


NetoMeter
March 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Rick,

I think it's only the first registration that has go over http even if a cert is already installed.

After you create a LE account (that's the first thing the client does) and a private/public key pair which is used for encrypting the communication with LE servers, the registration of the domain names that you need to have included in the certificates is performed, and a successful domain name registration (http-01 validation) with LE is valid for slightly longer than 11 months.

That explains why you don't see http subsequent validations from LE during the certificate renewals while the registration of the Domain Names is still valid - in 12 months, you'll have to perform a new registration (validation) of the names again.

Regards,

Dean


Niko H.
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

Hey Rick!

Great tutorial that you set up here!

I don't find the switch for "including the www." to the certificate. So do I have to install 2 certs for www. and without www. in Windows (?) because Plesk on Linux offers the option to do that by checking a box. Is that a limitation doing that under Windows?

Thanks for any help!

Best regards

Niko


Rick Strahl
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Niko - yes, you have to set up each individual subdomain, including www.mydomain.com and mydomain.com.


Niko
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Rick Thank you! That means I have to install in this case really 2! certs?


Rick Strahl
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Niko - yes, but because you can have certificates auto-renew themselves, having two certificates is really not a problem.


Adrew
April 11, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi Rick, many thanks for the script utility. Is it possible to get a cert for a subdomain like ssl.mysite.com? The utility can't find an IIS site with subdomain bindings. Best regards, Andrew


Rick Strahl
April 12, 2017

# re: Using Let's Encrypt with IIS on Windows

@Andrew - that definitely works. Make sure you can see the sites in the IIS Manager. When you run LetsEncrypt-WinSimple it should see and show those sites. Make sure you're running as an Administrator, otherwise you won't have access to the admin objects required to enumerate the Web sites. You also need to make sure you use SNI for each site.


Ben
April 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi Rick

This is a good write-up, thanks.

I am currently setting up a site with two web servers behind Cloudflare loadbalancing (which is still in preview).

I am attempting to set up SSL for these servers using LetsEncrypt-Simple. However, authorisation is failing for server X, since the load balancer is probably routing the request for the answer file over to server Y, and vice versa.

So, my questions are as follows:

  1. How can I set up SSL for all of my web servers behind the load balancer?
  2. How would we configure the renewal process for this scenario?

Thanks


Niko
April 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi Rick, again a question from me.

All the first time installed certs have a duration of 90 days. How many days before expiration date will the scheduled task renew the certs?

( I also modified the automated installed scheduled task job, that runs every day at 9 o'clock a) run with highest privileges b) run also when user is not logged in (admin password is set), because it should run without a logged in administrator.)

Many thanks and regards

Niko


Jan D
April 18, 2017

# re: Using Let's Encrypt with IIS on Windows

I keep getting this error when refreshing through letsencrypt: The ACME server was probably unable to reach http://www.mydomain.com/.well-known/acme-challenge/

I followed the steps listed, but to no avail. Any other suggestions to look at?


Rick Strahl
April 18, 2017

# re: Using Let's Encrypt with IIS on Windows

@Ben - You have to ensure that server affinity is guaranteed and that when you set up the request it is guaranteed to go back to that very same machine when Lets Encrypt calls back since that machine will be the only one that has the request info to verify. Most likely you have to take the site off the load balancer or run balancer with a single site enabled to make this work. Otherwise - you need to use a traditional route for getting a certificate which is more complicated but doesn't require live validation of the running site.


Jaime Hablutzel
April 20, 2017

# re: Using Let's Encrypt with IIS on Windows

Caddy is a web server with native integration with Let's Encrypt, https://caddyserver.com/.


Niko
April 24, 2017

# re: Using Let's Encrypt with IIS on Windows

My question of 18 April is still unanswered. Somebody must have experience with this, because Letsencrypt is not new, though for me it is a relatively new topic. Maybe somebody has an answer for me: when does the scheduled task job make the renewal at the earliest? Thanks and regards Niko


Rick Strahl
April 24, 2017

# re: Using Let's Encrypt with IIS on Windows

@Niko - I'm not sure exactly when LetsEncrypt starts the renewals, but I believe it's at 60 days. All I know is that my renewals just happen automatically with (AFAIK) no hiccups of downtime due to missed renewals.


wallace turner
May 02, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi Rick, great article! HUGE fan of Let's Encrypt; it is like something I never knew existed but desperately need! I am using ASP.NET Core with a reverse proxy (not the ASP.NET Core IIS module) - this doesn't play nicely with the auto-renew as you need to disable the reverse proxy (unless your proxied app runs in the same folder as your IIS web application).

fortunately you can do this before the renewal runs via command line:

Import-Module WebAdministration
Set-WebConfigurationProperty '/system.webserver/rewrite/rules/rule[@name="ReverseProxyInboundRule1"]' -Name enabled -Value false -PSPath "IIS:\sites\<your_website_name>"

ref: https://forums.iis.net/t/1200431.aspx


Kit
May 05, 2017

# re: Using Let's Encrypt with IIS on Windows

Hey Rick,

Thanks for your write-up about LetsEncrypt-Win-Simple.

I managed to get it working within IIS 8. This is going to simplify an annoying task.

However, when asked if I want to to auto renew every 60 days I chose 'No' as I thought I could choose 'Y' the next time but it does not give me this option again. I see there is a new letsencrypt daily task in Task Scheduler but I don't think this is the 60 day auto renewal.

I do not see a way to either re-enable the auto renewal Y/N option when running letsencrypt.exe or how to manually add it to a config file.

Just wondering if this is something you know about?

Thanks


Lcng
June 13, 2017

# re: Using Let's Encrypt with IIS on Windows

Great post. I read your posts years ago when I was learning ASP.NET developing. Your posts helped me a lot. And this post helped me a lot again. Thank you. 谢谢。


Rick Strahl
July 06, 2017

# re: Using Let's Encrypt with IIS on Windows

@Kit - every time you renew, Lets Encrypt Win Simple will prompt to recreate the scheduled task. The scheduled task runs through all sites. In theory you need to only set this up once and then answer no on subsequent requests, just in case you made changes (like the account it runs under). The renewals will still fire. The renewal task fires once a day, and it does some check for the certificate expiration date before it expires. Exactly when it checks and decides to renew I'm not sure - you'd have to look at the source to see what they do exactly in the scheduled task operation (--renew).


David
July 19, 2017

# re: Using Let's Encrypt with IIS on Windows

ISTR the Windows scheduled renewal task runs every 24hrs but only actually renews the cert when it needs to. It's a hidden task and runs let'sencrypt with these flags.. --renew --baseuri "https://acme-v01.api.letsencrypt.org/"


David
July 19, 2017

# re: Using Let's Encrypt with IIS on Windows

and another one for you Rick....

As we all know - or have figured out - generating certs requires port 80 and 443 to be open [although possibly only 443 once an account has been set up for renewals..]. So I've been looking at the DNS-01 challenge which would save (in my case) messing with perimeter firewalls, IIS not using port 80 and having to switch anonymous authentication on to generate or renew a cert.

Does -Letsencrypt-win-simple support this do you know and do you have any tips?

TiA

David


Tyler
August 27, 2017

# re: Using Let's Encrypt with IIS on Windows

I am not able to create a new SSL to my default SSL site.

My "Default Site" is listening to all http:80 requests on all addresses.

I tried setting up an SSL binding with SNI, and LetsEncrypt didn't pick up on it.

I created a default SSL site (was getting a warning in IIS) by creating an HTTPS binding on all IPs with no host name indicated.

This didn't work.

I tried creating a new site with SSL bindings to both the hostname and no hostname (both with all and single IPs), but this didn't work.

What could I be missing here?


Rick Strahl
August 28, 2017

# re: Using Let's Encrypt with IIS on Windows

You have to bind to a specific domain name, so the site has to be set up with host headers and EACH host header has to have its own certificate. If you have existing bindings or a wildcard cert then it won't work.

Use LetsEncrypt-WinSimple and look at the list it produces and if it doesn't pick up your site it's not configured properly for Host Header/SNI/Bindings.


Tyler
September 11, 2017

# re: Using Let's Encrypt with IIS on Windows

Finally got mine working after getting my bindings corrected and ports opened. Then, used Certify.


Scott
October 24, 2017

# re: Using Let's Encrypt with IIS on Windows

Had no idea IIS would reverse proxy and that there were LetsEncrypt clients. Bang up article!

For idiots like me you might add the "ran as admin" part to the main article text about win-simple.


Fix
November 12, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi

Is it really (still) not possible to have one SSL certificate for multiple domain aliases / sub domains? I ask because on my Synology NAS this seems to be possible without any problem and works automatically as it should... There is an input for aliases when creating the request.

Will have a look at Certify now, but it isn't free anymore and doesn't even offer a one time purchase!

Thx & regards


Rick Strahl
November 12, 2017

# re: Using Let's Encrypt with IIS on Windows

@Fix - Sure you can have a wildcard certificate on IIS, but Lets Encrypt does not create them. You need to use some other provider to get a wildcard certificate. According to Lets Encrypt wildcard certs are coming next year.


Georgi Lubomirov
November 22, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi,

I created a fully automated PowerShell script based on this article. It automates the process of requesting a certificate and assigning it to an IIS site. It can also handle renewals.

https://github.com/GLubomirov/Lets-Encrypt_Automate_PowerShell

Thanks for this article. Hope my script will help you guys too.

Have a great day, George Lubomirov


Rick Strahl
November 22, 2017

# re: Using Let's Encrypt with IIS on Windows

@Georgi - that's awesome!

 

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2017