Rick Strahl's Web Log


Using Let's Encrypt with IIS on Windows


Let's Encrypt is a new open source certificate authority that promises to provide free SSL certificates in a standardized, API-accessible and non-commercial way. If you've installed SSL certificates in the past, you're probably familiar with the process of signing up for a certificate with some paid-for provider and then going through the manual process of exchanging certificate signing requests and completed certificates.

Let's Encrypt is based on a set of open service APIs that can be implemented on any platform and create certificates for Web servers including IIS. This seems like a fabulous idea, given that securing your site if you have any sort of authenticated access is an absolute requirement. It's not so much the money that's a problem, since basic SSL certificates these days even from paid providers are relatively cheap (I use DnSimple both for domain management and SSL certificates), but the fact that you can completely automate the process of SSL creation and management is a huge win. This has both upsides and downsides actually and I'll talk about that at the end of the article. To be clear – I'm not a network admin and I don't have extensive experience managing certificates on a large number of sites, so in this post I cover a few basic scenarios that I deal with on my own sites hosted on my own servers.

Windows and IIS – not a first class citizen

I've followed the development of Let's Encrypt with interest, but there wasn't much to try initially as there was no implementation directly available for Windows. Last week I ran into Nik Molnar's post that points at some of the tools available for Windows using PowerShell, the command line and even the beginnings of a Windows UI based tool. Nik then goes on to describe an Azure plug-in implementation that can automatically register and renew Let's Encrypt certificates.

However I was more interested in the IIS pieces rather than Azure as I don't use Azure and host on IIS, so over the weekend I took these tools for a spin to see what's really involved in getting Let's Encrypt to work with my IIS sites. This post is a summary of what I found.

What's available on Windows

As is often the case with open tools, Windows is the afterthought rather than the norm when it comes to open networking and security tools. So when Let's Encrypt initially went to beta there was no Windows support. However, now that it's been in beta for a while there are a few tools available that provide wrappers for the Automated Certificate Management Environment (ACME) API.

There are a number of options available:

  • LetsEncrypt-Win-Simple
    Currently this seems like the easiest solution to getting new certificates installed into IIS quickly and easily. This Windows command line utility includes an 'interactive' mode that lets you pick a host-headered Web site on your server and will go out and create the certificate and install it into IIS in one seamless operation. This works great for manual installation or simple scripted installs. It's quick and easy and by far the easiest solution I've tried so far.
  • ACMESharp PowerShell Commands
    ACMESharp is a PowerShell library that provides access to many (but not yet all) commands of the ACME API. Unlike the Win-Simple approach, using the ACMESharp library requires a bit of scripting with some logic that you have to write yourself, but you get a lot of control over the process and the ability to create and save the intermediate certificates.
  • Certify
    This is a GUI implementation of the ACME API that promises to provide interactive ACME certificate management. Currently this tool is pretty rough, but improvements are coming and each new version seems to improve significantly. It's a great way to visually see certificates and obviously much easier for those who don't want to futz around with lots of command line foo.

To be clear, all of these tools are in very early release stages and so they are a bit rough with features missing… and that's to be expected. This stuff is new. Let's Encrypt itself is in beta and these tools build on top of that base stack. But nevertheless I was able to get all of these tools to work and register certificates, so you can get started today using Let's Encrypt on your own IIS Web sites.

What's missing in all tools currently is administration. You can't revoke or remove certificates and there's no way to clear out certificates on the remote servers. While testing I ended up hitting a limit of certificates registered on one of my sites and then couldn't go further with that site as I can't remove/revoke any of the certs. Natch.

Because of this, I recommend that if you plan to play with these tools, you create a new host-headered test site or sites with valid internet accessible domain names and play with that site before you update and add certificates to any live sites you care about. Once you figure out how things work it's easy to get certificates installed on a live site.

The Easy Way: LetsEncrypt-Win-Simple

By far the easiest way to create and install a new certificate is LetsEncrypt-Win-Simple. This tool runs from the command line and has a few very easy to understand options. Basically you pick a site from the list of active Web sites using host headers on your server and the utility goes out and creates a certificate for you, creates an https binding and attaches the certificate. If there's already a certificate there the certificate is replaced with the new one.

This tool basically wraps up all the intermediate steps of creating a registration, domain and certificate. When you run it again later it uses the existing store to retrieve the existing registration and domain information to run a renewal. You don't need to know anything about how the ACME API works or the pieces involved, which is nice. Actually I wish I had looked at this tool first before digging into the lower level tools as I did.

Installation is easy: You can install the latest version from their GitHub Releases page and simply unzip the zip file into a folder. The zip file contains a single .NET executable console application and the required SSH native dependencies plus a couple of configuration files.

To run it, simply open a command window, CD to the install folder and run:

LetsEncrypt

Here's what the interaction looks like (on my home machine which only has one host-headered site I added for testing):

[Screenshot: LetsEncrypt-Win-Simple interactive session]

(note that the site you're using here has to be internet accessible and you have to run these tools from the machine that will receive the certificate)

If all goes well, you'll end up with a new certificate installed in IIS on the Web site you specified.

[Screenshot: IIS Site Bindings dialog showing the https binding with the Let's Encrypt certificate]

If an existing certificate is installed it will be replaced with the new one. The utility is smart enough to detect an existing Let's Encrypt cert: it removes the old one and binds the new one, leaving only the new one in place. Any other certificates are simply left in place, but are not unbound.

SNI – Multiple SSL Certificates per IP Address

Note that IIS by default allows binding of only a single SSL certificate to an IP Address. Starting with Server 2012, IIS supports Server Name Indication (SNI), which allows you to bind multiple SSL certificates to a single IP Address. In order for this to work you need to make sure that every site using the same IP Address has the SNI flag checked as shown above. SNI binds the certificate to a host header rather than the IP Address. Note that old versions of IE on Windows XP don't support SNI and will not be served the right certificate. If that's a problem you will need to stick with IP-bound SSL certificates.

If you open the site in a Web browser you can quickly check to see if the certificate is working, by clicking the secure icon and checking the certificate information. As you can see the certificate is the one created by Let's Encrypt.

[Screenshot: browser certificate details showing the Let's Encrypt issued certificate]

What's nice is that you can simply re-run LetsEncrypt and it will go out and create a new certificate and remove the old one, so at any time when you need to renew or replace a certificate it's quick and easy to update it as needed.

Yay! This process is pretty straightforward and simple. LetsEncrypt-Win-Simple also has a few command line options that let you specify the domain to create the certificate for and disable prompts, so you can automate this process as well. As the name implies, LetsEncrypt-Win-Simple is simple and you don't have to understand the gory details of how Let's Encrypt works behind the scenes. Unless you have specific needs beyond registration this is the way to go IMHO.

Renewals

LetsEncrypt-Win-Simple also includes an interface to renew all certificates easily. You can run:

LetsEncrypt --renew

and it checks all sites it's managing for expiration dates and if expired (or on the day of expiration) it automatically renews and replaces the old cert with a new one. Nice!

The utility also creates a scheduled task that runs this command once a day and fires update requests. Note you might have to tweak the task User Identity settings as described here to ensure that the user is logged on properly when running the scheduled task. The task runs as the logged on user because this tool creates the Let's Encrypt vault in %appdata%\letsencrypt-win-simple, which is a user-specific profile folder. It'd be much better if the vault was in a global location like \ProgramData so it could run under any account including system accounts. But that's a minor issue.
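Because Let's Encrypt certificates only last 90 days, a daily renewal task that silently fails leaves an expired site. The following PowerShell script is an added example (not part of this post and not code from LetsEncrypt-Win-Simple) that walks every https binding in IIS, looks up the bound certificate in the machine store and flags anything missing, expired or due for renewal; it assumes the WebAdministration module (IIS 7.5 and later) and an elevated prompt, and the 14-day warning window is an assumed value.

```powershell
# Added example: audit the certificate behind every https binding in IIS.
# Assumes the WebAdministration module and an elevated PowerShell prompt.
Import-Module WebAdministration

# Let's Encrypt certs are valid for 90 days, so warn well inside that window (assumed value)
$warnDays = 14

$report = foreach ($site in Get-ChildItem IIS:\Sites) {
    $httpsBindings = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
    foreach ($binding in $httpsBindings) {
        # bindingInformation looks like "*:443:www.example.com" (IP:port:host header)
        $ip, $port, $hostHeader = $binding.bindingInformation -split ':', 3

        # The binding records the thumbprint and store of the certificate it uses
        $thumb = $binding.certificateHash
        $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
        $cert  = $null
        if ($thumb) {
            $cert = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
        }

        $daysLeft = $null
        if ($cert) { $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays }

        if (-not $cert)                  { $status = 'MISSING' }     # bound hash not in the store
        elseif ($daysLeft -lt 0)         { $status = 'EXPIRED' }
        elseif ($daysLeft -le $warnDays) { $status = 'RENEW SOON' }
        else                             { $status = 'OK' }

        [pscustomobject]@{
            Site       = $site.Name
            Host       = $hostHeader
            Port       = $port
            Sni        = (($binding.sslFlags -band 1) -eq 1)   # bit 0 = "Require SNI"
            Thumbprint = $thumb
            Issuer     = if ($cert) { $cert.Issuer } else { "(not found in LocalMachine\$store)" }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring check pick up problems
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from a second scheduled task a few minutes after the renewal task and alert on a non-zero exit code, so a renewal that stopped working is noticed long before the 90 days run out.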

More Control with ACMESharp and PowerShell

If you want to work with the lower level ACME APIs directly and you want fine-grained control over the cert creation process, then ACMESharp's PowerShell cmdlets are a good way to do it. It's all based on a .NET library that provides the core interface to the ACME APIs, so you can also automate your own applications.

LetsEncrypt works with a few core concepts:

  • A registration which is essentially an entity that's creating certificates (you or your company)
  • An identifier which is the domain name you are registering
  • A Certificate tied to that domain name

The process involves creating a registered account once, then creating multiple domains that can be registered. Each domain then can have multiple certificates associated with it over time.

The ACMESharp GitHub site has a pretty good getting started topic that I was able to follow; it goes through the process of setting up a registration, setting up a domain and then creating the actual certificate.

Be forewarned – there are quite a few steps and the steps change if you're doing a renewal – it's not as simple as LetsEncrypt-win-simple although you can build something similar with ACMESharp (as LetsEncrypt-win-simple does as it uses the ACMESharp APIs). ACMESharp is a lower level tool that provides the API surface that you can build on top of.

But you can relatively easily use the PowerShell interface to create new and renewal certificates. The steps change depending on whether you're doing a first time installation, where you have to create the initial registration and domain, or a renewal, where you simply need to add a new certificate to an existing domain registration.

After quite a bit of experimenting with temporary domains I ended up with a parameterized PowerShell script that I now use to register and update domains. You might find this useful in addition to the instructions (for one thing it's easier to cut and paste from if you do want to do the steps manually).

#Install-Module -Name ACMESharp
Import-Module ACMESharp

$email = "mailto:rick@east-wind.com"
$domain = "codepaste.net"
$alias = "codepaste"
$iissitename = "codepaste.net"
$certname = "codepaste$(Get-Date -Format yyyy-MM-dd--HH-mm)"
$pfxfile = "c:\Admin\Certs\$certname.pfx"

# Flags that control the flow: first run on a machine, first run for a domain, renewal
$initializevault = $FALSE
$createregistration = $FALSE
$createalias = $TRUE

# Change to the Vault folder
cd C:\ProgramData\ACMESharp\sysVault

# First time on the machine - initialize vault
if($initializevault) {
    Initialize-ACMEVault
}
Get-ACMEVault

if($createregistration) {
    # Set up new 'account' tied to an email address
    New-ACMERegistration -Contacts "$email" -AcceptTos
}

if($createalias) {
    # Associate a new site
    New-ACMEIdentifier -Dns $domain -Alias $alias

    # Prove the site exists and is accessible
    Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis -HandlerParameters @{WebSiteRef="$iissitename"}

    # Validate site
    Submit-ACMEChallenge $alias -ChallengeType http-01

    # Check until the status is valid or invalid - repeat while it is still pending
    Update-ACMEIdentifier $alias -ChallengeType http-01
    Update-ACMEIdentifier $alias -ChallengeType http-01
}

# Generate a certificate
New-ACMECertificate ${alias} -Generate -Alias $certname

# Submit the certificate
Submit-ACMECertificate $certname

# Hit until values are filled in
Update-ACMECertificate $certname
pause

# Export Certificate to PFX file
Get-ACMECertificate $certname -ExportPkcs12 $pfxfile

Note that by setting the 3 boolean values you can control the flow for new and renewal certificates. The way the script is set up above it runs for a certificate renewal/update.

This script produces a PFX file which can then be imported into IIS. There are also tools to install and update existing certificates in IIS, but it looks like there are currently some changes in the API that made this not work for me. I wasn't even able to get the tools to load.

You can manually install the certificate with:

certutil -p password -importPFX "c:\admin\certs\codepaste2016-02-28--20-22.pfx"

or manually import it from the IIS Management Console and the IIS Certificates section. This works well for first time installs, but if you need to update an existing certificate then you still need to swap the certificates in IIS using the Management Console or command line tooling.
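Swapping the certificate on an existing binding is the step that is easy to get wrong by hand, so here is an added example (not part of this post and not ACMESharp or LetsEncrypt-Win-Simple code) that imports the exported PFX into the machine store, makes sure the site has an https binding with the SNI flag from the SNI section above, attaches the new certificate and then verifies the binding actually changed. The site name, host name and PFX path are assumed values; the WebAdministration and PKI modules (Server 2012 and later) and an elevated prompt are assumed.

```powershell
# Added example: import a PFX and bind it to an IIS site over SNI.
# Assumes WebAdministration + PKI modules (Server 2012+) and an elevated prompt.
Import-Module WebAdministration

$siteName = 'codepaste.net'                                   # assumed IIS site name
$hostName = 'codepaste.net'                                   # assumed host header
$pfxFile  = 'C:\Admin\Certs\codepaste2016-02-28--20-22.pfx'   # assumed export path
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'  # prompt rather than hard-code it

# 1. Import into LocalMachine\My, the store IIS reads server certificates from.
$cert = Import-PfxCertificate -FilePath $pfxFile `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; IIS cannot use it' }

# 2. Ensure an https binding for this host exists with "Require SNI" set (sslFlags 1).
#    Without SNI only one certificate can be bound per IP address and port.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
}

# 3. Point the binding at the new certificate. This replaces whatever thumbprint was
#    bound before; the previous certificate stays in the store but is no longer used.
$previous = $binding.certificateHash
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Verify by re-reading the binding instead of trusting the call succeeded.
$check = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
if ($check.certificateHash -ne $cert.Thumbprint) {
    throw "Binding for $hostName still points at $($check.certificateHash)"
}
"Replaced $previous with $($cert.Thumbprint) on https://$hostName (expires $($cert.NotAfter))"
```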

Certify – A Let's Encrypt GUI in the Making

(updated March 10th, 2016)

Certify is a visual GUI based tool that is also based on the ACMESharp library and provides a visual management interface to certificate operations. This tool is currently in Alpha and it's very rough – in fact when I initially tried it a few weeks back I wasn't able to actually get a certificate to create. However there's been a recent update that now has the basic features working even though the UI is still a bit rough.

The Certify UI pretty much reflects the terminology of a Vault, contact (email really) and domains and certificates and the UI reflects this hierarchy. You can create new domains and then attach new certificates to each domain. You can also use this UI to renew, export and apply the certificates directly into IIS Web Site bindings.

[Screenshot: Certify UI showing the vault, contact, domains and certificates hierarchy]

The tool lets you create a new email contact, and then lets you add domains and certificates interactively. You can issue a new certificate. The certificate takes a minute or so to get generated and currently you have to refresh the Vault to see the updated, validated certificate. Once validated you can use Auto Apply to pick a Web Site and port to bind the certificate to. You can also export the certificate to a .pfx file, and you can ask to renew the certificate with Certify at any point.

This tool is clearly in Alpha stage, and while it doesn't work yet, it's nice to see a UI for this. Having a visual view of installed certificates and seeing status of certificates at a glance can be useful. It would be nice to see different colors based on the expiration state of certificates (red for expired, orange for a couple of weeks, green for valid) etc. Having a UI to see everything at a glance is really nice.

Keep an eye on this tool going forward.

Where are we?

The idea of free and open source SSL certificates is certainly coming at the right time, as we are looking at a big push from Google and other big Internet players to try and enforce SSL on every Internet connection. Running SSL can help prevent many HTTP, XSS and man-in-the-middle type attacks by encrypting content and headers. Even though SSL certificates have gotten significantly cheaper, having an easy and 'official' way to create SSL certificates is going to do wonders to increase SSL usage. I know I have a handful of small side project sites that I can't justify spending even $20 a year for SSL on, but if it's free – hey, why the hell not.

It's not just about free certificates either – the fact that the certificate generation can be completely automated is also appealing, especially for those who have large numbers of sites and certificates. Being able to check certificates once a day for expiration and renew them when they come within a day of expiring makes for one less thing to worry about.

One issue that I see with Let's Encrypt in the current state of the tools is that certificates are valid for a maximum of 90 days or 3 months. This means you need to manage renewals much more frequently than with your typical 1 year certificate. Let's Encrypt supposedly has mail notifications in place if certificates expire, but I haven't been able to try that out yet as the expirations are too far in the future. Automation of the renewal process is going to be key here – nobody will want to manually renew certificates or even be notified every 3 months. I have 5 certificates on my Web server today and even a year for expiration is a big hassle as these certificates expire at different times of the year. To me the automation aspect is much more relevant than the cost.

Let's Encrypt itself is still under development and the Windows tools are even less mature. The base API exists and can be used today to create certificates as I've shown here, but there's a lot of work still to be done. The certificates created currently are the most basic certificates you can get. There's no support for wildcard certs, or higher end validated certs. It's not clear whether that will be supported in the future as setting up registrations for these types of certificates is much more involved. So today Let's Encrypt is not a solution for all SSL needs, but it definitely serves the low end sector well. And you definitely *can* use it today to get free SSL certificates if you're willing to put up with a little bit of growing pain. Especially using LetsEncrypt-win-simple it's pretty easy to get started and even keep things up to date.

In the future I hope we will see integration for services like Let's Encrypt directly built into Web servers. Having a common protocol for certificate registration seems so obvious in hindsight. Especially for IIS and Windows in general which has always been such a pain in the ass with certificate management. I suspect that we'll see this sort of integration sooner rather than later.

How do you see yourself using this service? Would you use it just because the service is free, or because of the automation opportunities? Sound off in comments.

Resources

Posted in: IIS, Security, LetsEncrypt

The Voices of Reason


nemke
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Is it possible to use/install LetsEncrypt with self hosting apps (eg. HttpListener with https support)?

Rick Strahl
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

@nemke - I haven't tried but I'm pretty sure you can as you can use IIS certs for self hosting. I talked about this in this SignalR SSL post: http://weblog.west-wind.com/posts/2013/Sep/23/Hosting-SignalR-under-SSLhttps#FindingtheCertHash

Mike Gale
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for doing the research.

Sensible ways of doing this are long overdue. Hopefully there'll be a production ready API and decent cert lifetimes soon.

Tune
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for the post, Rick!

I'm completely with you: SSL is a must, but SSL is a PITA...
I already use free certs (from StartSSL), but each year I'm confused and it still takes some hours at least to renew the certificates of the websites I host on my IIS server. I'm going to try Let'sEncrypt-Win-Simple and ACMESharp Powershell Commands on a spare domain name and if all works out fine I'll automate the renewal process for *real websites*

Thanks again!

Rick Strahl
February 22, 2016

# re: Using Let's Encrypt with IIS on Windows

@Mike - I think the 3 month max period for certs won't change. The idea is to force renewal and new keys to get created. If auto-renewal can be automated it's good practice to frequently renew certificates - less chance of compromise.

Chris Marisic
February 23, 2016

# re: Using Let's Encrypt with IIS on Windows

I believe the real concern for SNI SSL is not Windows XP but Android devices. I believe a substantial amount of Android devices will announce security errors for SNI. http://blog.layershift.com/sni-ssl-production-ready/ personally I still would never use SNI for production. Maybe in another 5 years, the same time span it seems for anything to be usable when it comes to the "world wide" web.

Ian Yates
February 23, 2016

# re: Using Let's Encrypt with IIS on Windows

The short renewal period is so they don't have to maintain big certificate revocation lists. It's not a punishment but rather a cost-saving measure and, as you say, there's less chance of compromise (and in the event of compromise, it won't be in the CRL for all that long).

Gfw
February 29, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for the post, very timely. I used LetsEncrypt-Win-Simple, followed the instructions on a test site and all worked about perfect. BTW... I also tried Certify before reading your article and had the same issue - no certificates were issued/installed.

Question...

What is the issue about not being able to revoke or remove the certificate once it is issued? Is it something to be really concerned about?

Rick Strahl
February 29, 2016

# re: Using Let's Encrypt with IIS on Windows

@Gfw - I'm not sure about the revocation and limits. I think under normal scenarios this isn't a problem - old certificates should just scroll off. I think this is just growing pains and the .NET/Windows components currently don't support the revocation stuff but I'm sure it's coming. I think the deal is that if you have a problem with a cert you just create a new one as long as you don't have too many for a single domain (I created about 10 in testing I think). I don't think you'll run into this issue, which in a normal use case is pretty unlikely.

Spongman
April 08, 2016

# re: Using Let's Encrypt with IIS on Windows

If you're going to run the renew script every day, why not just have certs that last two days?

Rick Strahl
April 10, 2016

# re: Using Let's Encrypt with IIS on Windows

@Spongman - you're not going to renew every day. The WinSimple task **checks** every day to see if the cert has expired, but it doesn't renew it every day. Renewals aren't fast and there are limits how often you can create a cert for a single top level domain. Nothing wrong with creating new certs more frequently though, but every few days seems overkill.

Rolando
April 12, 2016

# re: Using Let's Encrypt with IIS on Windows

Hello there, so this process (win-simple) is not as easy as it seems. I have attempted numerous times in trying to install the certificate and this is the error I have received. I did go into IIS and moved the static file above the extensionlessurlhandler, so that is correct. The only thing left is the web_config file?? Please help, and let me know if the web config file needs to be updated/corrected, and to what it should be. Thank you very much for your time.

This could be caused by IIS not being setup to handle extensionless static
files. Here's how to fix that:
1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
(like this http://i.stack.imgur.com/nkvrL.png)
3. If you need to make changes to your web.config file, update the one
at C:\Users\rolando\Desktop\letsencrypt-win-simple.v1.9.0\web_config.xml

steve
May 12, 2016

# re: Using Let's Encrypt with IIS on Windows

Can this process work with a hosting site that doesn't allow direct IIS access?

Rick Strahl
May 30, 2016

# re: Using Let's Encrypt with IIS on Windows

@Steve - I don't think so unless you build custom tooling. You need to be able to run the LetsEncrypt client from the server you plan to install the cert from so you can prove that you control the domain.

It's possible to set up a server hosted mechanism for this. It'd be nice if a Web based front end could be built to do this - that way you could remotely manage the certificates. Nothing for this yet, but I bet somebody will build this.

Oliver
June 01, 2016

# re: Using Let's Encrypt with IIS on Windows

Rick,

thanks for another great post of yours. I really appreciate the time and effort you put into your research and writing. Your blog is always worth a visit - if it's on Google's first result page that's where I go first for the information I'm looking for.

Keep it up, I'm convinced many other readers appreciate your content at least as much as I do.

Btw, this post helped me quickly set up a TLS certificate in IIS on windows just yesterday :-)

Rick Strahl
June 01, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks @Oliver. I appreciate the kind words. Glad to see my ramblings are useful to some of you :-)

B
July 22, 2016

# re: Using Let's Encrypt with IIS on Windows

Renewals
LetsEncrypt-Win-Simple also includes an interface to renew all certificates easily. You can run:

LetsEncrypt --renew
and it checks all sites it's managing for expiration dates and if expired (or on the day of expiration) it automatically renews and replaces the old cert with a new one. Nice!

The utility also creates a scheduled task that runs this command once a day and fires update requests. Note you might have to tweak the task User Identity settings as described here to ensure that the user is logged on properly when running the scheduled task.


The problem is I cannot find any LetsEncrypt scheduled task, should I create one, and which application should I choose?

Pablo Carrau
September 12, 2016

# re: Using Let's Encrypt with IIS on Windows

I contacted the dev for the Certify program concerning how to handle automated renewals. I suggested adding a command line option to allow us to set a scheduled task. He responded with this:

"At some point in the future I intend to add auto renew as a service to the app. Until then though you could use the ACMESharp powershell scripts (which Certify uses) to script any action you like including renewal."

I'm hoping he develops something soon since Certify has been the easiest way to generate certs so far.

Rick Strahl
September 12, 2016

# re: Using Let's Encrypt with IIS on Windows

@Pablo - unfortunately there are a number of issues with the renewals in Certify. Renewals don't appear to install the proper certificates into the Windows Cert store.

I've actually stepped back from Certify and I'm now using LetsEncrypt-win-simple which seems to be working better with renewals. Recent updates have also made this process much more seamless to get the certs created.

I wish I had time to help out with Certify - it seems such a shame that the project is largely abandoned by the developer (for the same time constraints). It'd be so nice to have a visual way of doing this in addition to the ACME library based solution.

Dan Smith
October 05, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks for this blog post. Saved me a few hours going thru the same exercise finding the best method.

Daniel Smith
@databee

Dave Quested
October 11, 2016

# re: Using Let's Encrypt with IIS on Windows

Hi Rick

Thanks for this article, great help.

Have you found a way to use the LetsEncrypt Win Simple manually and automatically add the IIS binding afterwards? Seems like you have to use the --script param somehow?

We basically want to have a go-live process which runs the LetsEncrypt Win Simple manual command and then ensure that a IIS binding / cert is applied for that site.

Possible? I see you've written an article about PowerShell, but can't quite see how to tie it all together. Any help greatly appreciated!

Dave

Michael
November 09, 2016

# re: Using Let's Encrypt with IIS on Windows

Do you know of a way to use let's encrypt for local certificates such as remote desktop? I have self-signed certificates so it is "encrypted", but that pesky warning message pops up every time. Also, is there a way to use LE with Windows Server Essentials Remote Web Access tool?

Rick Strahl
November 09, 2016

# re: Using Let's Encrypt with IIS on Windows

Let's Encrypt really needs a Web site as it needs to validate the website's domain. You can create a certificate through a Web site and then perhaps use the generated cert for other purposes assuming it's the same type of certificate that is compatible.

Pascal
November 14, 2016

# re: Using Let's Encrypt with IIS on Windows

Thanks a lot for this post. I used LetsEncrypt-Win-Simple and got my site with a valid certificate in 5 minutes!

I have updated the scheduled task with my local admin user to also work when not logged in. Works like a treat.

The last step for me is now to redirect the HTTP site to HTTPS and let Google know about it.

Really cool, thanks.


NetoMeter
November 27, 2016

# re: Using Let's Encrypt with IIS on Windows

We've tested successfully and published a video for both the Lets-encrypt-simple client and the ACMESharp PowerShell Module.

The Lets-encrypt-simple client seems to be more suitable for installing single domain certificates on Windows servers running IIS. The video instructions are available here:

http://www.netometer.com/blog/?p=1758

The ACMESharp PowerShell module is perfect for the automatic installation and renewal of Exchange Multiple Domain (SAN) certificates - the video demo is available here:

http://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server

In the demo, we are scheduling a task in task scheduler to renew the Exchange certificate and it works flawlessly.

Regards,

Dean


Walt
January 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi.

Thanks much for the post on Let's Encrypt. I am now using LE for a company home page. However, I want to redirect all HTTP traffic to the HTTPS protected web site, and from what I understand, LE uses HTTP to request renewals? Will such a redirection cause issues with the automatic renewal?

Thanks much for any suggestions / help! Walt


Rick Strahl
January 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Walt - I use https redirects and it seems to work. I think for the first registration it has to be http, but for renewal https requests seem to work for me.


Justin Braun
February 01, 2017

# re: Using Let's Encrypt with IIS on Windows

Great article, Rick. Been looking for the best way to do this with IIS going forward. This appears to be the best method at this point. Thanks for digging into it and sharing.


Xiao
February 03, 2017

# re: Using Let's Encrypt with IIS on Windows

Hi

I am trying to do my first renewal but when I use LetsEncrypt --renew it tells me that my cert can't be renewed as it is still valid but when I go to my website my cert has expired.

Any else have this issue? I have 2 sites that are using ssl on my site. I checked Require server name identification.


AlexB
February 13, 2017

# re: Using Let's Encrypt with IIS on Windows

Thanks, I can't believe how easy that was... all those years of struggling.


roy
February 19, 2017

# re: Using Let's Encrypt with IIS on Windows

Xiao, did you fix the issue you had with the renewals ? if so, what did you do to fix it ?


Mike Caldera
February 19, 2017

# re: Using Let's Encrypt with IIS on Windows

Thank you for the Information. I had previously given up trying to install these certificates and converting them to IIS7. The Easy Way: LetsEncrypt-Win-Simple was actually the fastest and easiest for me.

Thank you 1000x time.

Mike


Guillaume P
March 09, 2017

# re: Using Let's Encrypt with IIS on Windows

@Rick Strahl : Walt - I use https redirects and it seems to work. I think for the first registration it has to be http, but for renewal https requests seem to work for me.

https redirect works well for renewal but what will happen when expiration date is reached ? the script handles that with submitting a new challenge request but it might need to do a http request as for the 1st run.

What do you think about it ?


Rick Strahl
March 10, 2017

# re: Using Let's Encrypt with IIS on Windows

@Guillaume - I know it works because I have LetsEncrypt-WinSimple handle auto-renewals for me on a couple of sites that auto-redirect to https. I think it's only the first registration that has to go over http even if a cert is already installed.


NetoMeter
March 18, 2017

# re: Using Let's Encrypt with IIS on Windows

Rick,

I think it's only the first registration that has to go over http even if a cert is already installed.

After you create a LE account (that's the first thing the client does) and a private/public key pair which is used for encrypting the communication with LE servers, the registration of the domain names that you need to have included in the certificates is performed, and a successful domain name registration (http-01 validation) with LE is valid for slightly longer than 11 months.

That explains why you don't see http subsequent validations from LE during the certificate renewals while the registration of the Domain Names is still valid - in 12 months, you'll have to perform a new registration (validation) of the names again.

Regards,

Dean


Niko H.
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

Hey Rick!

Great tutorial that you set up here!

I don't find the switch for "including the www." in the certificate. So do I have to install 2 certs for www. and without www. in Windows (?) because Plesk on Linux offers the option to do that by checking a box. Is that a limitation doing that under Windows?

Thanks for any help!

Best regards

Niko


Rick Strahl
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Niko - yes, you have to set up each individual subdomain, including www.mydomain.com and mydomain.com.


Niko
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Rick Thank you! That means I have to install in this case really 2! certs?


Rick Strahl
March 21, 2017

# re: Using Let's Encrypt with IIS on Windows

@Niko - yes, but because you can have certificates auto-renew themselves, having two certificates is really not a problem.


West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2017