Rick Strahl's Weblog  

Wind, waves, code and everything in between...
.NET • C# • Markdown • WPF • All Things Web
Contact   •   Articles   •   Products   •   Support   •   Advertise
Sponsored by:
West Wind WebSurge - Rest Client and Http Load Testing for Windows

Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates


:P
On this page:

I'm happy to point at my new CoDe Magazine article Securing IIS Web Sites with Let's Encrypt Certificates which is in the January/February edition issue:

I've written a few times about Let's Encrypt, which is an open source platform and protocol that provides free TLS certificates along with an API to facilitate automation of the certificate generation process. Additional tools provided by third parties then provide support features that make it drop dead simple to automatically create certificates and install them into Web Servers of choice.

This article summarizes the hows and whys of Lets Encrypt and provides a quick start on how you can use Lets Encrypt with standalone IIS servers. There really is no more excuse for even running that small hobby site that's public facing without IIS.

Go check it out and while you're at it check out the rest of this issue of CODE Magazine.

Posted in Security  

The Voices of Reason


 

Gfw
December 28, 2017

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

I started using WinSimple LetsEncrypt after your first article. I use MailEnable for a mail server and mailEnable used their SSL cert in the Personal bucket rather than the "Web Hosting" bucket.

Question... do you l=know of any way to automatically update the certificate in the "Personal" bucket? Currently I am doing in manually.

Thanks and best wishes for a Happy & Prosperous 2018!


Rick Strahl
December 29, 2017

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

@Gfw - LetsEncrypt WinSimple will automatically renew certificates if you let it install the scheduled task. You may have to play around with which account you use for the task to get it to install into the appropriate certificate store.


Chris Hynes
January 04, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

How well does LetsEncrypt scale to many sites on one server/app? Right now I've got a hosted website app with 100 or so sites in it right now. It's currently done in a multi-tenant fashion via a single IP binding in IIS. Users can come in and create an account, enter their domain name in the app, then point their @ and www DNS records to my IP and it'll start serving.

I've been wanting to add LetsEncrypt and give everybody HTTPS, but it seems a bit complex. The only way I can think to do it is to add a feature to my app to answer the challenge on their domain, do a separate cert for each site, and then create a separate https binding in IIS for each site using the IP and SNI.

AFAIK, there's no way to do a wildcard SNI binding that will pick the right cert for hostname, you've got to create a separate binding for each one.

Should work, theoretically, but an app with 100s of bindings and LetsEncrypt managing and renewing 100s of certs gives me the heebyjeebies.

Is the IIS tooling solid enough that I can rely on it for something like that?


Rick Strahl
January 04, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

@Chris - It should work, but if you're going to have 100's of domains and mapping them dynamically it's probably much easier to use a wildcard domain and be done with it - even if it costs $100 or whatever. I haven't checked what the status of wildcard domains is with Let's Encrypt since the article, but last I checked it looks like it's still a ways off.


Chris Hynes
January 05, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

As far as I know there's not a good way to do a wildcard cert across multiple domains, or I'd definitely do that. You can do a subdomain wildcard, but that's so 1990's geocities style. Nowadays folks want their own domains. LetsEncrypt is rolling out wildcard subdomain support this month and next: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html which is cool, but it doesn't hit this use case.

You can do a SAN/multi-domain certificate, but you have to reissue and reinstall it every time you add a domain, which you can only do by hand, and those suckers are expensive.

Huh, that's interesting, LetsEncrypt does let you do a SAN cert: https://letsencrypt.org/docs/faq/#can-i-get-a-certificate-for-multiple-domain-names-san-certificates-or-ucc-certificates

So I guess the question is, is it better to create one big cert with all of the domains and have to regenerate and reinstall that single cert any time you add a domain? Or is it better to manage 100s but not have to keep reinstalling.

I'm guessing you're right and the SAN cert is the way to go via LetsEncrypt... now to figure out how to do that from .NET because many of those options seem to have limited support on the .NET/IIS side.

Thanks for letting me ramble on and come to my own conclusions 😄


Red Feet
January 08, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

Hi @Chris, @Rick,

A Wildcard domain certificate is not the solution for Chris' problem, since a wildcard will only cover all SUBdomains of a registered domain you already own (f.i. *.west-wind.com).

In this case the complete domain will be different for each added customer account. I only see the solution where for each added domain, a specific binding is added in IIS (this can probably be automated in a Powershell script), and right after that a new WinSimple LetsEncrypt refresh of the SAN of that web instance is being issued.

I think this could work, but be carefull with LetsEncrypts rate limits, when your app service is becoming very popular! (Here's more info on this subject: https://serverfault.com/questions/391311/how-many-domains-can-be-bound-with-one-ssl-certificate)

Hope this helps, Teun.


Rick Strahl
January 08, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

@Red Feet - ah, I missed the different domains part. In that case there's no option but to generate new certificates. How else could this possibly work? 😃

AFAIK, rate limits only apply to same domain registrations, so registering for multiple different domains shouldn't be a problem unless you do them all at once (ie. hammering the LE servers) which would be a bad idea.


Paul
January 14, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

In terms of wildcard domains - apparently coming 27th Feb - https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html


Yuvraj
February 09, 2018

# re: Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates

Good Articles


West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024