I started using WinSimple LetsEncrypt after your first article. I use MailEnable for a mail server and mailEnable used their SSL cert in the Personal bucket rather than the "Web Hosting" bucket.

Question... do you l=know of any way to automatically update the certificate in the "Personal" bucket? Currently I am doing in manually.

Thanks and best wishes for a Happy & Prosperous 2018!

@Gfw - LetsEncrypt WinSimple will automatically renew certificates if you let it install the scheduled task. You may have to play around with which account you use for the task to get it to install into the appropriate certificate store.

How well does LetsEncrypt scale to many sites on one server/app? Right now I've got a hosted website app with 100 or so sites in it right now. It's currently done in a multi-tenant fashion via a single IP binding in IIS. Users can come in and create an account, enter their domain name in the app, then point their @ and www DNS records to my IP and it'll start serving.

I've been wanting to add LetsEncrypt and give everybody HTTPS, but it seems a bit complex. The only way I can think to do it is to add a feature to my app to answer the challenge on their domain, do a separate cert for each site, and then create a separate https binding in IIS for each site using the IP and SNI.

AFAIK, there's no way to do a wildcard SNI binding that will pick the right cert for hostname, you've got to create a separate binding for each one.

Should work, theoretically, but an app with 100s of bindings and LetsEncrypt managing and renewing 100s of certs gives me the heebyjeebies.

Is the IIS tooling solid enough that I can rely on it for something like that?

@Chris - It should work, but if you're going to have 100's of domains and mapping them dynamically it's probably much easier to use a wildcard domain and be done with it - even if it costs $100 or whatever. I haven't checked what the status of wildcard domains is with Let's Encrypt since the article, but last I checked it looks like it's still a ways off.

As far as I know there's not a good way to do a wildcard cert across multiple domains, or I'd definitely do that. You can do a subdomain wildcard, but that's so 1990's geocities style. Nowadays folks want their own domains. LetsEncrypt is rolling out wildcard subdomain support this month and next: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html which is cool, but it doesn't hit this use case.

You can do a SAN/multi-domain certificate, but you have to reissue and reinstall it every time you add a domain, which you can only do by hand, and those suckers are expensive.

Huh, that's interesting, LetsEncrypt does let you do a SAN cert: https://letsencrypt.org/docs/faq/#can-i-get-a-certificate-for-multiple-domain-names-san-certificates-or-ucc-certificates

So I guess the question is, is it better to create one big cert with all of the domains and have to regenerate and reinstall that single cert any time you add a domain? Or is it better to manage 100s but not have to keep reinstalling.

I'm guessing you're right and the SAN cert is the way to go via LetsEncrypt... now to figure out how to do that from .NET because many of those options seem to have limited support on the .NET/IIS side.

Thanks for letting me ramble on and come to my own conclusions 😄

Hi @Chris, @Rick,

A Wildcard domain certificate is not the solution for Chris' problem, since a wildcard will only cover all SUBdomains of a registered domain you already own (f.i. *.west-wind.com).

In this case the complete domain will be different for each added customer account. I only see the solution where for each added domain, a specific binding is added in IIS (this can probably be automated in a Powershell script), and right after that a new WinSimple LetsEncrypt refresh of the SAN of that web instance is being issued.

I think this could work, but be carefull with LetsEncrypts rate limits, when your app service is becoming very popular! (Here's more info on this subject: https://serverfault.com/questions/391311/how-many-domains-can-be-bound-with-one-ssl-certificate)

Hope this helps, Teun.

@Red Feet - ah, I missed the different domains part. In that case there's no option but to generate new certificates. How else could this possibly work? 😃

AFAIK, rate limits only apply to same domain registrations, so registering for multiple different domains shouldn't be a problem unless you do them all at once (ie. hammering the LE servers) which would be a bad idea.

In terms of wildcard domains - apparently coming 27th Feb - https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Good Articles