Certificate for ADFS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I would like to install ADFS role on Domain Controller and use Let’s Encrypt certificate to complete ADFS configuration.

I will run ACME client on DC and follow the prompt to complete the process. Where and how do, I provide adfs certificate name (i.e want the certificate called adfs.ramlan.ca)?

My domain is: ramlan.ca

I ran this command:

It produced this output:

My web server is (include version): IIS 10 on Domain Controller

The operating system my web server runs on is (include version): Windows Server 2019 v1809

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes - As Admin

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

That’s going to depend entirely on what client you use. For certbot, as with many other CLI clients, you’d add -d adfs.ramlan.ca to the command.

I will be using ACME client. For creating certificate should, I use option N or M and there after…

Here is the screen shot
1

I’m not in the least familiar with that client. I’d think you should use option M from this screen, but after that consult the documentation for that client and see how to specify a domain name and validate it.

OK will keep trying.

I am getting this error while generating new ssl certificate. Do, I need to add any record at GoDaddy (A Record or @ Record or anything)

Hi @ramg1967

if you want to use http validation, a working webserver is required. That requires a public ip address your domain -> your ip.

See

1 Like

Do, I have the option to pick https validation - if so do, I need to add any entry at GoDaddy and what selection, I should select during acme process?

I did not have this kind of issue when, I obtained SSL certificate for Exchange Server 2019. I did have few issue with autodiscover and firewall port forwarding. I fixed those issue and the certificate was issued and the renewal worked fine. Not this time for ADFS.

Why are you trying to obtain a cert for www.adfs.ramlan.ca? You’d said earlier that you only wanted one for adfs.ramlan.ca.

Yes one only. My domain is ramlan.ca and for adfs I want the certificate name adfs.ramlan.ca

See screen shots…

…which are of you doing something different than you did last time–at that time, it was trying to validate www.adfs.ramlan.ca. Now it isn’t. That’s good, but you still need DNS records set up pointing to your server.

You mean at GoDaddy or on the Router (Port Forwarding section)?

I did enable port forwarding for adfs server (Both Port 80 and 443) and firewall disabled.

Which would Let’s Encrypt be able to see?

Those are good. Does either of them tell Let’s Encrypt what IP address to use to connect to adfs.ramlan.ca?

On the local dns I created A record pointing to public ip address. Do, I still need to create a record on GoDaddy? Still getting same error. I am too weak in IIS. Might have to learn a lot and understand how IIS works…

a public visiable record for LE’s server can see. A or AAAA record for http/tls-alpn challenge, txt record for dns challenge.

I was able to get it working. The screen shot. This is what I did

Local DNS - A record pointing to Public IP
GoDaddy - A record pointing to Public IP

Tried the certificate again and it completed successfully. I was able to export the certificate in PFX so, I can use it during ADFS role install and complete ADFS configuration.

This certificate is valid for 90 day and it will auto renew using task scheduler that is created as well.

Thanks for all the help. Maybe, I will document this entire process for future reference.

Ram

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/where-to-place-a-federation-server
looks like this server shouldn’t visible from internet,(only ADSF proxy should) maybe you want to use different account with dns challenge, acme.sh supports that, but it’s bash script…

OK will check the link.

This is lab setup for adfs learning. After that, I will shutdown the system.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.