I ran this command: letsencrypt.exe --san --warmup
It produced this output:
My web server is (include version): IIS
The operating system my web server runs on is (include version): Win Server 2012
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
I'm having issues when a SAN certificate I created for 3 different domains renews.
This is created using commandline connecting to IIS.
All sites have domain bindings for www and non www
e.g. www.domain.com & domain.com
The problem is that the applications which run on them have 301 redirects for:
nonwww to www
http to https
This is a requirement from an SEO and operational perspective.
However, this causes an issue with the validation process for letsencrypt, because it needs to access the “.well-known” directories and files under each of these separately.
This fails, and so the certificate can't be updated.
There are two ways forward for you which don’t involve big changes:
1. The Let’s Encrypt service follows 301 redirects just fine, so put those /.well-known/ files in the place the redirections will lead to and it should pass validation just fine. If it doesn’t please make sure you fill out the “It produced this output” part of the standard questions so people have some idea what went wrong.
2. You can exempt the /.well-known/ directory from the redirect rule, how to do this will depend on how IIS is configured and I’m not an expert on that, but I’m sure IIS web sites or the documentation can explain how to redirect other parts of the site (for SEO) without changing that one directory.
If you're just using the IIS HTTP Redirect Module, you'll need to have both check boxes in the Redirect Behavior section unchecked so the path to the verification file is preserved on redirect. You can then just specify the webroot used by the redirect destination when issuing your certificate.
If you're using rewrite rules or another method to redirect and are getting errors, you likely need to fix them to preserve the paths, or else bypass them entirely for verification (option 2).
OK, thanks, yes that's given me an idea. The redirection happens in the application rather than in IIS settings in web.config, but if I stop this, and move to web.config, I can then just put in a rule to only do the redirects if it's not processing a validation for /.well-known/.
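As an added example (not posted by anyone in this thread), here is what the web.config approach from the last reply can look like with the IIS URL Rewrite module: one rule leaves /.well-known/acme-challenge/ requests alone, and a second rule sends everything else that is non-www or plain http to the https://www address with a permanent redirect. It assumes the URL Rewrite module is installed and uses the placeholder host name domain.com from the thread.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: stop processing for ACME challenge requests so the
             validation file is served from this site's webroot unchanged -->
        <rule name="Exempt ACME challenge" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/.*" />
          <action type="None" />
        </rule>

        <!-- Rule 2: 301 everything else to https://www.domain.com, keeping
             the original path so nothing downstream is lost -->
        <rule name="Redirect to https www" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAny">
            <!-- request arrived over plain http -->
            <add input="{HTTPS}" pattern="off" />
            <!-- request used the non-www host (domain.com is a placeholder) -->
            <add input="{HTTP_HOST}" pattern="^domain\.com$" />
          </conditions>
          <action type="Redirect" url="https://www.domain.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rule order matters: the exemption must come first, and stopProcessing on it prevents the redirect rule from ever seeing the challenge request.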