Full steps to apply domain and SSL certifications (Apache and IIS7 services)


#1

Hi dear Let’s Encrypt team.
I currently have a service on Windows Server 2008 R2, with Apache for one service and IIS7 for the other; these are two services on two distinct ports, 8080 and 9090.
Actually, my clients access our service using only the public IP of the server.
But we would like to apply SSL using LE.

What are the steps to apply a domain and SSL to my application? I suppose they could be these:

Phase 1:

  1. Buy a domain.
  2. Configure the domain and redirect it to one of my public IPs.
  3. Set up the domain in my Windows Server 2008.

Phase 2:
In this part I suppose your support is necessary to explain to me the process of setting up the SSL.

Please let me know if I forgot something to apply the domain and SSL certificate to my public IP on my server.

Greetings.


#2

Hi,

Step 2 needs some correction… as it should be pointing to a domain (instead of redirecting), since Let’s Encrypt does not follow redirections to an IP address.

Phase 2:
Please choose one of the Windows clients (from the link below) that could run on your server and follow their directions to request a certificate.

Thank you


#3

Because of industry rules from the CA/Browser Forum, Let’s Encrypt only lets you use certain port numbers to prove your control over a domain name when requesting a certificate. Currently for new certificate issuances, you must be able to accept an initial connection from the certificate authority on port 80 (not 8080 or 9090).

After the certificate is issued, you can use it on any TLS service on any port number (but you will need to use port 80 again for proving your continued control over the domain name during certificate renewals).


#4

I forgot to mention something about my case. I have a domain (bolivia.com.bo) and in the cPanel DNS Zones I set a record as an A record, setting in it the public IP of my WServer 2008 R2.

Actually, my clients login to my platform using an IP like 200.87.140.33:80/service; this, in the web browser, redirects the user to my platform. This is my service that uses port 80 and IIS as a web server. And the same is for my other service that uses Apache as a web server, but using 9090. On this last one, the clients need to type 200.87.140.33:9090/service2.

  • Continuing with my case, do I need to buy a different domain or is it possible to use a subdomain from my actual provider?
  • Second, is it necessary to set up the DNS service in WServer 2008 or not?
  • In the binding option, is it necessary to set any special configuration previously? Because in my case I have only the files of my project in inetpub/wwwroot/service1.

Please let me know if I need more things before trying to apply LEncrypt to my server.

Greetings.


#6

Actually, my clients login to my platform

A useful thing to know is that “actual”/“actually” in English mean “true/in truth”. “Current”/“currently” are better equivalents of the Spanish “actual”/“actualmente”.

You shouldn’t need a different domain.

How is your DNS configured now?

There are three steps to think about for your configuration.

Step 1: Obtaining the certificate

The Let’s Encrypt certificate can refer to one or more names. For each name covered by the certificate, your Let’s Encrypt client software needs to prove that you control that name.

Currently, there are two practical ways to do this: either by creating a file on the web server or by creating a DNS TXT record.

For the file method, the inbound validation connection will arrive on port 80 of your server and so you must be able to create the appropriate file in the HTTP service on port 80, whichever software is providing that service.

For the DNS method, you normally need to have an API from your DNS provider that allows you to create DNS TXT records from software on your server. Some DNS providers have such APIs, and others don’t.

Step 2: Applying the certificate

You’ll need to configure both Apache and IIS to use the certificate. Both applications will need to listen on a different port for HTTPS than for HTTP. So, you’ll need to have four different port numbers: HTTP for Apache, HTTP for IIS, HTTPS for Apache, and HTTPS for IIS (unless you want to completely stop offering unencrypted HTTP services for one or both of the services).

This may require converting the file format because the certificate format expected by IIS is usually different from the certificate format expected by Apache. You don’t need to obtain separate certificates (even if the services are accessed using separate names, your certificate can be requested to apply to both names), but you do need to make copies in the appropriate file formats. People often use the openssl program to perform these conversions.

You can configure the Apache server by editing configuration files (creating an HTTPS virtualhost), while you can configure the IIS server using its graphical interface (creating an HTTPS binding).

Step 3: Renewing the certificate

Let’s Encrypt certificates only last for 90 days so an important challenge would be to create scripts that can repeat all of these steps automatically in order to obtain a new certificate. This might be a relatively complex task because Let’s Encrypt client applications commonly offer integration with Apache, or integration with IIS, but not both. So your Let’s Encrypt client application may not include functionality for updating the certificate in both server applications.

I speak Spanish but I am a non-native speaker; it might also be useful to invite @sahsanu, who is a native speaker and has already helped many users here in Spanish.
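Step 2 and Step 3 of the reply above both come down to one mechanical task: turning the PEM files that Apache reads (privkey.pem and fullchain.pem) into the single password-protected PKCS#12 (.pfx) bundle that IIS imports, and repeating that after every 90-day renewal. The script below is an added example, not code from this thread or from any Let’s Encrypt client. It generates a throwaway self-signed key and certificate as a constructed stand-in for the files a Let’s Encrypt client writes, bundles them with openssl, and then checks the bundle the way you would before touching a production binding: that it opens with the export password, that the leaf subject is the expected name, and that the private key inside actually belongs to the certificate inside (a mismatched pair imports fine into IIS and then fails at the binding). The name `service.example`, the password, the `deploy_hook` function name and the `$WORK` directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or any Let's Encrypt client): convert the
# PEM files Apache uses into the .pfx bundle IIS imports, then verify it.
# Everything here is constructed: a self-signed key/cert stands in for the real
# privkey.pem/fullchain.pem, and "service.example" is a placeholder name.
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for the files a Let's Encrypt client writes to its
# live directory (privkey.pem = private key, fullchain.pem = leaf + chain).
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=service.example" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
}

# Apache: SSLCertificateFile / SSLCertificateKeyFile point straight at the PEM
# files. IIS: needs one password-protected .pfx holding key + cert + chain.
# $1 private key, $2 certificate chain, $3 output .pfx, $4 export password
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -name "letsencrypt-$(date +%Y%m%d)" -passout "pass:$4"
}

# Subject of the leaf certificate inside the .pfx, in a version-stable form
# (RFC2253 formatting gives "CN=..." on both old and new openssl releases).
# $1 .pfx, $2 password
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Returns 0 only when the private key inside the .pfx matches the certificate
# inside it. Both sides are rendered as SubjectPublicKeyInfo PEM and compared;
# a wrong password or an empty bundle yields an empty key and therefore fails.
# $1 .pfx, $2 password
pfx_key_matches_cert() {
    key_pub="$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)" || key_pub=""
    cert_pub="$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null)" || cert_pub=""
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Renewal (Step 3): the piece a Let's Encrypt client does not do for the
# "other" server. Run it after each successful renewal so the IIS side gets the
# fresh certificate too. Fails (non-zero) if the new bundle is inconsistent.
# $1 directory holding privkey.pem/fullchain.pem, $2 export password
deploy_hook() {
    out="$1/service.pfx"
    pem_to_pfx "$1/privkey.pem" "$1/fullchain.pem" "$out" "$2"
    pfx_key_matches_cert "$out" "$2"
    printf '%s\n' "$out"
}

main() {
    make_stand_in_cert
    pfx="$(deploy_hook "$WORK" changeit)"
    echo "bundle: $pfx  subject: $(pfx_subject "$pfx" changeit)"
}

main
```

On a real server you would point `deploy_hook` at the client’s live directory instead of `$WORK` and register it as the client’s post-renewal script (certbot calls this a deploy hook; other Windows clients have an equivalent "run script after renewal" option), then import the resulting .pfx on the IIS side and update the HTTPS binding. Apache only needs a graceful reload after renewal, because it reads the PEM files directly.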