How can I order an SSL cert for a domain (which is used on IIS win) from my local linux machine?

Why not use a Windows client?

ACMESharp
Certify
letsencrypt-win-simple

Andrei

@ahaw021 Thanks for the reply. Actually, I don’t have access to that IIS Windows server; there is another guy who will set it up there, and it needs us to send the certificate and key files to him. Is there any way to do it with LetsEncrypt?

Yes, Certbot will dump all the certificates, key and intermediates into a known location. You can copy them from there and give them to the Windows guys.

You can see a screenshot of this here: Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10

Please note: Certbot cannot create PFX files (which Windows natively prefers), but you can do this with openssl, or your Windows guy can do it.

Search Google for PFX openssl (there are plenty of guides).

Andrei
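The PFX step mentioned in the reply above, as an added example that is not part of the original thread: it bundles Certbot's `privkey.pem` and `fullchain.pem` into a password-protected PFX with openssl and checks that the bundled certificate matches the private key before the file is handed over. The function names, the `example.test` certificate and the demo password are constructed for illustration.

```shell
#!/bin/sh
# Certbot leaves privkey.pem and fullchain.pem in /etc/letsencrypt/live/<domain>/.

# make_pfx LIVE_DIR OUT_PFX PASSFILE: bundle key + leaf + intermediates into a PFX.
make_pfx() {
    # umask 077: the PFX holds the private key, so keep it owner-readable only.
    # file:PASSFILE keeps the export password out of the process list.
    # Older Windows builds may reject the default PFX encryption of OpenSSL 3.x;
    # if the import fails there, add:
    #   -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
    ( umask 077
      openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
          -out "$2" -passout "file:$3" )
}

# pfx_matches_key PFX PASSFILE KEY: succeed only if the PFX leaf cert belongs to KEY.
pfx_matches_key() {
    # Compare the public key inside the bundled certificate with the one
    # derived from the private key; empty output (a read error) never matches.
    from_pfx=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
               openssl x509 -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$from_pfx" ] && [ "$from_pfx" = "$from_key" ]
}

# Constructed demo: a throwaway self-signed cert stands in for Certbot's output.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" 2>/dev/null
    ( umask 077; printf '%s\n' 'constructed-demo-password' > "$d/pass.txt" )
    make_pfx "$d" "$d/site.pfx" "$d/pass.txt" &&
        pfx_matches_key "$d/site.pfx" "$d/pass.txt" "$d/privkey.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

The PFX and its password are as sensitive as the private key itself, so send them over separate channels and delete the copies once the certificate is installed.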

@ahaw021 Thanks, I just tried Certbot based on this link: https://certbot.eff.org/#ubuntuxenial-other however I got some errors:

Domain: www.mydomain.no
Type: unauthorized
Detail: Invalid response from http://www.mydomain.no/.well-known/acme-challenge/-MF2vgpMoXqkTTmqFQxEi7ePR4yLzlEmzxtciaRW-hA [104.45.81.79]: 404

Do you know how it can be fixed?

So the trouble with using Certbot on a machine that isn’t actually the web server is that Certbot has to make changes to your web site in order to prove that you control the domain name. Its normal methods probably won’t have any effect if the web site is actually served from a separate machine. That’s probably the reason for the error you’re seeing here.

There are many workarounds for this, but I might ask whether you have in mind a way that the Linux machine can change the contents of the web site remotely on the Windows machine, e.g. by something like scp or a network-mounted filesystem. If not, is there a way that the Linux machine can update DNS records in the domain name’s DNS zone file, like via a DNS provider API?

@schoen Thanks for the reply. I don’t have remote access to the IIS server; however, I have access to the DNS provider. Would it help? Can I use this https://zerossl.com/free-ssl/ to get a certificate?

Yes, if you use zerossl, it gives you clear instructions on what you need to do to pass the challenge using the DNS method.

Andrei

Remember that you’ll have to repeat this process at least once every three months.

@schoen Oh, that doesn’t seem good at all. Thanks for letting me know. Then I’ll go for another provider; I need it for at least one year.

Out of curiosity, is there any reason why “another guy” canʼt do this for you? If he has the access to the server serving for your domain then he should have the ability to issue the certificates for your domain. That way he could set up automatic renewal of the certificate.

@Nekit That’s a good question, I’m not sure actually. I have access to the domain provider, so I can go for DNS verification. But regarding the automatic renewal, how could it be automatic when I order it using zerossl? (We are gonna upload the certificate on Azure Portal.)

I see that there is some sort of plugin for that
https://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/6737285-add-support-for-free-ssl-certs-like-those-from-let

Initially you didnʼt specify that the certificate will be (manually, apparently?) uploaded somewhere. In an average Windows case, the suggestions from @ahaw021’s first reply would work.

If you’re going to be on Azure and don’t hit the limitations of using it, the Let’s Encrypt extension you can add to Web Applications works great. We’re using it where I work, and it fits our needs very well.

Likewise, letsencrypt-win-simple is great for full servers.
