How Letsencrypt work for windows IIS?

I always using windows system, now using windows 2012 Server IIS8.5, please tell me how this work in windows system?

Letsencrypt client?

You can try to apply to the certificate by Linux, then imported into IIS

I not very know how do it in linux. I hope has an GUI tool for windows is good.

Hi @yon, I don’t think that anyone has developed a Windows GUI for integrating Let’s Encrypt with IIS.

To my knowledge the furthest-along project to integrate IIS with Let’s Encrypt is

This project uses PowerShell so it can run entirely on Windows, but it is not a GUI; it uses the Windows command line.

I hope it’s helpful to you. If you find that it works or doesn’t work for your situation, I’m sure the developer could benefit from your feedback. Also remember that you can’t get publicly-trusted certificates from Let’s Encrypt yet unless you’ve applied to participate in the beta program and your application has been accepted.

Here’s my feedback for them: https://github.com/ebekker/letsencrypt-win/issues/10

What do I run to install a powershell module from github?

@LoneCoder, thanks for asking over there; hopefully somebody will produce a useful guide to installing that Windows client and then we can update this thread with details or a reference.

I created a new .net client that should be much easier to use. I’m aiming for a similar level of experience as the main python client.

You can get a build of the new client here: https://github.com/ebekker/letsencrypt-win/issues/12

I’ve run into an issue that’s going to be a real pain unless someone can tweak the LetsEncrypt ACME servers a bit. Who do I talk to about that?

Here’s a direct link to the new client build:

LoneCoder: That new client build worked GREAT for me. I had to do one step at the end with OpenSSL.exe to combine the pieces into a PFX that would import into IIS on Win2012.

openssl pkcs12 -export -out name.pfx -inkey name-key.pem -in name-crt.pem

Also I didn’t realize right away that I had to run the client on the (public) server so that DNS would resolve the domain name to the copy of IIS where the client was running. But all in all, great first result. Thank you.

[quote=“ghw, post:2, topic:2106, full:true”]
You can try to apply to the certificate by Linux, then imported into IIS
[/quote]Yep, that’s what I do for F5 load balancer
Shouldn’t be a problem to use certificate on any OS.

[quote=“LoneCoder, post:7, topic:2106”]
Extensionless Static Files are disabled in IIS and are extremely tricky to enable.
Here’s the error message I put into the client…
[/quote]Yep, it’s singleliner:

@%SystemRoot%\System32\inetsrv\appcmd set config -section:staticContent -+"[fileExtension='.', mimeType='text/plain']"

I'll add creating a web.config to the windows CLI client. That's easy enough for the mime-type.

The second part where StaticFile needs to be ordered higher was needed on my systems. Maybe because I've been using ASP.net MVC on them. I had to find and follow this: asp.net - extensionless image file not visible in IIS7.5 - Stack Overflow

It can be done in a web.config as well but it dumps out all of the handlers (there's like a hundred) to define a new sort order, which isn't a very good solution.

I just want this to be as painless as possible. Asking someone to go mess with their IIS config and potentially breaking things or creating security holes is not a good solution. Seems like a real pain when a small tweak to the ACME server would solve the problem.

Running the build on Windows server 2012 with iis 8.5 results in an error message (I did apply the Extensionless Static File fix):

Authorizing Identifier www.******.com

Unhandled Exception: LetsEncrypt.ACME.AcmeClient+AcmeWebException:
Unexpected error ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at LetsEncrypt.ACME.AcmeClient.RequestHttpPost(Uri uri, Object message) in C:\Users\bryan\Documents\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME\AcmeClient.cs:line 606
--- End of inner exception stack trace ---
at LetsEncrypt.ACME.AcmeClient.AuthorizeIdentifier(String dnsIdentifier) in C:\Users\bryan\Documents\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME\AcmeClient.cs:line 261
at LetsEncrypt.ACME.CLI.Program.Authorize(AcmeClient client, String dnsIdentifier, String webRootPath) in C:\Users\bryan\Documents\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME.CLI\Program.cs:line 305
at LetsEncrypt.ACME.CLI.Program.Auto(AcmeClient client, SiteHost siteHost) in C:\Users\bryan\Documents\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME.CLI\Program.cs:line 139
at LetsEncrypt.ACME.CLI.Program.Main(String[] args) in C:\Users\bryan\Documents\letsencrypt-win\letsencrypt-win\LetsEncrypt.ACME.CLI\Program.cs:line 80

What am I doing wrong? Choosen: Yes, Yes, 1.

I’d rather have something that works with windows that doesnt need IIS but also does manual mode so I can use it with my xampp

That’s really odd. Is the hostname maybe not white listed yet? Does it work on the test server? I’ll try to add better error handling to dump out any message returned by the ACME server.

Here’s a new release and build location of my simple windows CLI client. It now will fully install the certs if you’d like.

Hi everyone

I was hopping to understand a bit better what’s the client is acutally doing but I still can’t even if if seems to work
3 things :

• Is there any source about this CLI Client ? I’ve made some changes too to the POSH project to debug it but i could not go much further
• It needs proxy settings because it crashing when i’m using it behind a corporate proxy. the JSON request actually return html (because the app.config is not configure and the code does not detect anything) wich ends up crashing on some newtonsoft Json Parse. (Maybe trying to use default system proxy would work the code inside POSH module does not work for that either AND IS BADLY documented 'cause it read json config)
• It crash it not in elevated privilege ith UAC Activated

And once the app.config is well configure and run in admin, It prompts 2 questions :

• “Use production Let’s Encrypt server? (Y/N)” <== Whats is the real difference, i guess it for debug or not but i’m still ondering
• And then it ask to “Cert all bindings”

Logs :
ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\XX\AppData\Roaming\LetsEncrypt\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\XX\AppData\Roaming\LetsEncrypt\httpsacme-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\XX\AppData\Roaming\LetsEncrypt\httpsacme-v01.api.letsencrypt.org\Registration

Scanning IIS 7 Site Bindings for Hosts (Elevated Permissions Required)
IIS Bindings

A: Cert all bindings (ENCRYPT ALL THE THINGS!)
Q: Quit
Which binding do you want to get a cert for: A

…>

So now it’s poking me … I’m wondering where is the “crt” file is generated, and where ?

So i went into the specifed :
C:\Users\XX\AppData\Roaming\LetsEncrypt\httpsacme-v01.api.letsencrypt.org
And i can find 2 files :
“Registration” and “Signer”

The Signer file looks like :
… …
The Registration one is a JSON File is, I guess used for the TOS acceptance but i’m not sure

My final goal is to have “something” that i can use on Azure for an MVC6 WebSite … so i’m not sure i’m interested in anything that modify my local IIS config files.
And the last question is probably … Will i ever be prompted who i am for the “certificate” ? Because so far i still don’t get how i’ll get a certificate that protect from Man in the Middle if the certificate generated do not ask either who I am or what dns am I trying to use since I was asked a dns to be whitelisted

Hi again,

I think i found indirect answer …
I’ve just decompiled your code
I found out that instead of telling that there’s no Website in the Local IIS with actual “HostName” you’re still prompt for “All” or “Nothing”
=> I guess it’s a bug because even If I choose “All” it won’t do anything and quit.

So based on that I tried to mock my AzureWebSite locally :

• I’ve created a dummy web site
• Mapped on my local repository of this Azure WebSite
• I’ve added the SAME (this is important) Hostname. AKA : http://toto.azurewebsites.net/
• Ran again your tool

I finally understood that the Challenge, in fact, create two file locally in :

• .well-known\acme-challenge\SomeNameBasedOnChallenge
• .well-known\acme-challenge\web.config for JSON :
  fileExtension = ".*" mimeType="text/json"
  (still not sure why 'cause the Challenge file contains an encrypted text (almost the same as the file name) (not base64 either)

And i finally got an interesting error message :
The ACME server was probably unable to reach http://toto.azurewebsites.net/.well-known/acme-challenge/SomeNameBasedOnChallenge

So i’m guessing this is how ACME is sure of who I am since they already got the whitelist and the process will continue after that …

So unless I implement an MsDeploy upload for these 2 files on Azure (or using FTP) … I’m stuck

If you get more info on my 2 posts here do not hesitate
I’m a beginner about https / acme / challenge etc … i’m into LetsEncrypt for less than one day so i’m not sure everything i’ve said is right but this is where I am today

@Alexandre Thanks for all the feedback and sorry you ran into so much trouble. I’ll try to fix the problems you experienced.

The current source for the client can be found here: https://github.com/Lone-Coder/letsencrypt-win-simple

I’m thinking of adding an option to manually specify a host name and output path for the answer, but that still won’t get them automatically uploaded for 60 day cert renewals, so azure is going to be tricky. Also we’ll need some automated way to get the cert installed and configured on azure, which could be even trickier.

Hi @LoneCoder, you can comment at the

page (for example by creating an issue there) or join the #letsencrypt-dev IRC channel.