How Letsencrypt work for windows IIS?

hey,
I got my letsencrypt beta access a few weeks ago, but was unable to use it until now because I was unable to determine how to get it to work in windows environments.
I just downloaded your client und set it up on my IIS and it works. Really great job!

I have 2 questions though:

Is it by design, that your webserver needs to be accessible via http from the internet to request / renew certificates or is it only required for the initial certificate request?

Is it possible to use this tool to request a SAN cert, for example if I’m using mail.domain.com, remote.domain.com, web.domain.com, proxy.anotherdomain.com (letsencrypt granted me access to request certs for given domains)?

Assuming you are referring to: https://github.com/Lone-Coder/letsencrypt-win-simple

Yes you would have to have your web server accessible via HTTP for renews. (Last word from jsha was there was no validation period decided upon but should be expected to be about the same time as renewal).

SAN certificates are on the issue list and you can follow the progress here: https://github.com/Lone-Coder/letsencrypt-win-simple/issues/3

To add to what @molyfra said, there will most likely be a DNS-based challenge in the future, which should make it easier to get certificates for internal services.

@lonecoder - any plans to have a mode where I can specify the hosts? I use lighttpd on Windows, so I just need something to pull down the certs.

Hi Lonecoder,

It was indeed the part where my domain wasn’t whitelisted yet.

greets

Just released a new version 1.4 over at https://github.com/Lone-Coder/letsencrypt-win-simple/releases.

No SAN support yet, but the new build has a plugin system to make it easy to support additional server types.

Adding a new server type can be as easy as adding a subclass of the following to the project and implementing just two methods.

https://github.com/Lone-Coder/letsencrypt-win-simple/blob/master/letsencrypt-win-simple/Plugin/Plugin.cs

Also added a manual certificate mode that will get a cert and install it in the store and save it to disk for you. It’s not going to work well for renewals yet. I’m thinking of adding a system to run a batch file to run

I’d love to see server modules for lighttpd, apache, AWS, azure, etc.

Also improved the error handling in this build to dump errors that come back from the ACME server better.

What language is that? I at least never saw .cs files.

It's C#. Project was created using the free community edition of Visual Studio that you can grab here: https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx

I have try it. but it seem not normal work. my system windows 2012 R2.

only run to the line,and then it is close. Have you build an GUI softeware ?
Answer should now be browsable at http://office.cooltext.com/.well-known/acme-c
hallenge/ky_uLAH0x2O2452Vos5dMpQ1hiRj6cV7SJAnUoT8qHg
Submitting answer
Refreshing authorization

Hi LoneCoder, Great Code. One question though. Is it possible to use or tweak this for Apache server hosted on Windows or strictly IIS. If just IIS, is it then possible to get the certificate file created and add to the certificate store so same is usable on an Apache engine on IIS

Great work nonetheless. I am looking to try test out but may need to go offline on my Apache to configure IIS

Adding Apache support could be as easy as adding a class and implementing two methods. One that scans config and lists hostnames and another to install the cert with apache. Check the plugin folder for examples.

Manual mode can get a cert without IIS, but can't really do automatic renewals for you.

Does it currently crash if IIS is not installed?

1 Like

Yea, it crashes without IIS.
I however went ahead to install an IIS engine on a different port and then ran it again, but specified the path to the Apache point and it connected fine and generated the certificate but installed it into IIS.

For now I just exported it and then went ahead to use OpenSSL to convert to get the necessary pem and cer files for Apache. Kinda a long process but it worked. My thought is that a lot of people use Apache on Windows so in the end, I’ll hope someone looks at a direct way to help sort this.

Thumbs up all the same. You are a life saver.

The pem and "der" files are dumped to %appdata%\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org for you. Are they usable from there?

Hi LoneCoder,

Thanks for the great tool. I met problems during the application of certificates. the 1st one is the port 80. Because my ISP blocked the port 80 for HTTP, I have to use port 443 for HTTPS for my websites. I got the information below:

Authorizing Identifier xxx.xxx.com Using Challenge Type http-01
Writing challenge answer to xxx.xxx.com
Writing web.config to add extensionless mime type to xxx.xxx.com
Answer should now be browsable at http://xxx.xxx.com/

As I mentioned, duo to the blocked port 80, the http://xxx.xxx.com is not browsable for my websites. I wonder whether there is a way to force the Challenge through port 443 rather than 80.

the 2nd issue is that my server is Windows 2012 R2 with IIS 8.5 and I don’t use the default webroot (%SystemDrive%\inetpub\wwwroot) for mywebsites (I use d:\website). It seems your software can not find my websites when scanning. I wonder whether there is any way to automatically scan the customized webroot.

Thanks.

Hi,

Just as a follow up to this, I have been working on a new GUI tool called Certify which builds upon the ACMESharp project and provides a GUI for creating new certificate requests, renewing certificates and seeing more information about the certificates, sites etc you already have on a server. It’s not quite ready yet but I’ll be welcoming beta testers soon: http://webprofusion.com/apps/certify

Feature requests are welcome.

Chris

2 Likes

Thats good news. I want to join this. how do it?

well this certainly looks intresting.

You can provide your email address via the website, I’ll then notify subscribers when the app is released or at least available for testing. I’m hoping for an early-mid December release for v1.

I already did so long ago.

Already did…
Can you by chance also look into Apache on Windows… If its not too much to ask, cos Apache is very widely used today on windows servers.

1 Like