How does Letsencrypt work for Windows IIS?


#41

Well, this certainly looks interesting.


#42

You can provide your email address via the website, I’ll then notify subscribers when the app is released or at least available for testing. I’m hoping for an early-mid December release for v1.


#43

I already did so long ago.


#44

Already did…
Can you by chance also look into Apache on Windows… If it’s not too much to ask, cos Apache is very widely used today on Windows servers.


#45

Found them. Cool. Much appreciated.


#46

I have done it. Waiting for you.


#47

I think my client is filtering out https bindings from the list. You probably only have https bindings setup so that’s why they aren’t being seen. I’ll fix that.

Not sure how the ACME server handles that. Little bit of a chicken/egg problem unless ACME chooses to ignore invalid certs when authing.


#48

There’s a new build of my client available at https://github.com/Lone-Coder/letsencrypt-win-simple/releases/tag/v1.6

Here’s the change log:

Check for IIS installed. Shouldn’t crash if IIS not installed now.
Enable SNI for IIS 8. This will cause problems with IE on XP, but can be turned off and won’t be set if there’s an existing https binding.
Always prompt at end of program unless renew. No more disappearing errors when not running from console.
Store certs in “WebHosting” instead of personal.

Switch from letsencrypt-win lib submodule to ACMESharp nuget and latest API.

Removed the letsencrypt-win git submodule
Added references to latest ACMESharp (and related) nuget packages
Updated code to use latest ACMESharp namespaces and new CertProvider interface instead of deprecated CsrHelper
Includes support for auto-switching between 32/64-bit cert provider


#49

http-01 doesn’t do HTTPS afaik; that’s in the spec now iirc because of the default host problem, but different ports for ACME verification would be nice.


#50

The certificates in the %appdata% folder for IIS worked fine for Apache on Windows also. I simply made use of the KEY and CRT files. However, the certificate still comes up with issues on Mozilla, while on IE, Edge and Chrome it’s perfect and works fine.

I have had it up for almost 24 hours hoping that Mozilla Firefox gets to see it correctly.
Either way, thanks a mil, LoneCoder. You’ve done great.


#51

That’s pretty odd. Run https://www.ssllabs.com/ssltest/index.html on it and see if that helps.


#52

Does it work this way? Can you explain how to proceed?

Thanks


#53

I think it’s requesting the complete certificate chain. Which of the files in the %appdata% folder is the complete chain, cos I can only see one with 5 KB?


#54

Also, I am getting a prefix handling issue, where WWW.domainname.com is saying it’s not valid in the certificate provided. However, without the WWW it becomes valid.


#55

Certificates issued by the Let’s Encrypt service are bound to a specific fully qualified host name (such as www.example.com), so example.com and www.example.com both need their own certificate issued and therefore https bindings with the correct associated certificate. This can cause big problems for people who are used to having wildcard certificates (*.example.com). On IIS this means using Server Name Indication (SNI) or multiple IP addresses.


#56

You can also use a SAN cert with up to 100 names in it.
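The two posts above (and the WWW.domainname.com problem in #54) come down to one question: which host names does the certificate’s Subject Alternative Name list actually cover? The following is an added example, not code from the thread or from any of the clients discussed in it. It implements the usual browser matching rules in plain Python (exact match is case-insensitive; a wildcard is honoured only as the entire leftmost label and matches exactly one label), and the SAN lists it is run against are constructed, standing in for the names read out of an issued certificate.

```python
"""Check which host names a certificate's SAN list covers.

Added example; not part of the forum thread or of any client it mentions.
The SAN lists passed in are constructed for illustration. Rules applied:
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard is only accepted as the whole leftmost label ("*.example.com"),
    it covers exactly one label, so it matches "www.example.com" but neither
    "example.com" (the apex) nor "a.b.example.com";
  * partial wildcards such as "w*.example.com" are rejected.
"""
from typing import List


def _labels(name: str) -> List[str]:
    # "WWW.Example.COM." -> ["www", "example", "com"]
    return name.strip().rstrip(".").lower().split(".")


def name_matches(hostname: str, san_name: str) -> bool:
    """True if one SAN entry covers the given host name."""
    host = _labels(hostname)
    san = _labels(san_name)
    if len(host) != len(san):
        # a wildcard covers exactly one label, so label counts must agree
        return False
    if san[0] == "*":
        # refuse very broad wildcards such as "*.com"
        return len(san) >= 3 and host[1:] == san[1:]
    if "*" in san_name:
        # "w*.example.com" style partial wildcards are not honoured
        return False
    return host == san


def hostname_covered(hostname: str, san_names: List[str]) -> bool:
    """True if any SAN entry covers the host name."""
    return any(name_matches(hostname, s) for s in san_names)


def missing_names(required: List[str], san_names: List[str]) -> List[str]:
    """Host names the site needs that the certificate does not cover."""
    return [h for h in required if not hostname_covered(h, san_names)]


if __name__ == "__main__":
    # Constructed SAN lists illustrating the three situations in the thread.
    single_name = ["example.com"]                    # the #54 symptom
    san_cert = ["example.com", "www.example.com"]    # one cert, both names
    wildcard = ["*.example.com"]                     # apex is NOT covered
    wanted = ["example.com", "www.example.com"]
    for label, sans in (("single", single_name), ("SAN", san_cert), ("wildcard", wildcard)):
        print(f"{label:8s} missing: {missing_names(wanted, sans)}")
```

Run as a script it reports, for each constructed certificate, which of the two names would still fail in the browser; the single-name certificate leaves www.example.com uncovered, the wildcard leaves the apex uncovered, and only the SAN certificate covers both.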


#57

Incidentally, for those interested, my Windows GUI app for LetsEncrypt (Certify) is now available as a bug-packed alpha preview for those who like to live on the bleeding edge: https://webprofusion.com/apps/certify

It’s only really suitable for brave people who don’t mind giving feedback and encountering bugs. Currently only IIS sites are supported and there is already one bug report from someone who can’t get their sites to show up; I also find that it doesn’t always manage to authorize first time. So your mileage may vary!


#58

When I input my email address and register, it always shows “agree terms”. How do I agree?
There isn’t any option to do it.


#59

Let’s start. Making it portable would be epic.
Also I would love a “half-manual” mode where you can specify the domains and all their webroots (and optionally cert/key paths) you want to get a cert for. That way I could get the whole setup from my network (I always have network paths from my PC to the webroots [and other stuff] ready), which would give people, no matter what server they use, the ability to use the tool.

For example, you could read a file which has, line separated:

domain,webroot [key-path,cert-path]

and it tries to make one cert for all unless a line with only a - appears; that could be a SAN break.
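The file format proposed above is concrete enough to parse. The following is an added example, not code from the thread or from any client discussed in it, showing one way to read such a file into per-certificate groups. It assumes that the optional [key-path,cert-path] part is written as two extra comma-separated fields, that blank lines and lines starting with # are ignored, and that a line containing only - ends the current group; the 100-name limit per certificate is the figure quoted in #56. The input file content is constructed.

```python
"""Parse a 'domain,webroot[,key-path,cert-path]' site list into cert groups.

Added example; not part of the forum thread or of any client it mentions.
Assumed format (the thread only sketches it):
  domain,webroot                      -> two fields
  domain,webroot,key-path,cert-path   -> four fields
  -                                   -> ends the current SAN group
  blank lines and lines starting with '#' are skipped
Every group becomes one certificate request covering all of its domains.
"""
from typing import Dict, List, NamedTuple, Optional

MAX_SAN_NAMES = 100  # per-certificate name limit quoted in the thread


class SiteEntry(NamedTuple):
    domain: str
    webroot: str
    key_path: Optional[str]
    cert_path: Optional[str]


def parse_site_list(text: str) -> List[List[SiteEntry]]:
    """Split the file into groups; each group is a list of SiteEntry."""
    groups: List[List[SiteEntry]] = []
    current: List[SiteEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":
            # SAN break: close the group (an empty group is simply ignored)
            if current:
                groups.append(current)
                current = []
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (2, 4) or not all(fields):
            raise ValueError(
                f"line {lineno}: expected 'domain,webroot' or "
                f"'domain,webroot,key-path,cert-path', got {raw!r}"
            )
        key_path, cert_path = (fields[2], fields[3]) if len(fields) == 4 else (None, None)
        # normalise the host name the way a CA compares it
        domain = fields[0].lower().rstrip(".")
        current.append(SiteEntry(domain, fields[1], key_path, cert_path))
    if current:
        groups.append(current)
    return groups


def plan_certificates(groups: List[List[SiteEntry]]) -> List[Dict]:
    """Turn each group into one certificate request description."""
    plans = []
    for index, group in enumerate(groups, 1):
        names: List[str] = []
        webroots: Dict[str, str] = {}
        for entry in group:
            if entry.domain not in names:
                names.append(entry.domain)
            # the webroot is where the http-01 challenge file must be served from
            webroots[entry.domain] = entry.webroot
        if len(names) > MAX_SAN_NAMES:
            raise ValueError(f"group {index} has {len(names)} names, limit is {MAX_SAN_NAMES}")
        # explicit output paths are taken from the first entry that gives them
        key_path = next((e.key_path for e in group if e.key_path), None)
        cert_path = next((e.cert_path for e in group if e.cert_path), None)
        plans.append({"names": names, "webroots": webroots,
                      "key_path": key_path, "cert_path": cert_path})
    return plans


# Constructed sample input: two groups, the second with explicit output paths.
SAMPLE = r"""
# constructed example site list
example.com,C:\inetpub\wwwroot\example
www.example.com,C:\inetpub\wwwroot\example
-
blog.example.net,\\fileserver\sites\blog,C:\certs\blog.key,C:\certs\blog.crt
"""

if __name__ == "__main__":
    for plan in plan_certificates(parse_site_list(SAMPLE)):
        print(plan["names"], "->", plan["cert_path"] or "(client default path)")
```

Run as a script it prints one line per planned certificate: the first request carries example.com and www.example.com as a single SAN set, the second is the stand-alone blog certificate with its own key and cert paths. A malformed line (three fields, or an empty field) raises a ValueError naming the line number rather than silently producing a request with a missing webroot.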


#60

Your software still cannot work normally in IIS 8.5

because