How does Letsencrypt work for Windows IIS?


#82

I’ve looked on your website and on GitHub but can’t find any information on how to obtain the source code. Is Certify open-source? How is it licensed?


#83

LoneCoder… Is it now possible to get the fullchain.pem file with the other files, as this is required for Apache on Windows for Mozilla to give trust on the full chain?


#84

Hi LoneCoder,

Does this support SANs? If not, will it?

Thanks
K


#85

If you have full chain issues, simply use https://www.ssllabs.com and you should be able to download the full chain certificate for use.
Used it and my Mozilla firewall is fully up and operational without the firewall issues anymore.


#86

If you host on Azure, I’ve put together a step-by-step walkthrough on how to obtain a Let’s Encrypt certificate for Azure Web Apps.

You can find the post at https://gooroo.io/GoorooTHINK/Article/16420/Lets-Encrypt-Azure-Web-Apps-the-Free-and-Easy-Way/


#87

Just downloaded and installed Certify (v0.9.71) to a Windows Server 2012 R2 server. Asked it to create a certificate for one of the sites, and it comes back with a dialogue box saying “Certification was not successful. Certificate not valid or not yet authorized.” The log tab does not show any obvious errors. When I look in the file system, I can see the .well-known/acme-challenge folders under the website, and when I manually browse to the challenge file from another machine I am presented with the contents of the file.

Any suggestions? What am I doing wrong?


#88

Certify still can’t work normally. I have tested it.


#89

Hi All,

I have just found out the Letsencrypt certificate on Windows (IIS 8.5) is showing an error:

“Your connection is not secure . . . .” in Firefox 45, 46, . . . ??

Chrome is happy as far as I know. Safari is OK too. All on a Mac. Chrome is good on Windows, IE is good on Windows. Anybody suffering the same problem?

Thanks in advance folks. Happy to try and troubleshoot further.


#90

The latest Firefox would frighten the end user away from visiting the site:

“The owner of [domainNameHere] has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.”

:frowning:


#91

You’re probably running into a problem with IIS serving the wrong intermediate certificate. Try one of the following fixes:



#92

The Lone-Coder/letsencrypt-win-simple v1.9.1 is stable and we’ve tested it successfully on Server 2016, 2012R2, and 2008R2. The Let’s Encrypt certificates are requested, installed and renewed automatically, plus the SAN certificate option is working as well.

We’ve published a video with instructions and demo here:
https://www.netometer.com/blog/?p=1758

Right now we are testing the client with Exchange server, and a video about this is coming as well.


#93

Will this work on Windows 2003 IIS 6.0?


#94

Hi Himanshu

I wrote an article on how to do a Windows IIS install “the old school way”. I used zerossl but you can use any client, including letsencrypt-win-simple.

On older systems I prefer to work with the certificate and private key to get what I want.

I also believe IIS 6.0 doesn’t like certificates that have the intermediate and the certificate in one file (I am not sure if this is how clients print out the certificates or if that is how Let’s Encrypt issues them).

You can download and install the intermediate Let’s Encrypt certificates from here: https://letsencrypt.org/certificates/. I usually use PEM encoded certificates.

Microsoft also likes the PFX format for importing certificates (a combination of X509 cert and private key), so I usually generate these with openssl.

Article Link: https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke?trk=prof-post
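
The split described in the post above, shown as an added example (it is not part of the original post and not code from any client mentioned in this thread): it separates a fullchain-style PEM bundle into the server certificate and the intermediates, and flags private key material so it never lands in the chain file. The function names, the file names `cert.pem`, `chain.pem`, `privkey.pem` and `site.pfx`, and the sample bundle are assumptions made for illustration.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def to_pem(label, der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def split_fullchain(bundle):
    """Return (leaf, intermediates, has_key) for a PEM bundle.

    Assumes the usual ordering: the first CERTIFICATE block is the
    server certificate and the remaining ones are intermediates."""
    certs, has_key = [], False
    for label, body in PEM_BLOCK.findall(bundle):
        if label.endswith("PRIVATE KEY"):
            has_key = True      # key material must not end up in chain.pem
            continue
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("block is not a DER-encoded certificate")
        certs.append(to_pem("CERTIFICATE", der))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs[0], certs[1:], has_key


# Constructed sample: placeholder bytes behind a DER header, not real certificates.
SAMPLE = "".join([
    to_pem("CERTIFICATE", b"\x30\x82\x00\x20" + b"L" * 32),
    to_pem("CERTIFICATE", b"\x30\x82\x00\x20" + b"I" * 32),
    to_pem("RSA PRIVATE KEY", b"\x30\x82\x00\x20" + b"K" * 32),
])

if __name__ == "__main__":
    leaf, chain, has_key = split_fullchain(SAMPLE)
    with open("cert.pem", "w") as f:
        f.write(leaf)
    with open("chain.pem", "w") as f:
        f.write("".join(chain))
    print("intermediates:", len(chain), "| private key in bundle:", has_key)
    # With the key kept in its own file, the PFX can then be built with:
    #   openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem -out site.pfx
```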


#95

Hello, do you already have the video for Exchange server?
Could you test it?
Thank you.
Andrés.


#96

Working flawlessly - both issuing and installing a new Exchange (multiple domain) certificate and automatically renewing it. Today we’ve completed the last step - had to redo some of the steps to add more scenarios.

Should be published within a day or two. If you need it urgently, I can send you the link to the post-production videos.


#97

No, it’s not urgent, thank you very much for the reply. I’ll be waiting for your info after you finish.
Regards,
Andrés.


#98

The video is published - four steps; it took quite a while to get this done:

Letsencrypt Exchange certificate

We provide as a download the compiled ACMESharp PowerShell module that we are using in the demo. Your feedback and questions are more than welcome on the corresponding blog page:

http://www.netometer.com/blog/?p=1777

Regards,

Dean


#99

Hi,

I was struggling to get an ECDSA certificate for my domains on Windows Server and IIS and I found no working solution for that on the Windows platform, so I decided to create a simple ACME client based on ACMESharp and BouncyCastle for that. If anyone would be interested in that, you can find it at https://github.com/vrbyjimmy/EcdsaAcmeNet
Feel free to use it or take pieces of code to make other ACME clients ECDSA friendly.

Regards,
Jimmy


#100

Hi all,

At home, I run a Windows server with IIS. I am reluctant to leave the port 80 continuously open to the Internet as there are too many scans hitting the server.
So I would like to use port 443 and perform the renewal over https. I have access to the webroot.
I cannot find any option in the program letsencrypt.exe (Let’s Encrypt Simple Windows Client 1.9.1.38228) in order to do so.

Have I missed something?
Thank you,

Frédéric, Brussels


#101

@f-d-m, for certain policy reasons the webroot-based verification (HTTP-01 challenge type) can only be performed to port 80. The TLS-SNI verification (TLS-SNI-01 challenge type) can only be performed to port 443, but requires a different kind of control over the web server than webroot verification does (because it’s about reconfiguring the certificates that the server uses, not just adding a single file to a webroot).

I don’t know whether the Simple Windows Client supports TLS-SNI-01 challenges or not, but if not, you will not be able to use it to perform validation on port 443.