How to create SAN using letsencrypt.exe on server2012R2 with IIS


#1

I am looking for what the correct syntax would be using letsencrypt.exe for creating a SAN certificate for the following:

domain.com, www.domain.com, ftp.domain.com, mail.domain.com, webmail.domain.com

I am running Server2012 R2 with IIS.

I’ve had very good results with letsencrypt.exe creating certificates for a single domain.com with a windows task scheduled to renew the certificates.


#2

Certificate for Manual Site SAN (I)

letsencrypt.exe --san

:smiley:


#3

some more details :smiley:


#4

Thanks for your reply.

I’ve been able to use letsencrypt.exe --san and obtain a certificate for domain.com and www.domain.com

However, I get errors when I use letsencrypt.exe --san and attempt to get a certificate issued for:

domain.com, www.domain.com, mail.domain.com, webmail.domain.com

Note: domain.com and www.domain.com are my website, and mail.domain.com and webmail.domain.com are for my mail server.

I am guessing domain.com and www.domain.com work because they are bound to the same IIS website.

While webmail.domain.com is a separate IIS website, mail.domain.com is for TLS/SSL for my mail server.

I am able to create a separate cert for webmail.domain.com because it is bound to an IIS website but cannot include mail.domain.com because it is not bound to a website but used only for the mail server.

Jim

Jim Mayfield

“Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.”

–Benjamin Franklin


#5

Hello,

As far as I understand your situation, I think you won’t receive any “mail.domain.com” certificate because it is not a regular IIS website. So LetsEncrypt-Win-Simple is not able to create the necessary verification files in the LetsEncrypt subfolder of the wwwroot.

I encountered the same situation with our mail server and solved it like this:

  • make sure the mail server is not using the default SSL port, but e.g. 451
  • create an IIS site bound to mail.domain.com
  • request the certificate with LetsEncrypt-Win-Simple. As it is a real IIS website, you will get it.

If your mail server is web based, you could consider placing this rewrite rule in your web.config:

    <rewrite>
        <rules>
            <!-- let the ACME verification requests under /.well-known/ through untouched -->
            <rule name="LetsEncrypt" stopProcessing="true">
                <match url="^\.well-known.*$" />
                <action type="None" />
            </rule>
            <!-- send everything else to the mail server on its non-default HTTPS port -->
            <rule name="Vers https://mail.domain.com:451" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <action type="Redirect" url="https://mail.domain.com:451" />
            </rule>
        </rules>
    </rewrite>

So it is really transparent for the users: when they use mail.domain.com they are automatically redirected to https://mail.domain.com:451

Hope this will help.

Regards,

Guy
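The procedure above, as an added PowerShell example (not from this thread or from the letsencrypt-win-simple project): it creates the helper IIS site bound to mail.domain.com, writes the web.config with the two rewrite rules, and, once the certificate has been issued, checks that every expected name is present in its SAN list. The physical path, the rule name "ToMailServer" and the certificate stores searched are assumptions; it requires the IIS WebAdministration module and the IIS URL Rewrite module.

```powershell
# Added example, not the project's code. Helper IIS site for the HTTP-01 challenge on
# mail.domain.com, web.config from the post, and a post-issuance SAN check.
# Assumes WebAdministration (IIS) and the URL Rewrite module are installed.
Import-Module WebAdministration

$mailHost = 'mail.domain.com'            # name that must appear in the SAN certificate
$mailPort = 451                          # non-default HTTPS port the mail server listens on
$siteRoot = 'C:\inetpub\mailredirect'    # assumed physical path for the helper site

# 1. A real IIS site bound to mail.domain.com on port 80; the client writes the
#    challenge file under <root>\.well-known\acme-challenge\ and Let's Encrypt fetches it.
New-Item -ItemType Directory -Force -Path (Join-Path $siteRoot '.well-known\acme-challenge') | Out-Null
if (-not (Test-Path "IIS:\Sites\$mailHost")) {
    New-Website -Name $mailHost -PhysicalPath $siteRoot -Port 80 -HostHeader $mailHost | Out-Null
}

# 2. web.config: let /.well-known/ requests through untouched (rule 1, as in the post),
#    redirect everything else to the mail server's HTTPS port (rule 2).
$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="LetsEncrypt" stopProcessing="true">
          <match url="^\.well-known.*$" />
          <action type="None" />
        </rule>
        <rule name="ToMailServer" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <action type="Redirect" url="__MAILURL__" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@ -replace '__MAILURL__', "https://${mailHost}:${mailPort}"
Set-Content -Path (Join-Path $siteRoot 'web.config') -Value $webConfig -Encoding UTF8

# 3. After letsencrypt.exe --san has run: verify every expected name is in the SAN list,
#    otherwise clients connecting to that name will see a certificate name mismatch.
$expected = 'domain.com', 'www.domain.com', 'mail.domain.com', 'webmail.domain.com'
$cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.DnsNameList.Unicode -contains $mailHost } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate containing $mailHost found in the machine stores" }
$missing = $expected | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { Write-Warning "Certificate lacks SAN entries: $($missing -join ', ')" }
else { "SAN certificate OK for all names, expires $($cert.NotAfter)" }
```

Step 3 is also a useful check to run from the scheduled renewal task, since a renewal that silently drops a name only shows up when clients start failing.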


#6

Thanks for your reply.

This solution will resolve my problem.

Thank you again. Appreciate it greatly.

Jim Mayfield

“Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.”

–Benjamin Franklin

