How To: Get LetsEncrypt working with IIS manually

Hi everyone, I got this working with IIS and was hoping to assist anyone else by providing some quick instructions on how I got it working for testing.

1. Installed Ubuntu 15.10
2. Installed OpenSSH
3. Installed LetsEncrypt following the instructions from https://letsencrypt.org/howitworks/
4. Ran the following:

cd letsencrypt
./letsencrypt-auto certonly --manual

I received a message like:
Make sure your web server displays the following content at
http://[yourwebsite]/.well-known/acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo before continuing:

HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.CXqynb26ha9fCNmLippZBddXyd4sedgTidV3emtqg8Y

I then went onto our IIS web server and created a new Well-Known application pool running with permissions required and assigned/created a new Web Application named .well-known.

At this point I created a new folder named acme-challenge within the .well-known Web Application directory and within that I produced a HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.txt file containing the value HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.CXqynb26ha9fCNmLippZBddXyd4sedgTidV3emtqg8Y.

After this step I created a URL Rewrite rule in IIS, under the .well-known Web Application.

Your web.config should look similar to:

<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <defaultDocument> <files> <add value="/acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo" /> </files> </defaultDocument> <staticContent> <mimeMap fileExtension=".*" mimeType="text/plain" /> </staticContent> <rewrite> <rules> <rule name="wellknown"> <match url="acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo" /> <action type="Rewrite" url="acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.txt" appendQueryString="false" /> </rule> </rules> </rewrite> </system.webServer> </configuration>

Now you can press Enter, which should be a success by authenticating domain control and producing some .pem files for you.

Now cd into your /etc/letsencrypt/live/[domainname] directory and run the following:

openssl pkcs12 -export -out “certificate.pfx” -inkey “privkey.pem” -in “cert.pem” -certfile chain.pem

Grab the certificate.pfx (I used WinSCP) and copy that over to your IIS Server.

Now run mmc and add the Certificates (Computer) snap in. Go to Personal and import the certificate.pfx

Export the Lets Encrypt X1 certificate from the Personal and re-import it under Intermediate Certification Authority.

Bind the certificate in IIS with your website and it should all work nicely.

If you’re on Windows Server 2008 R2 it’ll likely show TLS 1.0, since Windows Server 2008 R2 doesn’t support TLS 1.2.

I know there are some other Windows specific Let’s Encrypt tools out there but I haven’t tried them yet.

The one problem with all of this is the 3 month limit on the certificates, so you have to renew them frequently. If there isn’t a tool out there to automate this yet for Windows users then there will be soon, I’m sure.

You don't need a Linux system unless you really want to run the official reference client. There are some nice community contributed options, including a PowerShell option and a very alpha-state GUI. See List of Client Implementations.

It does, with some registry key changes. If you don't want to mess around there, you can look at IISCrypto, which is a nice GUI for doing the same thing. I'm using it on our older systems with success.

I always get “a specified logon session does not exist” error in IIS when trying to bind :\

At first I tried to direct import the pfx then used you’r method but still no go :s

I used https://github.com/Lone-Coder/letsencrypt-win-simple with the following web.config in the acme-challenge directory to avoid a 404.17 IIS error (‘The requested content appears to be script’) blocking download of the challenge:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

I simply made a virtual directory “.well-known”, as I couln’t make a real directory with a leading dot.
Then I put the challenge in the required subdirectory of .well-known and ran ./letsencrypt-auto certonly --manual and successfully got the keys generated.

I copied the fullchain.pem to the windows
and did the import/export/import as the instructions say.

However, when I try to apply the cert to the website, I get the error
"This certificate has an nonvalid digital signature." on the “Let’s Encrypt Authority X3” cert.

Doh.
If everything else fails, read the manual.

I belived fullchain.pem was the same as the result of
openssl pkcs12 -export -out “certificate.pfx” -inkey “privkey.pem” -in “cert.pem” -certfile chain.pem

It wasn’t.
When I imported the above certificate.pfx. it worked as it should.

You’ve probably figured this out already but I’ll just leave this here in case anyone stumbles upon this and has a problem creating the folder as well…
add a dot at the end too.

.well-known.

That way windows will accept it. the ending dot will be removed by windows so the folder will be accessible as .well-known without the dot at the end.

https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke/