Hi everyone, I got this working with IIS and was hoping to assist anyone else by providing some quick instructions on how I got it working for testing.
- Installed Ubuntu 15.10
- Installed OpenSSH
- Installed LetsEncrypt following the instructions from https://letsencrypt.org/howitworks/
- Ran the following:
./letsencrypt-auto certonly --manual
I received a message like:
Make sure your web server displays the following content at
http://[yourwebsite]/.well-known/acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo before continuing:
I then went onto our IIS web server and created a new Well-Known application pool running with permissions required and assigned/created a new Web Application named .well-known.
At this point I created a new folder named acme-challenge within the .well-known Web Application directory and within that I produced a HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.txt file containing the value HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.CXqynb26ha9fCNmLippZBddXyd4sedgTidV3emtqg8Y.
After this step I created a URL Rewrite rule in IIS, under the .well-known Web Application.
Your web.config should look similar to:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <defaultDocument> <files> <add value="/acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo" /> </files> </defaultDocument> <staticContent> <mimeMap fileExtension=".*" mimeType="text/plain" /> </staticContent> <rewrite> <rules> <rule name="wellknown"> <match url="acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo" /> <action type="Rewrite" url="acme-challenge/HkPoBSOjcSuNmBe39EY7_J25v84nSWYSlrng7D-xtQo.txt" appendQueryString="false" /> </rule> </rules> </rewrite> </system.webServer> </configuration>
Now you can press Enter, which should be a success by authenticating domain control and producing some .pem files for you.
Now cd into your /etc/letsencrypt/live/[domainname] directory and run the following:
openssl pkcs12 -export -out “certificate.pfx” -inkey “privkey.pem” -in “cert.pem” -certfile chain.pem
Grab the certificate.pfx (I used WinSCP) and copy that over to your IIS Server.
Now run mmc and add the Certificates (Computer) snap in. Go to Personal and import the certificate.pfx
Export the Lets Encrypt X1 certificate from the Personal and re-import it under Intermediate Certification Authority.
Bind the certificate in IIS with your website and it should all work nicely.
If you’re on Windows Server 2008 R2 it’ll likely show TLS 1.0, since Windows Server 2008 R2 doesn’t support TLS 1.2.
I know there are some other Windows specific Let’s Encrypt tools out there but I haven’t tried them yet.
The one problem with all of this is the 3 month limit on the certificates, so you have to renew them frequently. If there isn’t a tool out there to automate this yet for Windows users then there will be soon, I’m sure.