I am using letsencrypt-win on an IIS 8.5 server. I have two sites on the server, each with their own IP address (using bindings). One has https on the normal port, but the other is on a special port. Neither have port 80 enabled. When letsencrypt runs, it shows two options [DNS] and [IIS] for the site on the normal SSL port, but nothing for the site on the different port.
Is there a way to specify a port for each site? I cannot quite figure out how to get this to show both sites.
I don’t think “other” ports are supported in the authentication mechanism - only 80 and 443.
If either of those ports is reachable to any IP in your system, then you could use a catch-all to handle the .well-known/acme-challenge requests via a common folder.
The trick is (two-part and probably unautomateable) [I think I just made up a word!]
- Getting IIS to see them individually - that requires SNI and separation (like my.server:80 is a distinct site from my.server:8888) letsencrypt-win would see the :80 site but not the :8888 site
- Getting the :8888 site to use the same cert as the :80 site.
An alternate would be to use a different client - one that has figured out how to automate IIS and alternate ports.
Maybe this new PowerScript client can help: WAT - Windows ACME Tool
Can you use the DNS method?
If not you would have to use verification over HTTP.
In this case you must enable a site with port 80 on both IPs.
Also you should take a look on the
--siteid parameter of letsencrypt-win-simple.
He seems to be concerned about not allowing any port 80 access.
Maybe the :80 sites could be turned up just for the validation and then disabled.
And locked down to just a common/public/empty folder.
@rg305 he should set up a separate webroot on port 80 with only the .well-known directory and a default page that serves a 301 redirect to his https version.
I think that would be the simplest solution.
Wow folks - thanks - got to work this morning and it was like opening presents with all these responses!
So is the consensus that even with a redirect to https that having port 80 open will allow it to work properly? If so, that will definitely be the way to go.
Yes, you could leave the port 80 access for authentication and redirect all other traffic to any port you like.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.