Let's Encrypt SSL Cert Question

Hello. I currently have a client that is in need of an SSL certificate. I will give you the background on this.

  1. They have their domain name hosted at one ISP.
  2. The website is hosted elsewhere, and the ISP has a pointer record set up to point to the second site provider.
  3. They have an on-premises app server that the website now needs access to. An SSL certificate is required to do this.
  4. The on-premises server does not have IIS installed, as it is not needed. The server is still running Windows Server 2008 R2.

I need to have the SSL cert bound to the public IP and port number for the server.

Any help or suggestions would be greatly appreciated.

Thanks,
Greg

1 Like

Hi @ccptbo and welcome to the LE community forum :)

Windows Server 2008 R2 can work with several Windows ACME clients.
See: ACME Client Implementations - Let's Encrypt (letsencrypt.org)
These can be configured to run in standalone mode (without IIS) and/or use DNS authentication to obtain an LE cert.
Binding the cert to the public IP and port number (i.e. using the cert) is a function of the app, and you would have to read their documentation on how to do so.

2 Likes

Thanks for the reply! I will check into it!

2 Likes

In addition, I would advise you not to have Server 2008 R2 connected to the internet, as it no longer receives updates by default. If you need extended security, you will need to engage with Microsoft to get that enabled: Windows Server 2008 and 2008 R2 extended security updates | Microsoft Docs

Ideally, any workload should be moved to a newer server. In some cases you can hide the server behind a proxy so that the front-end service is not directly vulnerable, but this doesn't prevent all potential hacks etc.

2 Likes

Yes, that is on the current list of projects for the client. COVID kind of put a halt to a lot of things going on, LOL.
The server is actually not front facing. All ports are closed and they have 2 site-to-site VPNs running between locations. I am also implementing a new router so that this particular function that they are requesting only comes from 1 IP address. They need the SSL cert for the CYA scenario in case anything were to happen.

Thanks for your reply!

2 Likes

Cool, use DNS validation and either Certify The Web (https://certifytheweb.com - the app I develop, Server 2008 R2 not supported but you might still get it working OK assuming you have .net 4.6.2 or higher, I'm assuming it's SP1) or win-acme.

These apps will provide automatic renewal and deployment to the IIS install on the machine. Other tools are available but don't always know how to configure certs automatically on IIS without extra steps.

3 Likes

OK, so I do need to have IIS installed on the server then. I was told by the software company that is requesting the SSL cert that the SSL needs to be tied to the IP address and the port assignment they want. I asked them if they were using IIS and they said no, their API is running as a service on the server. This is where I got confused.

1 Like

If you are to use HTTP authentication without the --standalone option.
But there may be a way to do both within the ACME client itself (without the need for IIS).

2 Likes

Actually, I was wrong to mention IIS because, as you stated, it's not used here. No, those tools don't need IIS, and by default they both have a standalone HTTP validation mode (their own temporary web server, but you do need TCP port 80 open for that to work, and your app server may need to be temporarily stopped if it uses port 80, depending on what it is). Certify also has a wide range of DNS validation options as an alternative to HTTP validation.

3 Likes
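To make concrete what the two validation modes discussed in this thread actually do, here is an added example (written for this page, not code from the thread, Certify The Web or win-acme) that computes the HTTP-01 and DNS-01 challenge responses defined in RFC 8555 and the account-key thumbprint from RFC 7638. The token, the account key JWK and the domain `app.example.com` are constructed placeholders, not values from the thread; a real client receives the token from the CA and uses its own RSA or EC account key.

```python
"""Added example (not from the thread): what an ACME client publishes during
domain validation (RFC 8555), for the standalone HTTP-01 mode and the DNS-01
mode discussed above. All key material and tokens below are constructed."""
import base64
import hashlib
import json

# RFC 8555 section 8.3: tokens are base64url, and a client MUST check that
# before using one as a file name / URL path component.
_TOKEN_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """Reject empty tokens and anything outside the base64url alphabet
    (so '/', '.' or '..' can never reach the challenge file path)."""
    return bool(token) and set(token) <= _TOKEN_CHARS


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required public members, keys sorted
    lexicographically, no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url; refusing to use it")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Path the CA fetches over plain HTTP on TCP port 80 (this is why the
    'standalone' mode needs port 80 reachable) and the body it must see."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """TXT record name and value the CA looks up; no inbound port is needed,
    which is the reason DNS validation suits a server behind a VPN."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample values (NOT a real key, NOT a real CA token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "app.example.com"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: GET http://%s%s must return %s" % (SAMPLE_DOMAIN, path, body))
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print("DNS-01:  %s TXT %s" % (name, value))
```

The two outputs show the trade-off the replies above describe: HTTP-01 requires the CA to reach the host on port 80, so a standalone client must own that port for the duration of the challenge; DNS-01 only requires the client to write one TXT record at the DNS host, which is why it fits a server that is not internet facing. The token check before building the challenge path is the spec's own requirement for any client that serves challenge files from a token-named URL.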
