Letsencrypt-win-simple and default HTTPS binding


#1

I succeeded in testing IIS 8.5 against the staging (test) CA using letsencrypt-win-simple as the client. This was simpler than I expected, with documentation being sparse and technobabble-heavy. It really was as simple as making sure I had HTTP bindings defined for each host name the server was supposed to respond to, then running the client application and answering a few prompts. The client read the HTTP bindings and created corresponding HTTPS bindings to match.

IIS Manager then complained that there was no default SSL site created. What it meant was there was no HTTPS binding with a blank host header defined, to help browsers that don’t support server name identification.

Do any IIS users here know if this client supports adding a default HTTPS binding using a new or renewed cert? Or maybe I have to script the creation or replacement of a new binding after creating or renewing a cert. The client does not recognize a default HTTP binding as valid for creating a corresponding default HTTPS binding. Maybe I could do a manual SAN cert for the site instead because I have application request routing and URL rewrite installed, but then I’d still have to create or edit a manual binding for the default HTTPS site.

I’d have asked Lone-Coder, but he isn’t easy to reach. While he has a Google+ page, he has no way of messaging him short of posting to his Google+ wall or whatever it’s called.


#2

having a look at the code here: https://github.com/Lone-Coder/letsencrypt-win-simple/blob/master/letsencrypt-win-simple/Plugin/IISPlugin.cs

there is a comment that this parses sites with HTTP and HTTPS bindings.

Andrei


#3

Hello,

I think you speak about the SNI warning given by IIS.
SNI : https://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

This is not a really Letsencrypt related problem but more regarding IIS. In the previous versions of IIS, it was only possible to have one SSL site per server. Now it is possible to have multiple SSL sites but IIS uses the SNI read in the HTTP request to validate the binding. If a user use a VERY old browser, this SNI will not be sent. So IIS won’t be abble to route the request to the correct website. This warning suggests you to create a default SSL website for these kind of requests.

I am convinced you may ignore this message.

Kind regards,

Guy


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.