Hi! I’ve looked at the getting started guide, and understand that I need to prove I’ve control of my webserver… Apache in my case. However, the Certbot software reports it can only be installed / used in a non-windows environment.
I’m looking for the easiest way to request / obtain / install an SSL certificate on Apache running on Windows Server software.
Does anyone have any recommendations / done this successfully?
I have full control over the server and can even remote desktop in to it if necessary to install software, so that’s no issue.
Also, the http version of the site is currently accessed on a non standard port, am I right in thinking that all HTTPS connections need to be made on port 443… just so I can get the firewall team to put that in place if necessary.
Well, there are several Windows clients available, but i don't have experience using them. (And it's possible some of them integrate with IIS better than Apache.)
You could also use a manual client running in your browser or on another server (such as certbot certonly --manual) but that doesn't usually count as easy.
HTTP-01 and TLS-SNI-01 validation require port 80 or port 443, respectively. (HTTP-01 will also follow redirects to HTTPS.) But you can proceed to use the certificate for web servers (or servers for other protocols) on any port you like.
DNS-01 validation is based on DNS TXT records, so it doesn't require connecting to your web server on any port. (It has to be able to access your DNS servers, of course.)
Thanks for taking the time to reply. I’ll look at that link and failing that will have to go the manual route. I’m assuming the manual route won’t auto update the certificate though! Hummm… how long do they last before I have to do it again? I think I read 60 days… that could be a pain!
Thanks again.
Yeah. With enough work you could automate running a client on a second server that copies the certificate and key files to your Windows server, but that would likely be harder than automating a client on the Windows server itself.
The certificates are valid for 90 days. It's recommended to renew them after only 60 days so that there's time to fix it if automatic renewal fails, and 60 is a nice round number. Someone doing it manually might prefer to cut it closer and renew, say, every 75 days, but that also courts catastrophe if something goes wrong or you forget.
With enough work you could automate running a client on a second server that copies the certificate and key files to your Windows server, but that would likely be harder than automating a client on the Windows server itself.