SAN cert for all bindings of multiple IIS sites


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: globalparts.aero

I ran this command: letsencrypt.exe (from letsencrypt-win-simple)

It produced this output: (list of options N … Q)

My web server is (include version): IIS 10.0

The operating system my web server runs on is (include version): Windows Server 2016 Datacenter

My hosting provider, if applicable, is: self-hosting

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

We host multiple *.globalparts.aero websites in IIS 10.0. We currently employ a DigiCert wildcard certificate for all of them. Single IP address, same ports for all sites. The host header determines which site the viewer is served. I want to transition to using Let’s Encrypt certs for all sites. Using the letsencrypt-win-simple utility I am assuming that I need to select option “N: create new certificate” and “3: SAN certificate for all bindings of multiple IIS sites”, but before I do this I want to verify that I am choosing the correct option. I’d like the utility to update the cert on all of the globalparts.aero sites that we host. I can do this one at a time if necessary; there are just several different sites to update, so I thought why not save some time and update them all at once.

I am so sorry for the n00b question but can someone please verify for me if that is the correct option for my desired results? I’ve been searching for hours to find the answer and haven’t found a complete answer yet. Since I have never done this before I am hesitant to “just do it” like Nike.

We do have good Veeam backups of the server so even if I do break it we can restore the full VM from backup.

Again, so sorry for a stupid question. Please advise.

Thank you!


#2

Figured out my solution using letsencrypt-win-simple. Used options N then 2 to create certs for each individual site, which worked better than option 3 (SAN cert for multiple sites).

Now to figure out how to mark this question as Solved …


#3

I’m about to install this on 2 DNN installations with multiple portals. By ‘using options N then 2 to create certs for each individual site’, do you mean you have separate IPs for each site, or does this detect and install the cert for all the portals?

Thanks in advance.


#4

I should amend my response. After doing what I did I found out that each time I created a new cert for individual sites it was switching the cert used for sites I had previously configured. In the end I’m using one wildcard-style cert for all of the sites and it works fine. So if you have foo.bar.com, foo1.bar.com and foo2.bar.com, set up one cert for bar.com and use it for all of the individual sites.
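The problem described in #4 (a later certificate silently replacing the one bound to an earlier site) is easy to miss until a browser complains. The following is an added example, not code from the thread or from letsencrypt-win-simple: it lists every HTTPS binding in IIS, the certificate currently bound to it, and whether that certificate's Subject Alternative Name actually covers the binding's host header. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available.

```powershell
# Added example: audit which certificate each IIS HTTPS binding uses and
# whether its SAN covers the host header. Run elevated on the IIS server.
Import-Module WebAdministration

function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($false) yields e.g. "DNS Name=www.example.com, DNS Name=example.com"
    ($ext.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[1].Trim() }
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard label matches exactly one DNS label (RFC 6125), so
        # *.bar.com covers foo.bar.com but not a.foo.bar.com or bar.com itself.
        if ($n.StartsWith('*.') -and
            ($HostName -like ('*' + $n.Substring(1))) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$certs = Get-ChildItem Cert:\LocalMachine\My
foreach ($b in Get-WebBinding -Protocol https) {
    # ItemXPath contains the owning site: .../site[@name='Site Name' and @id='1']/...
    $siteName   = $b.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
    # bindingInformation is "ip:port:hostheader"; host header may be empty
    $hostHeader = ($b.bindingInformation -split ':')[2]
    $cert       = $certs | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    $covered    = if (-not $cert) { 'NO CERT' }
                  elseif (-not $hostHeader) { 'no host header' }
                  elseif (Test-NameCovered $hostHeader (Get-SanNames $cert)) { 'yes' }
                  else { 'NO' }
    [pscustomobject]@{
        Site       = $siteName
        HostHeader = $hostHeader
        Thumbprint = $b.certificateHash
        Subject    = if ($cert) { $cert.Subject } else { '' }
        Expires    = if ($cert) { $cert.NotAfter } else { '' }
        SanCovers  = $covered
    }
}
```

Run it before and after each letsencrypt-win-simple run; a row whose Thumbprint changed or whose SanCovers column reads NO is a binding that was re-pointed at a certificate that does not name that host.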