Setting up LetsEncrypt on IIS 6.x Windows Server 2003


#1

I’m behind an ISA Proxy Server which makes using let’s encrypt’s automatic tools problematic. Also still running Win2003 Server until I can get the time together to move to a new Win2016 Server - so I can’t run any of the other letsencrypt .NET tools which require CLR 4.5 (only CLR 4.0 is supported on Win2003).

  1. Can I use gethttpsforfree.com with Microsoft’s IIS?

  2. Do I have to generate the public keys using openssl on the Win2003 server where the Cert will go, or can I generate them using another computer?

  3. Can I use the CSR generated from IIS, or must this all be generated from openssl?

Shame there’s not a semi-automated way to do this with letsencrypt.org, much like I’d been doing with Godaddy (show I control the site with DNS or by putting a file on the web site, submit the CSR, get back a cert with any intermediate certs, install them. Not very complicated actually. I wouldn’t mind doing that every 3 months until I moved to 2016?

Thanks!


#2
  1. Yes - review this article https://www.linkedin.com/pulse/lets-encrypt-part-2-3-repurposing-clients-making-things-andrei-hawke

  2. You don’t have to do anything - however there are easy ways of doing things and hard ways. Review the article above.

  3. I would recommend not using the CSRs from microsoft as they tend to have a whole lot of extra fields and properties which are specific for microsoft.

Shame there’s not a semi-automated way to do this with letsencrypt.org, much like I’d been doing with Godaddy (show I control the site with DNS or by putting a file on the web site, submit the CSR, get back a cert with any intermediate certs, install them. Not very complicated actually. I wouldn’t mind doing that every 3 months until I moved to 2016?

That is exactly how some of the clients work.

Review these clients:


Andrei


#3

Andrei - the zerossl.com looks very useful!!! I figured I would try to use the ‘FREE SSL Certificate Wizard’ to test things and ran into two issues (that I think have to do with letsencrypt.org).

  1. I couldn’t use the HTTP verification because it looks for a filename without an extension - and IIS on Win2003 won’t do that. I tried adding a MIME type of text with ‘.’, but that didn’t work.

Oddly enough, I’ve used HTTP verification with Godaddy before, and it looks for a file with the .html extension. It would be great if letsencrypt tried looking for the file name with an .html extension if it fails to find the file without any extension?

  2. Using DNS didn’t work for me either. It initially complained that it couldn’t find the TXT record - which was strange as the DNS server is sitting right next to me.

Possibly it was pulling the TXT from one of the secondary DNS servers at EasyDNS - which take a few hours to re-load any new changes?

But, I then thought, what if the code in the browser is talking to my internal DNS (I use a split DNS on BIND), and there was no TXT record added to my internal DNS.

So, I added the TXT to the internal DNS and instead of saying it couldn’t find it, I got a new error 'Unexpected error[code 400] status: Unable to update challenge:: response that does not complete challenge.

Not sure what that could be - as now the TXT record is on the public and my private DNS and nslookup -q=TXT _acme-challenge.mydomain.com gives me the TXT record when run locally or from a computer outside my network 30 miles away.

So, I’m dead in the water at the moment, on a stage that should be trivial to accomplish.

Any ideas? Thanks!!!


#4

review https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke

also now would be the time to provide details like what version of IIS you are using etc

Some of this may be limited by your technology setup.

If you let us know what your domain name is we can also check the DNS setup.

Boulder (LetsEncrypt Server Software) chooses a random DNS server so you need to make sure that if you have multiple DNS servers the records propagate

Also note: we are talking about DNS servers used by the wider internet not your internal DNS servers

Andrei


#5

Andrei - this is a Windows 2003 Server that runs IIS6.

The domain name I added my DNS entry for is computerdatabase.com.

I waited until dnsstuff.com’s DNSreport showed that all the DNS servers had the same version number before I hit the ‘Next’ button the last time - but that certainly might explain why it failed initially, but not why it failed the last time I tried.

When I said I have a ‘split’ BIND DNS server, I mean that the same DNS server provides my internal network’s DNS as well as the external (Internet) DNS (each has completely separate zone files).

The browser (when run from inside my network) will use my Internal local DNS setup on BIND.

Possibly this creates an issue when the DNS records that it sees don’t entirely match the ones that the letsencrypt servers would see (even after the secondary DNS servers sync up). Maybe the solution is for me to run the browser on a machine outside my network?

But, as DNS will take several hours to propagate to my secondary DNS servers, I would obviously prefer to be able to validate using HTTP with a single file - and somehow get around needing IIS6 to serve up a text file with no extension. At the very least, using a text file with no extension is going to require some very tricky changes on a Microsoft IIS - so hopefully letsencrypt will also be able to look for a .html file in the future like Godaddy does?

Possibly letsencrypt could also use the authoritative DNS server instead of a secondary?

Thanks for your help - I really appreciate it!


#6

BTW - as your great linkedin page suggests, I’d already set up the MIME “.” application/text. That doesn’t seem to work for IIS6 unfortunately.


#7

I think this is very unlikely. The current behavior was the result of a long discussion and standardization effort.

If you’d like to tell us your domain name, someone may be able to look at how you set up the DNS record for the DNS-01 challenge.


#8

Hi Seth! It’s computerdatabase.com. Thanks!


#9

Could you quote the exact error that you got about the inability to find the TXT record?


#10

'Unexpected error[code 400] status: Unable to update challenge:: response that does not complete challenge.


#11

Can you try one more time and then we could ask @cpu to look at the logs if it doesn’t complete?


#12

Also, maybe we should ask the developers of the web-based clients to add some code to diagnose failed challenges from their point of view (maybe they would be in a position to try to verify the challenges as well, and indicate to the user what they think went wrong).


#13

come on bud - a quick google of “IIS6 server files with no extension”

revealed: http://www.serverintellect.com/support/iis/enable-no-extensions/


#14

you also have 4 DNS servers

running a txt query for the challenge gives the results below

As they are all serving the same record, my suspicion is that the challenge record is wrong. I have not seen challenges that start with ‘-’ before, @schoen - have you?


#15

I was able to get the HTTP verification working by adding the MIME type I added yesterday, but had to restart IIS even though I’d checked the ‘enable direct metabase edit - allows you to edit IIS metabase configuration file while IIS is running’

So, my mistake with HTTP verification.

However, I’m running into a strange problem.

Firefox won’t let me view the site in https, and says it’s not configured properly. When I installed the cert and the intermediate cert, I got no errors.

If I run:
https://www.sslshopper.com/ssl-checker.html#hostname=computerdatabase.com

it shows no errors. The cert and intermediate cert are valid.

if I run:
https://www.sslshopper.com/ssl-checker.html#hostname=www.computerdatabase.com

it says “None of the common names in the certificate match the name that was entered (www.computerdatabase.com). You may receive an error when accessing this site in a web browser.”

My steps to create the cert were:

  1. from IIS6 - created a new cert with 4096 length.
  2. put organization www.computerdatabase.com
  3. put common name computerdatabase.com
  4. generated the cert request
  5. pasted into FREE SSL Certificate Wizard at https://zerossl.com/free-ssl/
  6. HTTP verify
  7. broke up the returning cert into 2 files
  8. imported the cert into IIS6 (all was good)
  9. imported letsencrypt intermediate cert into Intermediate Certificate Authorities
  10. Did some setup in ISA Server (created a listener for SSL)

Obviously, I’ve made some small critical error, as the SSL checker shows the cert and the intermediate cert? I can’t even view the site in http now? Ahhh!

Thanks for everyone’s patience - I probably shouldn’t work on things like this when I’m sick.
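The sslshopper result in the post above is the expected outcome of the steps listed: the CSR named only computerdatabase.com in the common name, and the organization field is never used for hostname matching, so the issued certificate does not cover www.computerdatabase.com. The following is an added example (not code from IIS, zerossl.com, Let's Encrypt or any poster) that applies the RFC 6125 matching rules a browser uses: subjectAltName DNS entries win, the commonName is only a fallback when there are no SANs, and a wildcard covers exactly one left-most label. The two certificate dicts are constructed in the shape Python's `ssl.getpeercert()` returns; they are not the real certificate for the domain, and `uncovered()` is a helper name invented here.

```python
"""Which hostnames does a certificate actually cover?

Added example for this thread; not code from IIS, zerossl.com or any
poster. The two certificate dicts are constructed in the shape that
Python's ssl.getpeercert() returns and are not the real certificate
for computerdatabase.com.
"""


def cert_names(cert):
    """Names a browser may match against. Per RFC 6125, once the
    certificate carries any DNS subjectAltName the commonName is ignored;
    organizationName never counts as a hostname."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(name, host):
    """One certificate name against one hostname. A wildcard is allowed
    only as the whole left-most label and covers exactly one label."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if name == host:
        return True
    if name.startswith("*.") and "*" not in name[2:] and "." in host:
        return host.split(".", 1)[1] == name[2:]
    return False


def hostname_matches(cert, host):
    """True if any usable name in the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names(cert))


def uncovered(cert, hosts):
    """Hostnames the site answers on that the certificate does not cover."""
    return [h for h in hosts if not hostname_matches(cert, h)]


# Constructed: what the CSR described in post #15 yields. The CA uses the
# CN as the single SAN, so only the apex name is covered.
CERT_AS_ISSUED = {
    "subject": ((("organizationName", "www.computerdatabase.com"),),
                (("commonName", "computerdatabase.com"),)),
    "subjectAltName": (("DNS", "computerdatabase.com"),),
}

# Constructed: the certificate obtained by requesting both names.
CERT_WITH_BOTH_NAMES = {
    "subject": ((("commonName", "computerdatabase.com"),),),
    "subjectAltName": (("DNS", "computerdatabase.com"),
                       ("DNS", "www.computerdatabase.com")),
}

SITE_HOSTS = ["computerdatabase.com", "www.computerdatabase.com"]

if __name__ == "__main__":
    print("issued cert misses:", uncovered(CERT_AS_ISSUED, SITE_HOSTS))
    print("two-name cert misses:", uncovered(CERT_WITH_BOTH_NAMES, SITE_HOSTS))
```

The practical fix is to request both names in one certificate (a SAN for the apex and one for www), then run this check against every hostname the ISA listener publishes before binding the certificate, so a name mismatch shows up before a browser reports it.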


#16

I believe that someone previously complained about the way that challenge filenames (in HTTP-01 challenges) can start with a hyphen, which can confuse some software that expects filenames to begin with an alphanumeric character. I think the version of base64 used by ACME can produce challenge strings that can start with a hyphen so I don’t think that’s an indication that this challenge valud is incorrect.
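Two points in this thread come from the same place: the TXT record for DNS-01 is not the token itself but a digest derived from it, and challenge tokens are base64url, so a token (and therefore an HTTP-01 filename) may legitimately begin with a hyphen and never carries an extension. The following is an added example, not code from zerossl.com, Let's Encrypt or any poster, that builds the values an ACME client publishes for one token per RFC 8555 (key authorization, HTTP-01 body, DNS-01 TXT value) and the RFC 7638 account-key thumbprint they depend on. `ACCOUNT_JWK` is a constructed placeholder, not a real key, and the token and domain are made up.

```python
"""What an ACME client has to publish for HTTP-01 and DNS-01.

Added example for this thread; it is not code from zerossl.com, Let's
Encrypt or any poster. ACCOUNT_JWK is a constructed placeholder, not a
real key, and the tokens below are made up.
"""
import base64
import hashlib
import json
import re

# ACME tokens and challenge values use base64url (RFC 4648 section 5):
# letters, digits, '-' and '_', no padding. A value may therefore start
# with '-' and never carries a file extension.
BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed placeholder account key (JWK). The modulus is not a real
# RSA modulus; only its shape matters for this demonstration.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key_0123456789",
}


def b64url(data):
    """Base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk):
    """RFC 7638 canonical form: only the required public members,
    keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JWK)): the account identifier that
    ties a challenge response to one ACME account."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def is_valid_token(token):
    """True if the token is well-formed base64url (RFC 8555 section 8.3)."""
    return bool(BASE64URL_RE.match(token))


def key_authorization(token, jwk):
    """token '.' thumbprint: the body HTTP-01 serves at
    /.well-known/acme-challenge/<token>."""
    if not is_valid_token(token):
        raise ValueError("malformed ACME token: %r" % token)
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_txt_value(token, jwk):
    """DNS-01 publishes base64url(SHA-256(key authorization)) as the TXT
    record at _acme-challenge.<domain>, NOT the raw token."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_artifacts(domain, token, jwk):
    """Everything an operator has to put in place for one token."""
    return {
        "http01_path": "/.well-known/acme-challenge/%s" % token,
        "http01_body": key_authorization(token, jwk),
        "dns01_name": "_acme-challenge.%s" % domain,
        "dns01_txt": dns01_txt_value(token, jwk),
    }


if __name__ == "__main__":
    # Constructed token that starts with '-', as the post above says can happen.
    for k, v in challenge_artifacts("example.com", "-Zq3Yf2w_9xAbCdEf", ACCOUNT_JWK).items():
        print("%-12s %s" % (k, v))
```

When a web-based wizard reports "response that does not complete challenge" for DNS-01, the value to compare against every public authoritative server is the `dns01_txt` string this produces for the account key the wizard generated, not the token shown in the browser; a TXT record holding the wrong derivation is consistent across all four servers and still fails.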


#17

I use EasyDNS for secondary DNS and also a backup mail spool. Kind of a nice feature, especially the mail spool as if I’m down due to a hardware or internet issue, my incoming mail will be cached for 5 days.


#18

hi @sslWannabe

This was a statement of fact not anything else

what i am saying is the challenge should pass as all your DNS servers are serving the same TXT records

What client did you end up using?


#19

The FREE SSL Certificate Wizard at https://zerossl.com/free-ssl/

I outlined my steps in a msg about 4 messages above.


#20

there is a very good reason why zerossl asks the question below

You should be able to figure it out from here

Andrei