So you mentioned two different IIS servers, that would mean port 6060 is being forwarded to a different machine internally.
Why not just have files.vaytek.com or some other subdomain instead of mapping different ports?
Did you know that IIS on a single machine can host multiple websites? That way port 80 (for http) and port 443 (for https) only need to be forwarded to one machine, or you can forward specific names to specific machines.
If you do decide you definitely need to use the same name for the two different services (it would be useful to know why) then you would need to decide whether the port 6060 service is going to be http or https.
Yes, there is a way to share certs between machines. The most popular method on Windows is the Centralized Certificate Store (CCS) feature, where you store your PFX files on a UNC share that both web servers can see, then configure IIS to pick up your websites' certs from that share. Both win-acme and Certify have methods for deploying to CCS shares with the correct file naming conventions etc.
Note though that you can technically request the "same" cert on each machine with the same set of domains; the difficulty there is that HTTP validation requires port 80, so you instead need to use DNS validation on at least one of the machines.
The simplest thing to do is have an SSL certificate for the main website which is really the only one that is used regularly by the general public. The file server site is used by our support staff to send customers download links - the customers never see the "unlocked" icon next to the URL. Still not ideal for a secure connection.
If I want SSL on both sites the next simplest setup is to have two distinct domain names - no subdomain - then one of the sites can use 443 for https and 80 for http validation and my router can figure that out. The other site would use port 6060 for https and do DNS validation in order to request and renew.
Ideally a subdomain solution would be best - is there a way to manage that without adding in the CCS to complicate the setup? Could I set up something similar to two distinct domains with domain.com on IIS-1 and subdomain.domain.com on IIS-2?
A subdomain is definitely easier than using two distinct domains. For reference, www.vaytek.com is just a subdomain of vaytek.com and is just the same as an A record in DNS [or a CNAME to vaytek.com]. So creating an A record in DNS for files pointing to the IP address of the file server would give you files.vaytek.com (for example).
The absolute easiest setup is to have both websites on the same IIS server (IIS > right-click Sites > Add Website). Then in your http binding for the website you specify the hostname(s) it will match; that's how IIS knows which site to serve up. But if you want to run 2 different IIS servers that's still fine if you just use a different name for each one.
Conventionally vaytek.com and www.vaytek.com would point to the IP address of your main website server. Then files.vaytek.com can point to the other server (or any name you want to give it).
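As an added example, not something posted in this thread or taken from the Certify or win-acme projects, this PowerShell script sets up the single-server layout described above (both sites on one IIS server, selected by host name) and also wires in the CCS share mentioned earlier; the site names, folders, share path and the account used to read the share are assumed placeholders.

```powershell
# Added example, not from this thread: one IIS server hosting both sites, selected by
# host header, with certificates read from a Centralized Certificate Store (CCS) share.
# Site names, folders, share path and the account used to read the share are assumed.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'Main';  Path = 'C:\inetpub\main';  Hosts = @('vaytek.com', 'www.vaytek.com') },
    @{ Name = 'Files'; Path = 'C:\inetpub\files'; Hosts = @('files.vaytek.com') }
)

foreach ($site in $sites) {
    New-Item -ItemType Directory -Path $site.Path -Force | Out-Null
    if (-not (Test-Path "IIS:\Sites\$($site.Name)")) {
        # Creating the site with the first host header also creates its first http binding
        New-Website -Name $site.Name -PhysicalPath $site.Path -Port 80 -HostHeader $site.Hosts[0] | Out-Null
    }
    foreach ($h in $site.Hosts) {
        # Port 80 binding: needed for plain http and for Let's Encrypt http-01 validation
        if (-not (Get-WebBinding -Name $site.Name -Protocol http -HostHeader $h)) {
            New-WebBinding -Name $site.Name -Protocol http -Port 80 -HostHeader $h
        }
        # SslFlags 3 = SNI (1) + CCS (2): IIS looks up the certificate for this host name
        # on the share (e.g. files.vaytek.com.pfx), so no cert hash is bound on this box
        if (-not (Get-WebBinding -Name $site.Name -Protocol https -HostHeader $h)) {
            New-WebBinding -Name $site.Name -Protocol https -Port 443 -HostHeader $h -SslFlags 3
        }
    }
}

# Enable the CCS provider once per server; the share is where win-acme or Certify
# drops the PFX files. The Windows feature is called Web-CertProvider.
Install-WindowsFeature Web-CertProvider | Out-Null
$ccsUser = 'VAYTEK\ccs-reader'                  # assumed read-only account for the share
$ccsPass = Read-Host 'Share account password'   # prompted rather than stored in the script
$pfxPass = Read-Host 'PFX private key password'
Enable-WebCentralCertProvider -CertStoreLocation '\\fileserver\certs' `
    -UserName $ccsUser -Password $ccsPass -PrivateKeyPassword $pfxPass

# Show what was bound; sslFlags 3 on the https rows confirms SNI + CCS are in effect
Get-WebBinding | Format-Table protocol, bindingInformation, sslFlags -AutoSize
```

With this layout only port 80 and 443 are forwarded from the router to this one machine, and the certificate for each host name is picked up from the share, so a second IIS server using the same share needs no separate certificate request.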
Thanks for replying - if you haven't noticed I have little experience as a web admin which is why I want to avoid a site migration.
To reflect back on the two server model - the router forwards all requests to the vaytek.com and www.vaytek.com server and if the request is prefixed by the subdomain then IIS can be configured to forward that request to a different server on the LAN. Once I have a subdomain I can test this with http.
Does that mean all the certificate management happens on the main server? Or... do I still need to manage a certificate on the subdomain server?
Regarding routing to the correct server, some web application firewalls can forward conditionally based on the domain name, so you could forward to the correct servers instead of proxying between them.
As an aside, generally you should think twice about hosting publicly accessible websites on your internal office infrastructure unless you've got a professionally set up DMZ/VLAN, as a determined hacker will know more about your OS/web tech than you do and be able to traverse from one of these servers to other points on your network unless they are properly segregated. I noted that some of your website pages are "classic" ASP, which is tech that dates back almost 30 years - this is a red flag in terms of likely security posture for things like SQL injection and directory traversal exploits (unrelated to certificates, but still something to consider).
Thanks again for the reply. I have been trying to get up to speed on IIS and web servers in general over the last few days. One of the things I learned about was the URL Rewrite module in IIS. I used it to force users to HTTPS if they tried HTTP.
I have set up a test server and rented a domain name (very cheap) to explore subdomains and using Let's Encrypt to install SSL certs. I will learn to use URL Rewrite to reverse proxy these practice sites (or not - could be over my head) and then approach my customer about either letting me do that or migrate (regarding your aside) to a professionally managed site.
Now I have been trying out reverse proxy - can't even get to the login page on either website yet. But I haven't finished reading.
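As an added example, not the original poster's own configuration, this is the kind of URL Rewrite rule the post above refers to, written as PowerShell that drops a web.config into the site root (the root path is assumed). It redirects plain-HTTP requests to HTTPS but leaves the ACME challenge path untouched, so a port-80 http-01 validation still succeeds before the HTTPS binding has a valid certificate.

```powershell
# Added example: write a web.config with a URL Rewrite rule that sends plain-HTTP
# requests to HTTPS, while leaving the ACME http-01 path alone so Let's Encrypt
# validation over port 80 keeps working. The site root path is assumed.
$siteRoot = 'C:\inetpub\files'

$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- only fire when the request arrived over plain HTTP -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <!-- skip the challenge directory the ACME client serves for http-01 -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <!-- {HTTP_HOST} keeps the requested host name, {R:1} the original path;
               the query string is appended by default -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

# Requires the URL Rewrite module to be installed on the server, otherwise IIS
# rejects the <rewrite> section with a 500.19 configuration error
Set-Content -Path (Join-Path $siteRoot 'web.config') -Value $webConfig -Encoding UTF8
```

URL Rewrite alone can only redirect or rewrite within the site; proxying to a second server on the LAN additionally needs the Application Request Routing module installed with its proxy setting enabled, a common cause of reverse-proxy rules that never reach the back end.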