Using RDP with a Let's Encrypt Cert Win 10

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
c-73-146-236-158.hsd1.in.comcast.net
I ran this command:
.\wacs.exe
It produced this output:
Validation failure
My web server is (include version):
RDP
The operating system my web server runs on is (include version):
Windows 10
My hosting provider, if applicable, is:
Comcast
I can login to a root shell on my machine (yes or no, or I don't know):
Yes (admin)
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
win-acme 2.1.18

Hi Support,

I have experience with using certificates in a Linux environment but not in Windows. I ran into an issue helping my wife at her store where the PCI security scan failed because by default the certificate for RDP is self-signed. Looking around on Stack Exchange I see that a Let's Encrypt cert should work. So my question is whether it is possible to obtain a Let's Encrypt cert with the network setup at my wife's business. I have turned off the RDP port until I can sort this out.

At the business we are running a Windows 10 Pro PC behind a cable modem using an assigned DHCP address belonging to Comcast. The DNS address is fixed but not precisely static. The modem is set to forward RDP session requests to the PC. The PC uses a 10 network address set up by the cable modem. We don't run IIS or Windows Server on the PC. I am using the win-acme.exe client and the validation step fails, presumably because my wife's business does not own the DNS address. Under these circumstances is it possible to use a Let's Encrypt certificate with RDP? If not, do you have any recommendations?

Thanks greatly in advance for any help and apologies if I missed a relevant support article.

Fred

I know you're probably not looking for larger security advice, but I would be remiss if I didn't recommend you stop exposing that PC directly to the Internet using RDP, particularly if it's business critical or has customer data on it. If you absolutely need remote GUI access to the machine, use something like AnyDesk that supports two-factor authentication and doesn't require a port forward on your router.

That said, there are a number of ways you should be able to get a cert for this machine. And while you can likely get one using the comcast hostname (unless Comcast has published a CAA record preventing it), you probably don't want to because the name appears to be tied to the IP which will inevitably change over time.

You didn't specify what options you used with win-acme, but if it was using HTTP validation with a self-hosted web server, validation probably failed because you need to set up another port forward on your router for HTTP port 80.

As far as the name is concerned, does your NAT router support any dynamic DNS services? That would probably be an easier way to get a stable hostname. The other option is to purchase a domain and script your own dynamic DNS update which also then allows you to use DNS validation instead of HTTP validation.

1 Like
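Once win-acme has issued a certificate for a stable hostname, the step the thread leaves implicit is making the RDP listener present it instead of the self-signed one. The PowerShell below is an added example, not code from the thread or from win-acme; it assumes Windows PowerShell 5.1 run as Administrator, that the certificate was installed in LocalMachine\My, and uses a placeholder hostname.

```powershell
# Added example, not from the thread or from win-acme. Assumes Windows PowerShell 5.1
# run as Administrator, and that win-acme stored the certificate in LocalMachine\My.
$HostName = 'rdp.example.test'   # placeholder: the stable hostname the cert was issued for

# Pick the newest unexpired certificate that carries the hostname in its SAN list.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $HostName in LocalMachine\My" }

# A self-signed certificate is what the PCI scan objected to, so refuse to bind one.
if ($cert.Subject -eq $cert.Issuer) { throw "Certificate $($cert.Thumbprint) is self-signed" }

# The RDP listener is modelled by Win32_TSGeneralSetting; its SSLCertificateSHA1Hash
# property selects which machine-store certificate the listener presents to clients.
$wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
          Filter = "TerminalName='RDP-Tcp'" }
$listener = Get-WmiObject @wmi
Write-Host "Listener currently presents: $($listener.SSLCertificateSHA1Hash)"

Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read the setting back rather than trusting that the call succeeded.
$after = Get-WmiObject @wmi
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "Binding failed; listener still presents $($after.SSLCertificateSHA1Hash)"
}
Write-Host "RDP-Tcp now presents $($cert.Subject) (expires $($cert.NotAfter))"
```

Let's Encrypt certificates are valid for 90 days, so this has to run again after every renewal; win-acme can be configured to run a script as part of each renewal.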

Thanks! Using AnyDesk is a good idea. I am protecting RDP with Duo but I probably do need to rethink what I am doing.

I will try your other suggestions mainly out of curiosity.

Thanks again for your welcome security advice...

Fred

1 Like

Nice. Duo is great! I use it myself. As long as you've got 2FA going, that's mostly what matters.

1 Like
