Windows 2012 IIS in restricted environments


#1

Hey all, Let's Encrypt noob here. I've got what I suspect is a painfully unique set of problems, and if I'm wrong in that regard I'd love to know how I'm wrong :sweat_smile:

Goal: Use Let's Encrypt, leveraging a bot to renew certs on a Windows 2012, IIS setup.

Road bumps: Most of these boxes are in dev and are unable to be allowed out of our network for regulatory reasons. So I tried setting up win-acme.v1.9.10.1 to leverage its ability (to my understanding) to use an intermediary IIS site (which is allowed out on a different binding, "Foobar.Barfoo-dev.com"):
M: Create new certificate with advanced options
Which kind of certificate would you like to create?: 1: Single binding of an IIS site
[Picks site with port 80 binding that can't be outside: mydev1-1-1.foobar-dev.com]
How would you like to validate this certificate?: Create temporary application in IIS
Use different site for validation? (y/n): y
Validation site, must receive requests for all hosts on port 80: [Picks dummy site that is published externally]
Which installer should run for the certificate?: 3: Do not run any installation steps [just trying to get this to the point where it will make a cert, let alone install it]

The errors I get at this point are about the site I'm trying to renew not being browsable on the outside, not the dummy. At this point I'm pretty sure I misunderstand the role of the temporary IIS site option, or that I'm using it wrong.
More notes: I've also looked at Certify The Web, but it doesn't look like it can renew behind the network wall. Does anyone have any suggestions?
We need certs on these boxes for testing HTTPS dependencies in dev. At some point in staging these will have access to the outside, but it will be behind a basic auth prompt, which I suspect will cause similar road blocks.
More more notes: it looks like this uses ACME v1, and I'd need ACME v2 for wildcards, which would be ideal, though it's not 100% needed as I can have loads of certs for each of these, but a program that can do ACME v2 would be better.
Does anyone have any guidance or suggestions? I'm willing to dig through documentation if needed; I just feel like I'm going about this with some incorrect understandings.


#2

If these servers are normally only internally-accessible, I'm not sure Let's Encrypt fits your use case. You might want to consider implementing your own internal CA and have a domain policy that installs the CA as a trusted root for your domain PCs.

One option, as long as you have the ability to access external systems and update your zone, is the DNS challenge type. You can also have someone CNAME the _acme-challenge subdomain to somewhere you control, if updating these programmatically is a challenge.
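To make the DNS challenge and CNAME-delegation suggestion concrete, here is an added example (not code from this thread, from win-acme, or from Let's Encrypt) that mirrors what the CA does during DNS-01 validation: it computes the TXT value the CA expects (base64url of SHA-256 over `token.thumbprint`, per RFC 8555 with the RFC 7638 account-key thumbprint), follows the `_acme-challenge` CNAME chain to the name you actually control, and checks that the TXT record is there. The point for the internal-server case is that the TXT record must land at the delegated target, so the dev box itself never needs to be reachable from the internet. The hostnames reuse the ones mentioned in the thread; the zone contents, token and account key are constructed for the demonstration (a dictionary stands in for what a resolver would return), and `resolve_cnames`/`validate_dns01` are hypothetical helper names.

```python
"""DNS-01 challenge check with a CNAME-delegated _acme-challenge name.

Added example, not code from the thread or from win-acme. The zone data,
token and account key below are constructed; real validation is performed
by the CA's own resolvers against live DNS.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_cnames(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAME records to the name that actually holds the TXT record.

    Raises ValueError on a loop or an over-long chain, which is how a
    misconfigured delegation would fail at the CA as well.
    """
    seen = []
    while True:
        if name in seen or len(seen) > max_hops:
            raise ValueError("CNAME loop or too many hops: " + " -> ".join(seen + [name]))
        seen.append(name)
        cnames = [v for t, v in zone.get(name, []) if t == "CNAME"]
        if not cnames:
            return name
        name = cnames[0]


def validate_dns01(identifier: str, token: str, jwk: dict, zone: dict) -> bool:
    """Mirror the CA's check: locate the TXT via any CNAME chain and compare."""
    expected = dns01_txt_value(token, jwk_thumbprint(jwk))
    final_name = resolve_cnames(f"_acme-challenge.{identifier}.", zone)
    txts = [v for t, v in zone.get(final_name, []) if t == "TXT"]
    return expected in txts


# Constructed account key (not a real key) and constructed challenge token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-token-1234"

# The internal host from the thread and the externally managed name it is
# delegated to; the zone records themselves are constructed.
INTERNAL_HOST = "mydev1-1-1.foobar-dev.com"
DELEGATED = "_acme-challenge.foobar.barfoo-dev.com."

ZONE = {
    f"_acme-challenge.{INTERNAL_HOST}.": [("CNAME", DELEGATED)],
    DELEGATED: [("TXT", dns01_txt_value(TOKEN, jwk_thumbprint(ACCOUNT_JWK)))],
}

if __name__ == "__main__":
    print("TXT must be written at:", resolve_cnames(f"_acme-challenge.{INTERNAL_HOST}.", ZONE))
    print("challenge satisfied:", validate_dns01(INTERNAL_HOST, TOKEN, ACCOUNT_JWK, ZONE))
```

Against live DNS you would replace the `ZONE` dictionary with actual CNAME and TXT lookups; the check is worth running before triggering a renewal, because the CA only tells you that validation failed, not that the TXT landed at the wrong end of the CNAME chain.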

