08 March 2016

Let's Encrypt for use with IIS

There's this great thing going on in the CA world and it's called "Let's Encrypt".

Let's Encrypt is a new Certificate Authority:
It's free, automated, and open

That says it all. If you want to encrypt your website, email traffic, remote desktop connections and what have you, this is the chance to do so, and the best part is that it's free.

Okay, there's a little catch: it's not really user friendly, or Windows friendly to be exact.

But there's a strong community and the support will get better in time.
For now you have to do it this way, or at least this is how I did it:

Download the Let's Encrypt Windows Tool pre-release here:

https://github.com/Lone-Coder/letsencrypt-win-simple/releases

Extract it to a folder and leave it there: the certificate is valid for 90 days at most and the tool renews it every 60 days.

Make sure you have a host header configured on your IIS website.

Create the following directory in your webroot, for instance:

C:\Inetpub\wwwroot\Website1

Inside it you have to create this folder from a command prompt or PowerShell:

".well-known\acme-challenge"

Don't forget the dot in front of well-known. The Windows Explorer GUI won't create a folder whose name starts with a dot, so do it from the command line.

Then you have to create a web.config file in the acme-challenge folder that contains:

<?xml version="1.0" encoding="UTF-8"?>

<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/json" />
    </staticContent>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

After this, open IIS Manager and go to Server - Sites - Your website - Handler Mappings.
Select "View Ordered List" in the right pane
and move "StaticFile" above ExtensionlessUrlHandler*.
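The steps above done from PowerShell, plus a check that IIS really serves an extensionless file from the challenge folder before you run the tool. This is an added example and not part of the original post or of letsencrypt-win-simple; the site name and host header are placeholders.

```powershell
Import-Module WebAdministration
$siteName = 'Website1'                     # assumed IIS site name
$webRoot  = 'C:\Inetpub\wwwroot\Website1'  # webroot used in the post
$hostName = 'www.example.com'              # assumed host header (placeholder)

# Explorer refuses folder names that start with a dot; New-Item does not.
$challengeDir = Join-Path $webRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# The web.config from the post: serve extensionless files, allow anonymous reads.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/json" />
    </staticContent>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
'@
Set-Content -Path (Join-Path $challengeDir 'web.config') -Value $webConfig -Encoding UTF8

# HTTP-01 validation needs a plain HTTP binding carrying the host header.
$binding = Get-WebBinding -Name $siteName -Protocol http |
    Where-Object { $_.bindingInformation -like "*:$hostName" }
if (-not $binding) { throw "Site $siteName has no HTTP binding for host header $hostName" }

# Dry run: publish a constructed extensionless token file (shaped like an ACME
# challenge) and fetch it. A 404 usually means StaticFile is still ordered below
# ExtensionlessUrlHandler; a 401 means the authorization rule is not taking effect.
$token = 'selftest-' + [guid]::NewGuid().ToString('N')
$tokenPath = Join-Path $challengeDir $token
[IO.File]::WriteAllText($tokenPath, 'ok')
try {
    $resp = Invoke-WebRequest -Uri "http://$hostName/.well-known/acme-challenge/$token" -UseBasicParsing
    if ($resp.StatusCode -eq 200 -and $resp.Content -eq 'ok') {
        Write-Host 'Challenge folder is served correctly; the Let''s Encrypt tool can run now.'
    } else { Write-Warning "Unexpected response $($resp.StatusCode) for the test token" }
} catch {
    Write-Warning "Test token not reachable: $($_.Exception.Message)"
} finally {
    Remove-Item $tokenPath -ErrorAction SilentlyContinue
}
```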

After this you run the tool and, if all goes well, you will have a third-party certificate trusted by all common browsers, giving you a green bar or green lock sign depending on which browser you use.

Every 60 days the certificate is renewed automatically by a scheduled task.

Good luck, and safe browsing :-)

