Let’s Encrypt SSL/TLS Certificates for IIS

The number of websites embracing Transport Layer Security (TLS) is increasing. It’s more commonly known by its previous name, Secure Sockets Layer (SSL). The green padlock in our browsers gives us comfort that the connection between browser and web server is encrypted. But why should websites bother, if we’re not handling bank or credit card details? There are a few good reasons – using public wifi, even when it’s encrypted, allows anyone else on that network to sniff what you’re up to. Malicious tools such as the WiFi Pineapple are frankly terrifying when you see that they can pretend to be a network that your device already trusts.

If you’re a user of a public wifi service, such as Virgin Media WiFi on the London Underground, the first time you visit a non-TLS website, your request is intercepted and redirected to a splash screen. TLS websites go straight through.

Another reason if you’re running a site?  Google allegedly boosts your search results if your website implements TLS vs those that are unencrypted.

So, TLS is a good idea. But for a long time, it was expensive to get a certificate. It’s getting cheaper – ssls.com from Namecheap offers certificates for $4.99. Comodo offer a free 90-day certificate, but will only issue it once. GoDaddy offer expensive certificates that are heavily discounted for the first year, but sting you in year two.

Let’s Encrypt is a new SSL/TLS certificate authority. They’ve got some big name sponsors including Facebook, Akamai, Cisco and Automattic (who make WordPress). They offer a service where you generate yourself a TLS certificate using a Python client; the certificate is valid for 90 days. The idea is that short-life certificates are less likely to be compromised over time. If you’re running on Linux, Let’s Encrypt can request a new certificate on a regular basis (Let’s Encrypt suggest running this automatically every 60 days). If it’s automated and regular, it’s less likely to fail than a manual process that is installed by hand every 2 years (or more likely, forgotten after 2 years, and hurriedly renewed).

I run a Windows web server running IIS, but I’d still like to generate TLS certificates using Let’s Encrypt – I’ll just need to put in a diary entry for every quarter.  I’m sure that Windows clients will arrive eventually, but for now, let’s generate on Linux – in my case, a Raspberry Pi.  Here’s what to run on your Pi command line to clone the latest copy of Let’s Encrypt from GitHub, and then request a manual certificate:

The first stage, “Updating letsencrypt and virtual environment dependencies”, can take a couple of minutes.

If it’s the first time you’ve run, you’ll be asked for your email address.

Next, enter the domain names you’d like a certificate for.  You can enter up to 100 domains comma separated, all to be issued in the same certificate. An example might be domain.com,www.domain.com,mail.domain.com,domain.net.
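The clone-and-request step described above, together with the 100-domain limit, as an added example that is not code from the original post. It wraps the manual certificate request in a small POSIX shell script that validates the comma-separated domain list and builds the letsencrypt-auto command with one -d flag per domain. It assumes the client repository has been cloned into ./letsencrypt and that LE_EMAIL holds your account address (the you@example.com default is a placeholder).

```sh
#!/bin/sh
# Added example (not code from the original post): a wrapper around the manual
# certificate request described above. It validates the comma-separated domain
# list (the client accepts at most 100 names in one certificate) and builds the
# letsencrypt-auto "certonly --manual" command with one -d flag per domain.
# Assumptions: the client repository has been cloned into ./letsencrypt, and
# LE_EMAIL holds the account address (the you@example.com default is a placeholder).

# le_request_cmd "domain.com,www.domain.com"  -> prints the command to run.
# Exits non-zero for an empty list, more than 100 names, or a name that is not
# a plausible DNS hostname (lower-case labels of letters, digits and hyphens).
le_request_cmd() (
  set -f                      # no filename globbing while splitting the list
  count=0
  args=""
  IFS=','
  for d in $1; do
    d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
      || { echo "invalid domain: $d" >&2; exit 1; }
    count=$((count + 1))
    args="$args -d $d"
  done
  [ "$count" -ge 1 ]   || { echo "no domains given" >&2; exit 1; }
  [ "$count" -le 100 ] || { echo "too many domains: $count (limit 100)" >&2; exit 1; }
  printf 'sudo ./letsencrypt-auto certonly --manual --email %s%s\n' \
    "${LE_EMAIL:-you@example.com}" "$args"
)

# One-time setup on the Pi, as the post describes (needs network; not run here):
#   git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
# le_request runs the built command; the client then prints one challenge
# (filename and file content) per domain for you to place on the IIS server.
le_request() {
  cmd=$(le_request_cmd "$1") || return 1
  echo "running: $cmd"
  eval "$cmd"
}

# Show the command that would be run for the post's example domain list.
le_request_cmd "domain.com,www.domain.com,mail.domain.com,domain.net"
```

Passing --email avoids the first-run prompt for an address; the challenge prompts that follow are still interactive, so this is a helper for the quarterly diary entry rather than a fully unattended renewal.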

The next step is the authentication process – to ensure we own those domains, we’re asked to place a file in a particular location, http://domain.com/.well-known/acme-challenge/filename.

[Screenshot: Let’s Encrypt console showing the challenge filename]

We’ll need to create those text files and place them in .well-known/acme-challenge with the right filename. If multiple domains were specified in the list, you’ll need to do this once per domain.

The challenge files that are generated have no extension, and by default IIS won’t serve files whose extension has no MIME type mapping. We need a web.config file in the .well-known/acme-challenge folder to specify that files with no extension are safe to be served as text files:
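The challenge-file and web.config steps above, as an added example that is not code from the original post. The script stages, on the Pi, the exact folder tree the IIS site root needs (the extensionless challenge file plus a web.config scoped to the acme-challenge folder), ready to copy across with WinSCP. The token and file content used in the sample run are constructed placeholders; in a real run both come from the letsencrypt console output.

```sh
#!/bin/sh
# Added example (not code from the original post). Builds the directory tree
# the IIS site needs for the challenge, ready to copy to the site root with
# WinSCP: the extensionless challenge file plus the web.config that lets IIS
# serve extensionless files as text/plain. The token and content used at the
# bottom are constructed placeholders; take the real ones from the console.

# stage_acme_challenge STAGE_DIR FILENAME CONTENT
stage_acme_challenge() (
  stage="$1"; name="$2"; content="$3"
  dir="$stage/.well-known/acme-challenge"
  # Real challenge filenames have no dot and no path separator; anything else
  # would land outside the folder or overwrite web.config itself.
  case "$name" in
    ""|*/*|*.*) echo "refusing unexpected challenge filename: $name" >&2; exit 1 ;;
  esac
  mkdir -p "$dir"
  # The challenge body is compared byte for byte, so write it without a
  # trailing newline.
  printf '%s' "$content" > "$dir/$name"
  # IIS only serves static files whose extension has a MIME mapping; the "."
  # pseudo-extension maps files with no extension. Placing this web.config in
  # the acme-challenge folder limits the change to that folder.
  cat > "$dir/web.config" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
EOF
  echo "staged $dir/$name and $dir/web.config"
)

# Constructed sample run (placeholder values, not real challenge data).
stage_acme_challenge "$(mktemp -d)" \
  "constructed-token-AbC123" \
  "constructed-token-AbC123.constructed-account-thumbprint"
```

Copy the whole .well-known folder to the site root, then fetch http://domain.com/.well-known/acme-challenge/filename in a browser before pressing Enter on the Pi: if IIS returns 404 rather than the file content, the web.config has not taken effect (on an ASP.NET MVC site, extensionless routing can also swallow the request before the static file handler sees it).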

Success – if we have authenticated correctly, our certificates are generated in /etc/letsencrypt/live/domain.com/fullchain.pem.

Normal users don’t have permissions to that folder, so to have a look inside we’ll need to use sudo ls /etc/letsencrypt/live/domain.com/

Inside we see cert.pem, chain.pem, fullchain.pem, privkey.pem. These are great if we’re running Apache or nginx, but for an IIS server we need to create a .pfx file. To do this, we need to:

When this runs, you’ll be asked to choose a password to secure the pfx file, and confirm it.

We run this using sudo as we need to be able to access the files in /etc/letsencrypt. domain.com.pfx is generated; we can use WinSCP to copy the pfx file to your Windows desktop. Then, on the server:

  1. Use remote desktop to your Windows server, and copy-and-paste your pfx certificate to a folder on your server.
  2. Open IIS Manager, and select your server name. Scroll down and open Server Certificates.
  3. Choose Import on the right hand side. Browse to the pfx file you copied to the server, and enter the password you chose above. You’ll see the certificate in the list.
  4. Go back to IIS Manager, and expand the list of sites. Choose the site to be secured, and choose Bindings on the right hand side.
  5. If you’ve not got https already listed, click Add, otherwise choose Edit. With Type set to https, a list of certificates to choose from will appear at the bottom. Choose the certificate you imported, and apply.
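The PEM-to-pfx conversion described above, as an added example that is not code from the original post. It bundles privkey.pem, cert.pem and chain.pem into the PKCS#12 file IIS imports, then reads the bundle back to confirm the private key and the end-entity certificate are inside. So that it runs offline, it first constructs a throwaway CA and a leaf certificate for domain.com laid out with the /etc/letsencrypt/live/domain.com/ file names; those files are constructed test material, not Let’s Encrypt output. Point make_pfx at the real live folder (under sudo) to convert a real certificate.

```sh
#!/bin/sh
# Added example (not code from the original post): convert the Let's Encrypt
# PEM files into the .pfx bundle IIS imports, and verify the result.

# make_pfx LIVE_DIR OUT_PFX [PASSWORD]
# Bundles privkey.pem + cert.pem + chain.pem from LIVE_DIR into OUT_PFX.
# With no password argument openssl prompts and confirms, as the post
# describes; a pass: argument is handy for scripting but visible in `ps`.
make_pfx() (
  live="$1"; out="$2"; pw="$3"
  if [ -n "$pw" ]; then set -- -passout "pass:$pw"; else set --; fi
  openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/cert.pem" \
    -certfile "$live/chain.pem" -name "$(basename "$live")" -out "$out" "$@"
)

# verify_pfx OUT_PFX PASSWORD EXPECTED_CN
# Succeeds only if the bundle opens with PASSWORD, contains a private key,
# and the end-entity certificate's subject CN is EXPECTED_CN.
verify_pfx() (
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || exit 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | grep -q "CN *= *$3\$" || exit 1
)

# make_fake_live_dir DIR
# Constructed test material (NOT real Let's Encrypt files): a one-off CA whose
# certificate plays the role of chain.pem, and a leaf certificate for
# domain.com signed by it, written with the live/ file names.
make_fake_live_dir() (
  live="$1"
  mkdir -p "$live"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$live/ca.key" \
    -out "$live/chain.pem" -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$live/privkey.pem" \
    -out "$live/req.csr" -subj "/CN=domain.com" 2>/dev/null
  openssl x509 -req -days 1 -in "$live/req.csr" -CA "$live/chain.pem" \
    -CAkey "$live/ca.key" -CAcreateserial -out "$live/cert.pem" 2>/dev/null
  cat "$live/cert.pem" "$live/chain.pem" > "$live/fullchain.pem"
)

# demo_pfx: end to end on constructed material; returns 0 when the pfx verifies.
demo_pfx() (
  work=$(mktemp -d)
  make_fake_live_dir "$work/live/domain.com"
  make_pfx "$work/live/domain.com" "$work/domain.com.pfx" "choose-a-real-password"
  verify_pfx "$work/domain.com.pfx" "choose-a-real-password" "domain.com"
)

demo_pfx && echo "constructed domain.com.pfx built and verified"
```

For the real files, run make_pfx under sudo exactly as the post says (sudo sh -c or a root shell, since the private key is only readable by root). One caveat for newer Pis: OpenSSL 3.x protects the pfx with AES and PBKDF2 by default, which Server 2008 R2 cannot import; add -legacy to the openssl pkcs12 -export line there, or import on a newer Windows release.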

Note that Server 2008 R2 can only bind one certificate per IP address.  Using one certificate with multiple domains (as above) is one way around this. Your web host may support adding an extra IP where possible.  If you’re running Server 2012 or later, IIS supports SNI (Server Name Indication) which allows multiple certificates on a single IP address.

Visit https://yourdomain.com and enjoy the green padlock goodness. Well, for 90 days, until the process is repeated.


One thought on “Let’s Encrypt SSL/TLS Certificates for IIS”

  1. After turning on TLS for the first time in IIS, you’ll want to run a tool such as https://www.ssllabs.com/ssltest/ to see if you’ve got any configuration issues (ensuring you tick Do Not Show Results). To improve your score, run the PowerShell script from https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 to mitigate POODLE attacks. The highest rating IIS can achieve is an A. For an A+ rating, you will need to specify https only using a 6-month+ HSTS header.
