
Setting up SSL/TLS for Adams Web and Adams Admin

These steps apply to IIS 7 - 10.

Create a DNS Entry

Create a DNS entry for the web server's public IP. This is the host name, for example myserver.agency.gov.

Open Port 80

In IIS, create a binding for port 80 and the host name from the DNS entry.

  1. Select the Default Web Site node

  2. Select Bindings... in the Actions pane

  3. Select Add

    1. Type - http

    2. IP Address - All Unassigned

    3. Port - 80

    4. Host name - name from the DNS entry

    5. Select OK

  4. Select Close

  5. Select Restart in the Actions pane

In the firewall, make sure that ports 80 and 443 are open to all IPs (World Wide Web Services… firewall rules).

These are needed to get the original certificate and for it to be renewed.

Verify IIS Can be Reached

Open http://myserver.agency.gov from both within the VM and from outside the network. Verify that the default IIS page is displayed, indicating that IIS is reachable.

If either test fails, check firewall settings, VM networking rules (for Azure), and anything else that could be blocking requests.

Set Up a Certificate

Get a certificate from Let's Encrypt using win-acme.  Win-acme is a free program that uses Let's Encrypt to generate a certificate that expires every 90 days, configures IIS with the certificate and automatically renews the certificate.

  1. Download win-acme

  2. Extract the zip

  3. Run wacs.exe with admin privileges

  4. M - Create certificate (full options)

  5. 2 - Manual input

  6. Enter the server’s public FQDN (ex: myserver.myorg.com)

  7. <Enter> - accept the server’s FQDN as the friendly name

  8. 4 - Single certificate

  9. 2 - [http] Serve verification files from memory

  10. 2 - RSA

  11. 4 - Windows Certificate Store (Local Computer)

  12. 2 - [My] - General computer store (for Exchange/RDS)

  13. 5 - No (additional) store steps

  14. 1 - Create or update bindings in IIS

  15. 1 - Default Web Site

  16. 3 - No (additional) installation steps

  17. N - Open in default application

  18. Y - Do you agree with the terms

  19. Enter an email address for notifications about problems and abuse

  20. N - Do you want to specify the user the task will run as

  21. Q - Quit

At this point, the certificate should be in the server's certificate store, and an IIS binding for port 443 using the certificate and the host name should have been created. The certificate will be set up to auto-renew every 30 days.

The files related to the certificate are under C:\ProgramData\win-acme.

Verification

Try to access the website using HTTPS. It should succeed and there should be a lock icon.
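
The same checks can be scripted. The following PowerShell is an added example, not part of win-acme or the original page: it confirms the port 443 binding, the certificate in the Local Computer store, a validated TLS handshake, and the renewal task. The host name is the page's example value, and the `win-acme*` scheduled task name pattern is an assumption.

```powershell
# Added example; run in an elevated PowerShell session on the IIS server.
# $HostName is the example value from this page; replace it with your DNS entry.
$HostName = 'myserver.agency.gov'
$SiteName = 'Default Web Site'
Import-Module WebAdministration

# 1. IIS binding: https on port 443 carrying the host name.
$binding = Get-WebBinding -Name $SiteName -Protocol 'https' |
    Where-Object { $_.bindingInformation -like "*:443:$HostName" } |
    Select-Object -First 1
if (-not $binding) { throw "No https binding for ${HostName}:443 on '$SiteName'" }

# 2. The bound certificate must exist in the Local Computer 'My' store.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert) { throw "Bound certificate $($binding.certificateHash) not in LocalMachine\My" }

# 3. Live handshake: AuthenticateAsClient throws if the chain or host name fails validation.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $protocol = $ssl.SslProtocol
} finally {
    $tcp.Close()
}

# 4. Renewal task registered by win-acme (task name pattern is an assumption).
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like 'win-acme*' } |
    Select-Object -First 1
$nextRun = if ($task) { ($task | Get-ScheduledTaskInfo).NextRunTime } else { $null }

# Summary: the served certificate should be the one bound in IIS, with days to spare.
[pscustomobject]@{
    Host               = $HostName
    ServedMatchesBound = ($served.Thumbprint -eq $cert.Thumbprint)
    Issuer             = $served.Issuer
    NotAfter           = $served.NotAfter
    DaysLeft           = [math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
    Protocol           = $protocol
    RenewalTaskFound   = [bool]$task
    RenewalNextRun     = $nextRun
}
```

A `DaysLeft` value that keeps falling across renewal windows, or `RenewalTaskFound` being false, means renewal is not running and the certificate will expire.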


