SSL/TLS using Let's Encrypt

Owned by Mont Rothstein
Last updated: Mar 05, 2024
2 min read

Setting up SSL/TLS for Adams Web and Adams Admin

These steps apply to IIS 7 - 10.

Create a DNS Entry

Create a DNS entry for the web server's public IP.  This is the host name.  For example myserver.agency.gov.

Open Port 80

In IIS, create a binding for port 80 and the host name from the DNS entry.

  1. Select the Default Web Site node

  2. Select Bindings... in the Actions pane

  3. Select Add

    1. Type - http

    2. IP Address - All Unassigned

    3. Port - 80

    4. Host name - name from the DNS entry

    5. Select OK

  4. Select Close

  5. Select Restart in the Actions pane

In the firewall, make sure that port 80 and 443 are open to all IPs (World Wide Web Services… firewall rules). 

These are needed to get the original certificate and for it to be renewed.

Verify IIS Can be Reached

Open http://myserver.agency.gov from both within the VM and also from outside the network. Verify that the default IIS page is displayed indicating that IIS is reachable.

If either test fails check firewall settings, VM Networking rules (for Azure), and anything else that could be blocking requests.

Setup a Certificate

Get a certificate from Let's Encrypt using win-acme.  Win-acme is a free program that uses Let's Encrypt to generate a certificate that expires every 90 days, configures IIS with the certificate and automatically renews the certificate.

Download and Prepare win-acme

  1. Download win-acme

  2. Extra the zip

  3. From the win-acme extracted directory open settings_default.json in your favorite text editor

  4. Find PrivateKeyExportable and change the value from false to true

  5. Copy the contents of the extracted directory to a permanent location such as C:\Program Files\win-acme

v2.2.8 of win-acme or later is required

Create the Certificate

  1. Run wacs.exe with admin privileges from the permanent location

  2. M - Create certificate (full options)

  3. 2 - Manual input

  4. Enter the server’s public FQDN (ex: myserver.myorg.com)

  5. Friendly name: Enter the server’s public FQDN (ex: myserver.myorg.com) The default name has “[Manual]” which will cause issues.

  6. 4 - Single certificate

  7. 2 - [http] Serve verification files from memory

  8. 2 - RSA

  9. 4 - Windows Certificate Store (Local Computer)

  10. 2 - [My] - General computer store (for Exchange/RDS)

  11. 5 - No (additional) store steps

  12. 1 - Create or update bindings in IIS

  13. 1 - Default Web Site

  14. 3 - No (additional) installation steps

  15. N - Open in default application

  16. Y - Do you agree with the terms

  17. Enter an email address for notifications about problems and abuse

  18. N - Do you want to specify the user the task will run as

  19. Q - Quit

At this point, the certificate should be in the server's certificate store and an IIS binding for port 443 using the certificate and the host name should have been created. The certificate will be setup to auto renew every 30 days.

The files related to the certificate are under C:\ProgramData\win-acme

Verification

Try to access the website using HTTPS. It should succeed and there should be a lock icon.

Force Renewal - Optional

If you need to force a renewal, such as if settings.json has been changed.

  1. Run wacs.exe with admin privileges from the permanent location

  2. A - Manage renewals

  3. S - Run the renewal (force) This forces the certificate to be re-created with an exportable key

  4. Q - Quit

  5. Q - Quit

 

© 2023 Foray, LLC - All Rights Reserved