SSL/TLS using Let's Encrypt
Setting up SSL/TLS for Adams Web and Adams Admin
These steps apply to IIS 7 - 10.
Create a DNS Entry
Create a DNS entry for the web server's public IP. This is the host name. For example myserver.agency.gov
.
Open Port 80
In IIS, create a binding for port 80 and the host name from the DNS entry.
Select the Default Web Site node
Select Bindings... in the Actions pane
Select Add
Type - http
IP Address - All Unassigned
Port - 80
Host name - name from the DNS entry
Select OK
Select Close
Select Restart in the Actions pane
In the firewall, make sure that port 80 and 443 are open to all IPs (World Wide Web Services… firewall rules).
These are needed to get the original certificate and for it to be renewed.
Verify IIS Can be Reached
Open http://myserver.agency.gov from both within the VM and also from outside the network. Verify that the default IIS page is displayed indicating that IIS is reachable.
If either test fails check firewall settings, VM Networking rules (for Azure), and anything else that could be blocking requests.
Setup a Certificate
Get a certificate from Let's Encrypt using win-acme. Win-acme is a free program that uses Let's Encrypt to generate a certificate that expires every 90 days, configures IIS with the certificate and automatically renews the certificate.
Download and Prepare win-acme
Download win-acme
Extra the zip
From the win-acme extracted directory open
settings_default.json
in your favorite text editorFind
PrivateKeyExportable
and change the value from false to trueCopy the contents of the extracted directory to a permanent location such as
C:\Program Files\win-acme
v2.2.8 of win-acme or later is required
Create the Certificate
Run wacs.exe with admin privileges from the permanent location
M - Create certificate (full options)
2 - Manual input
Enter the server’s public FQDN (ex: myserver.myorg.com)
Friendly name: Enter the server’s public FQDN (ex: myserver.myorg.com) The default name has “[Manual]” which will cause issues.
4 - Single certificate
2 - [http] Serve verification files from memory
2 - RSA
4 - Windows Certificate Store (Local Computer)
2 - [My] - General computer store (for Exchange/RDS)
5 - No (additional) store steps
1 - Create or update bindings in IIS
1 - Default Web Site
3 - No (additional) installation steps
N - Open in default application
Y - Do you agree with the terms
Enter an email address for notifications about problems and abuse
N - Do you want to specify the user the task will run as
Q - Quit
At this point, the certificate should be in the server's certificate store and an IIS binding for port 443 using the certificate and the host name should have been created. The certificate will be setup to auto renew every 30 days.
The files related to the certificate are under C:\ProgramData\win-acme
Verification
Try to access the website using HTTPS. It should succeed and there should be a lock icon.
Force Renewal - Optional
If you need to force a renewal, such as if settings.json
has been changed.
Run wacs.exe with admin privileges from the permanent location
A - Manage renewals
S - Run the renewal (force) This forces the certificate to be re-created with an exportable key
Q - Quit
Q - Quit
© 2023 Foray, LLC - All Rights Reserved