SSL/TLS using Let's Encrypt and GoDaddy DNS

Setting up SSL/TLS for Adams Web and Adams Admin

These steps apply to IIS 7 - 10.

Create a DNS Entry

Create a DNS entry that maps the web server's host name to its public IP, for example myserver.agency.gov. This host name is used throughout the steps below.

Setup a Certificate

Get a certificate from Let's Encrypt using win-acme. win-acme is a free program that uses Let's Encrypt to issue a certificate that expires every 90 days, configures IIS with the certificate, and automatically renews it.

Download and Prepare win-acme

  1. Download win-acme

  2. Extract the zip

  3. From the win-acme extracted directory open settings_default.json in your favorite text editor

  4. Find PrivateKeyExportable and change the value from false to true

  5. Copy the contents of the extracted directory to a permanent location such as C:\Program Files\win-acme

win-acme v2.2.8 or later is required.

Download the GoDaddy plugin for win-acme

  1. Open the win-acme GitHub releases page

  2. Select the latest release (ex: 2.2.9.1)

  3. Expand Assets

  4. Click “Show all XX assets”

  5. Download the GoDaddy plugin zip

  6. Extract the zip to the same directory as win-acme, such as C:\Program Files\win-acme

  7. Unblock both extracted DLLs: PKISharp.WACS.Plugins.ValidationPlugins.Godaddy.dll and Newtonsoft.Json.dll

    1. Properties → General → Unblock

    2. Check the Unblock box if it is present

    3. OK

  8. Verify the plugin loads by running .\wacs.exe --verbose from PowerShell

  9. You should see something similar to:

[VERB] Loaded validation plugin GodaddyDnsValidation from C:\Program Files\win-acme\PKISharp.WACS.Plugins.ValidationPlugins.Godaddy.dll

Create GoDaddy API Key

This only needs to be done once per GoDaddy account.

  1. Go to https://developer.godaddy.com/keys

  2. Create New API Key

  3. Name - Ex: ADAMS SaaS

  4. Environment - Production

  5. Next

  6. Store the Key and Secret in a password manager

Create the Certificate from the Command Line

Replace the values in <> and run from an elevated command line.

.\wacs.exe --target manual --host "<SERVER FQDN>" --friendlyname "<SERVER FQDN>" --validation godaddy --apikey "<API KEY>" --apisecret "<API SECRET>" --store certificatestore --certificatestore "My" --installation iis --installationsiteid 1 --emailaddress "<EMAIL ADDRESS>" --accepttos

The output of the above command should end in:

Next renewal due after YYYY/MM/DD
Certificate <MY FQDN> created

Verify

.\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/" --verbose

This output should contain:

[VERB] [HTTP] Request completed with status OK

Troubleshooting

If the certificate creation fails, particularly with the following in the output:

[FQDN] Authorization result: invalid

This is most likely because the DNS record that win-acme just created has not yet propagated from the GoDaddy DNS servers that win-acme tests to the DNS servers used by Let’s Encrypt. A retry (re-run the command) may work. If not, do the following:

  1. Edit C:\Program Files\win-acme\settings.json

  2. Change PreValidateDnsRetryInterval from 30 to 300

  3. Save

  4. Run the wacs.exe command
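Both settings edits in this guide (PrivateKeyExportable in step 4 of "Download and Prepare win-acme", and PreValidateDnsRetryInterval in the troubleshooting steps above) are the same kind of change to a win-acme JSON file. The script below is an added example, not part of the original guide or of win-acme; it assumes win-acme is installed under C:\Program Files\win-acme, that its settings files are plain JSON without comments, and PowerShell 5.1. It takes a backup before rewriting each file and refuses to write if the property is not found exactly once.

```powershell
# Added example; not part of the original guide or of win-acme itself.
# Assumes: win-acme under C:\Program Files\win-acme, plain-JSON settings files, PowerShell 5.1.
$WacsDir = 'C:\Program Files\win-acme'

function Set-JsonProperty {
    # Walks a ConvertFrom-Json object tree and sets every property named $Name to $Value,
    # so the caller does not need to know which section of the settings file holds it.
    # Returns the number of properties changed.
    param($Node, [string]$Name, $Value)
    $changed = 0
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -eq $Name) { $p.Value = $Value; $changed++ }
            else { $changed += Set-JsonProperty -Node $p.Value -Name $Name -Value $Value }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        foreach ($item in $Node) { $changed += Set-JsonProperty -Node $item -Name $Name -Value $Value }
    }
    return $changed
}

function Set-WacsSetting {
    # Rewrites one win-acme settings file with a single property changed, after taking a backup.
    param([string]$File, [string]$Name, $Value)
    $path = Join-Path $WacsDir $File
    $json = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json
    $n = Set-JsonProperty -Node $json -Name $Name -Value $Value
    if ($n -ne 1) { throw "Expected exactly one '$Name' in $File but found $n; edit it by hand." }
    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force
    # -Depth 20: the default depth of 2 would silently flatten nested sections
    $json | ConvertTo-Json -Depth 20 | Set-Content -LiteralPath $path -Encoding UTF8
    Write-Host "${File}: $Name set to $Value (backup at $path.bak)"
}

# Step 4 of "Download and Prepare win-acme": make the private key exportable before the first run.
Set-WacsSetting -File 'settings_default.json' -Name 'PrivateKeyExportable' -Value $true

# Troubleshooting step 2: give the GoDaddy record more time to propagate before validation.
Set-WacsSetting -File 'settings.json' -Name 'PreValidateDnsRetryInterval' -Value 300
```

After changing PrivateKeyExportable on an existing installation, use the "Force Renewal" steps later in this guide so the certificate is re-created with an exportable key.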

Create the Certificate Manually

  1. Run wacs.exe with admin privileges from the permanent location

  2. M - Create certificate (full options)

  3. 2 - Manual input

  4. Host: enter the server’s public FQDN (ex: myserver.myorg.com)

  5. Friendly name: enter the server’s public FQDN (ex: myserver.myorg.com). The default name contains “[Manual]”, which will cause issues.

  6. 4 - Single certificate

  7. 6 - [dns] Create verification records in Godaddy DNS

  8. 1 - Type/paste in console, then paste in the API Key value

  9. Save to the vault - No

  10. 1 - Type/paste in console, then paste in the API Secret value

  11. Save to the vault - No

  12. 2 - RSA

  13. 4 - Windows Certificate Store (Local Computer)

  14. 2 - [My] - General computer store (for Exchange/RDS)

  15. 5 - No (additional) store steps

  16. 1 - Create or update bindings in IIS

  17. 1 - Default Web Site

  18. 3 - No (additional) installation steps

  19. N - Open in default application

  20. Y - Do you agree with the terms

  21. Enter an email address for notifications about problems and abuse

  22. N - Do you want to specify the user the task will run as

  23. Q - Quit

At this point, the certificate should be in the server's certificate store, and an IIS binding for port 443 using the certificate and the host name should have been created. The certificate will be set up to auto-renew every 30 days.

The files related to the certificate are under C:\ProgramData\win-acme.

Verification

Try to access the website using HTTPS. It should succeed and there should be a lock icon.
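The browser lock icon only tells you that some valid certificate was served. The script below is an added example, not from the original guide or from win-acme, that checks the three things the steps above were supposed to produce: a certificate for the FQDN in the Local Computer "My" store, a private key attached to it, and an IIS https binding on 443 that uses that exact thumbprint. It assumes the IIS WebAdministration PowerShell module is available and takes the host name as $Fqdn.

```powershell
# Added example; not from the original guide or from win-acme.
# Assumes: certificate stored in LocalMachine\My, IIS WebAdministration module available.
param([Parameter(Mandatory)][string]$Fqdn)
Import-Module WebAdministration

# Newest certificate in the machine store whose subject alternative names include the FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn in Cert:\LocalMachine\My; was the store step skipped?" }

# The https binding on 443 must reference this exact thumbprint, otherwise IIS still serves an old certificate
$binding = Get-WebBinding -Protocol https -Port 443 |
    Where-Object { $_.certificateHash -eq $cert.Thumbprint }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
$result = [pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    IisBinding    = $(if ($binding) { $binding.bindingInformation -join ', ' } else { 'MISSING' })
}
$result | Format-List

# Flag the conditions that make the HTTPS site fail or that point at a broken renewal
if (-not $result.HasPrivateKey)       { Write-Warning 'Certificate has no private key; TLS cannot use it.' }
if ($result.IisBinding -eq 'MISSING') { Write-Warning 'No IIS https binding on 443 uses this thumbprint.' }
if ($daysLeft -lt 30)                 { Write-Warning "Only $daysLeft days left; check the win-acme renewal task." }
```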

Force Renewal - Optional

Use these steps if you need to force a renewal, for example after settings.json has been changed.

  1. Run wacs.exe with admin privileges from the permanent location

  2. A - Manage renewals

  3. S - Run the renewal (force). This forces the certificate to be re-created with an exportable key.

  4. Q - Quit

  5. Q - Quit

Certificate Monitoring

Let’s Encrypt no longer provides certificate monitoring. For public-facing servers, a third-party monitoring tool can be used.

Red Sift offers free certificate monitoring.
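A minimal external check can also be run from a scheduled task on another machine. The script below is an added example, not from the original guide or from any product it mentions: it performs a TLS handshake against the FQDN (with SNI), reads the certificate actually presented, checks that the name matches and the chain validates, and reports how many days remain. It assumes the host answers on port 443 from where it runs and PowerShell 5.1; $WarnDays is a chosen threshold, and with 90-day certificates fewer than 21 days left means renewal has been missed for some time.

```powershell
# Added example; not from the original guide or any monitoring product it mentions.
# Assumes: FQDN reachable on 443 from this machine, PowerShell 5.1.
function Get-RemoteTlsCertificate {
    # Performs a TLS handshake with SNI set to $HostName and returns the leaf certificate presented.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts whatever is presented so it can be inspected; trust is evaluated
        # separately below with Verify() rather than skipped.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $leaf
    } finally { $tcp.Close() }
}

function Test-TlsEndpoint {
    # Summarises the served certificate as OK / WARN (renewal late) / FAIL (name or chain wrong).
    param([Parameter(Mandatory)][string]$HostName, [int]$WarnDays = 21)
    $cert = Get-RemoteTlsCertificate -HostName $HostName
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $nameOk   = $cert.DnsNameList.Unicode -contains $HostName
    $chainOk  = $cert.Verify()           # builds the chain against this machine's trust store
    [pscustomobject]@{
        HostName   = $HostName
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        NameMatch  = $nameOk
        ChainValid = $chainOk
        Status     = $(if (-not $nameOk -or -not $chainOk) { 'FAIL' } elseif ($daysLeft -lt $WarnDays) { 'WARN' } else { 'OK' })
    }
}

# Run from a scheduled task and route anything other than OK to your alerting
$check = Test-TlsEndpoint -HostName 'myserver.agency.gov'   # replace with your FQDN
$check | Format-List
if ($check.Status -ne 'OK') { Write-Warning "$($check.HostName): $($check.Status), $($check.DaysLeft) days left" }
```

Because the check talks to the public endpoint rather than the local store, it also catches the case where renewal succeeded but the IIS binding still points at the old certificate.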

© 2023 Foray, LLC - All Rights Reserved