Using Let’s Encrypt with IIS on Windows

Motivation:

Why use an SSL/TLS certificate to secure your website?

1. To protect your website users from man-in-the-middle attacks.
2. To ensure the integrity of the data being sent to your website.

Why use a Let’s Encrypt SSL/TLS certificate?

It's FREE.

Tested environment:

  1. Windows Server 2016/IIS 10
  2. win-acme.v2.0.7.315

Procedure:

  1. Log in to the Windows server.
  2. Download the lets-encrypt-winsimple (win-acme) client.
  3. Unzip the files to C:\inetpub\win-acme.v2.0.7.315
  4. Open cmd.exe as Administrator and cd to C:\inetpub\win-acme.v2.0.7.315
  5. Type wacs.exe and press Enter.
  6. Follow the prompts. Select option 5 (Manually input host names) if you want to secure both the naked domain and the www domain with one certificate.
  7. Open Task Scheduler and ensure that a task with the description “Check for renewal of ACME certificates.” has been created.
  8. Open firewall port 443 if needed.
  9. Open the selected site over HTTPS.

Redirecting HTTP to HTTPS in IIS7:

  1. Install the Microsoft URL Rewrite Module if needed.
  2. Make sure Require SSL is NOT checked under SSL Settings for your website.
  3. Copy and paste the following rule between the <rules> and </rules> tags in the web.config file in your website root directory.

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

  4. Open your site over HTTP and confirm that you are redirected to the HTTPS site.

Multiple SSL Certificates per IP Address

  1. You have to use Windows Server 2012 IIS (or later) to get Server Name Indication (SNI) support, which lets you bind multiple SSL certificates to a single IP address.
  2. Repeat the Procedure for each site, then go to the site in IIS, open Bindings, and ensure that the check box Require Server Name Indication is selected and the corresponding SSL certificate is selected.
  3. Please note that SNI does not work with Windows XP clients.
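The following PowerShell script is an added post-install check, not part of the original post or of win-acme. It verifies the outcome of the redirect step, the HTTPS/SNI bindings and the renewal task described above; the host names are constructed placeholders that you replace with your own sites.

```powershell
# Added verification script (not from the original post or win-acme).
# Host names are constructed placeholders: replace them with the sites you secured.
$siteHosts = @('example.com', 'www.example.com')
$renewWarnDays = 30   # Let's Encrypt certificates last 90 days; renewal should happen well before expiry

foreach ($h in $siteHosts) {
    Write-Host "== $h =="

    # 1. Plain HTTP must answer with a redirect to the HTTPS URL of the same host and path.
    #    AllowAutoRedirect = $false makes GetResponse() return the 3xx instead of following it.
    try {
        $req = [System.Net.WebRequest]::Create("http://$h/some/path?x=1")
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
        if (($status -in @(301, 302, 307, 308)) -and ($location -eq "https://$h/some/path?x=1")) {
            Write-Host "  [OK]   HTTP -> $status $location"
        } else {
            Write-Host "  [FAIL] HTTP answered $status, Location '$location' (expected a redirect to https://$h/...)"
        }
    } catch {
        Write-Host "  [FAIL] HTTP request to $h failed: $($_.Exception.Message)"
    }

    # 2. Open a TLS session with SNI set to the host name. AuthenticateAsClient validates the chain
    #    and checks that the certificate matches $h, so a wrong binding or a leftover self-signed
    #    IIS certificate shows up here as an exception rather than a silent pass.
    $tcp = New-Object System.Net.Sockets.TcpClient($h, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($h)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $tag = if ($daysLeft -gt $renewWarnDays) { '[OK]  ' } else { '[WARN]' }
        Write-Host "  $tag TLS $($ssl.SslProtocol), issuer '$($cert.Issuer)', expires $($cert.NotAfter) ($daysLeft days left)"
    } catch {
        Write-Host "  [FAIL] TLS handshake or certificate validation for $h failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

# 3. On the web server itself: confirm the renewal task from step 7 exists and report its last result
#    (LastTaskResult 0 means the last run succeeded).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.Description -like 'Check for renewal of ACME certificates*' } |
        Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}
```

Steps 1 and 2 can be run from any Windows machine that can reach the sites; step 3 only reports something when run on the web server where win-acme created the task.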