Recipe for Let’s Encrypt on Windows 2008 IIS Web Server

windowsserverThis post is part of a series about my experiences moving our library servers and services to Let’s Encrypt for TSL/HTTPS certificates.  This  recipe will be describing how I installed certificates from Let’s Encrypt on a Windows 2008 IIS Web server that hosts two web applications.

  • A Web interface to an Inmagic database for Arctic Health Literature.
  • A search engine powered by DTSearch for the Arctic Health website.

These web applications provide content which is embedded into an external website called Arctic Health which recently moved to HTTPS.  Thus the web applications need to move to HTTPS to avoid insecure-content warnings or blocks.

letsencryptLet’s Encrypt provides both certificates and certbot, a client that makes installing and renewing the certificates as painless as possible for a number of Web servers and operating systems.  Unfortunately, certbot is not available for Windows so we will have to use one of the many many alternative clients.  I selected lets-encrypt-winsimple which does not have as many options as some other clients but is straight forward to use.  If you have a complex IIS server configuration you may want to select a different client.

Get the Client Application

Lets-encrypt-winsimple requires that you have .net framework 4.5 installed.  Our web applications are old and use .net frameworks 2.0.  Luckily you can run multiple versions of .net on the same server without issues.  Lets-encrypt-winsimple scans your IIS server for binds to determine the domain name.  We don’t have a bind for the domain name so we will need to create one.

  • Download and install .net framework 4.5.
Go to https://www.microsoft.com/en-us/download/details.aspx?id=30653
Choose the Download button
Choose the Run button
Make a cup of coffee
  • Add bind for default website in IIS for http to hostname web2.uaa.alaska.edu.
Under Administrative Tools, choose IIS Manager console
Open Internet Information Services (IIS) Manager
In the Connections pane, right click on the Default Web Site
Choose Edit Bindings
    Note: there is already a default binding (http 80 *) that we will leave in place 
    so that access to the server via IP address will still work.
Choose Add and create an additional binding
    Type:http
    Port:80
    IP address:All Unassigned
    Host name: web2.uaa.alaska.edu
  • Download the lets-encrypt-winsimple client
Download command line client letsencrypt-win-simple.v1.9.0
Go to https://github.com/Lone-Coder/letsencrypt-win-simple
Choose Clone or Download button
Choose Download Zip
Unzip the downloaded letsencrypt-win-simple.v1.9.0.zip
Move the letsencrypt-win-simple.v1.9.0 folder to where you want it to live
     In my case I am putting it into the current user folder C:\Users\Admin.

Install Certificates

Lets-encrypt-winsimple is a ACME client built in .net that performs a several tasks:

  • scans IIS bindings for host names;
  • connects to the Let’s Encrypt certificate authority to request certificates;
  • imports the certificate files into the Windows certificate store;
  • creates or update an https binding in IIS;
  • creates a task in Windows Task Schedule that will run each morning and update the certificates automatically every 60 days.

The client is a command line interface and there are a number of available options.

  • Run the lets-encrypt-winsimple client  to install certificates for the domain names defined in IIS (in this case only one, web2.uaa.alaska.edu).
Open a command prompt as administrator
C:\Users\Admin> cd letsencrypt-win-simple v1.9.0
C:\Users\Admin\letsencrypt-win-simple.v1.9.0> letsencrypt.exe
  • Screenshot - 06162016 - 02:03:23 PMAnswer the questions the client will ask and wait for it to finish.
Email address? 
     I put in my email address
Agree to Let's Encrypt terms of registration? 
     Y 
Which hosts do you want to get certificates for? 
     A for all hosts
Install certificates in Windows Certificate store? 
     Y
Add certificates to server software? 
     Y
Schedule automatic renewals? 
     Y
Specify user? 
     Y
Username? 
     admin
Password? 
     wouldn't you like to know
  • Screenshot - 06162016 - 02:57:36 PMTest the certificates to make sure they are installed correctly for each domain.
https://www.ssllabs.com/ssltest/analyze.html?d=web2.uaa.alaska.edu&latest

That’s it, our Web server is now using free HTTPS certificates issued by Let’s Encrypt.  It imported the certificates into the Windows certificate store and created a binding in IIS for https port 443 for host web2.uaa.alaska.edu.

We can now tell the folks managing the Arctic Health website to start using https://web2.uaa.alaks.edu instead of http://137.229.184.12 for embedded content.

Note: When I first ran the ssllabs test, the grade was an F because of the default settings for protocols and ciphers in IIS on Windows 2008.  I used a free, easy-to-use tool called IIS Crypto to tighten things up to a C rating.  Windows 2008 can not get a higher rating because it does not support TLS 1.2, that only became available in Windows 2008 R2 which is a separate product not a free upgrade.  At some point, we will need to upgrade but probably will go to Windows 2012 R2 or the not-yet-released Windows 2016.

Next Post

The next post in the series will be on installing Let’s Encrypt certificates on EZproxy on CentOS 6.