by Mike Robinson
Professor & Head of Systems
University of Alaska Anchorage
This recipe is part of a series about my experiences moving our library servers and services to Let’s Encrypt for TSL/HTTPS certificates. This recipe will be describing how I installed certificates from Let’s Encrypt on a Windows 2008 IIS Web server that hosts two web applications.
- A Web interface to an Inmagic database for Arctic Health Literature.
- A search engine powered by DTSearch for the Arctic Health website.
These web applications provide content which is embedded into an external website called Arctic Health which recently moved to HTTPS. Thus the web applications need to move to HTTPS to avoid insecure-content warnings or blocks.
Let’s Encrypt provides both certificates and certbot, a client that makes installing and renewing the certificates as painless as possible for a number of Web servers and operating systems. Unfortunately, certbot is not available for Windows so we will have to use one of the many many alternative clients. I selected lets-encrypt-winsimple which does not have as many options as some other clients but is straight forward to use. If you have a complex IIS server configuration you may want to select a different client.
Get the Client Application
Lets-encrypt-winsimple requires that you have .net framework 4.5 installed. Our web applications are old and use .net frameworks 2.0. Luckily you can run multiple versions of .net on the same server without issues. Lets-encrypt-winsimple scans your IIS server for binds to determine the domain name. We don’t have a bind for the domain name so we will need to create one.
- Download and install .net framework 4.5.
Go to https://www.microsoft.com/en-us/download/details.aspx?id=30653 Choose the Download button Choose the Run button Make a cup of coffee
- Add bind for default website in IIS for http to hostname web2.uaa.alaska.edu.
Under Administrative Tools, choose IIS Manager console Open Internet Information Services (IIS) Manager In the Connections pane, right click on the Default Web Site Choose Edit Bindings Note: there is already a default binding (http 80 *) that we will leave in place so that access to the server via IP address will still work. Choose Add and create an additional binding Type:http Port:80 IP address:All Unassigned Host name: web2.uaa.alaska.edu
- Download the lets-encrypt-winsimple client
Download command line client letsencrypt-win-simple.v1.9.0 Go to https://github.com/Lone-Coder/letsencrypt-win-simple Choose Clone or Download button Choose Download Zip Unzip the downloaded letsencrypt-win-simple.v1.9.0.zip Move the letsencrypt-win-simple.v1.9.0 folder to where you want it to live In my case I am putting it into the current user folder C:\Users\Admin.
Lets-encrypt-winsimple is a ACME client built in .net that performs a several tasks:
- scans IIS bindings for host names;
- connects to the Let’s Encrypt certificate authority to request certificates;
- imports the certificate files into the Windows certificate store;
- creates or update an https binding in IIS;
- creates a task in Windows Task Schedule that will run each morning and update the certificates automatically every 60 days.
The client is a command line interface and there are a number of available options.
- Run the lets-encrypt-winsimple client to install certificates for the domain names defined in IIS (in this case only one, web2.uaa.alaska.edu).
Open a command prompt as administrator C:\Users\Admin> cd letsencrypt-win-simple v1.9.0 C:\Users\Admin\letsencrypt-win-simple.v1.9.0> letsencrypt.exe
Email address? I put in my email address Agree to Let's Encrypt terms of registration? Y Which hosts do you want to get certificates for? A for all hosts Install certificates in Windows Certificate store? Y Add certificates to server software? Y Schedule automatic renewals? Y Specify user? Y Username? admin Password? wouldn't you like to know
That’s it, our Web server is now using free HTTPS certificates issued by Let’s Encrypt. It imported the certificates into the Windows certificate store and created a binding in IIS for https port 443 for host web2.uaa.alaska.edu.
We can now tell the folks managing the Arctic Health website to start using https://web2.uaa.alaks.edu instead of http://220.127.116.11 for embedded content.
Note: When I first ran the ssllabs test, the grade was an F because of the default settings for protocols and ciphers in IIS on Windows 2008. I used a free, easy-to-use tool called IIS Crypto to tighten things up to a C rating. Windows 2008 can not get a higher rating because it does not support TLS 1.2, that only became available in Windows 2008 R2 which is a separate product not a free upgrade. At some point, we will need to upgrade but probably will go to Windows 2012 R2 or the not-yet-released Windows 2016.
The next recipe in the series will be on installing Let’s Encrypt certificates on EZproxy on CentOS 6.