Today most websites are secured with SSL, which is also good for SEO. Normally we get SSL certificates from a Certificate Authority (CA), so to enable HTTPS for a website hosted on a Windows server we need to get a certificate from a CA. Let’s Encrypt is a certificate authority that provides free SSL certificates for our website names. More details about Let’s Encrypt can be found on their official website.
Let’s Encrypt uses the ACME protocol to verify that we control a given domain name and to issue us a certificate. To get a Let’s Encrypt certificate, we need to choose a piece of ACME client software to use. Note also that Let’s Encrypt certificates are set to expire after 90 days.
One of the most popular ACME clients used to issue SSL certificates from Let’s Encrypt is the Certbot client. It is the only ACME client recommended by Let’s Encrypt. We can also try out the other ACME clients available; there is no issue with that.
Let’s focus on how to install an SSL certificate for a website hosted on a Windows server running IIS.
Make sure IIS is already installed on the server and that a live website has been created through IIS and loads fine from the server. If not, let’s install IIS and create a website in it. In this article we use Windows Server 2019. You can also refer to this article if you have Windows Server 2012 or 2016.
Install IIS in Windows Server 2019
Open Server Manager >> Add Roles and Features >> Click Next
Choose Role-based or feature-based installation.
Choose our server from the server pool.
Choose IIS and confirm the features from the popup window.
Leave the feature and Web Server role selections at their defaults and click Next.
Tick the “Restart the destination server automatically” option in the confirmation window.
This completes the IIS install. Now let’s create a website through IIS.
Create Website In IIS
Open IIS Manager >> Right-click on the server name and click the “Add Website” option.
In the site name field, give our website name. In this article, we gave our sample website name.
Choose the physical path as “C:\inetpub\wwwroot”. You can also choose your desired directory for placing the website files. Normally it will be “C:\inetpub\wwwroot”.
In the hostname field give our website name again. In our case it’s “certbot.supporthost.in”.
Leave the other settings as they are and click the “OK” button.
This concludes the creation of the website through IIS Manager. Now we can test that the website works by creating a test page in the folder “C:\inetpub\wwwroot”, visiting the URL in the browser and making sure the test page loads.
Now it’s time to issue and install SSL for our website. As we said earlier, there are different ACME clients available for issuing Let’s Encrypt SSL for our website.
We discuss two methods in this article. We only have to follow one of them.
- Using certbot ACME client for issuing SSL
- Using letsencrypt-win-simple ACME Client
Installation of certbot ACME client On Windows
Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe.
Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files (x86).
This completes the Certbot install. Now let’s test it.
Open Windows cmd and issue the command “certbot --help”. The result will look like below.
Issue SSL Certificate Using Certbot
Stop the IIS service from IIS Manager or through the Windows Services section.
Issue the command below in Windows cmd:
certbot certonly --standalone --register-unsafely-without-email
Agree to the terms and conditions by typing A.
Enter our domain name.
Certbot will issue the SSL certificate and automatically save it to the location C:\Certbot\live\certbot.supporthost.in\.
Currently, Certbot for Windows cannot automate the installation of this issued SSL certificate in IIS. Future versions will be able to automate it for specific web-server applications. So we need to install this certificate manually through IIS Manager. Start the IIS service again and let’s import this SSL certificate into IIS.
For that we need to convert the PEM-formatted SSL certificate file into a PFX one. PFX is the SSL file type supported by IIS.
We can either use online PEM to PFX converter tools or an openssl command like the one below.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
We are not discussing the conversion steps; we assume that you have the PFX version of the SSL certificate on hand and that it is ready to import through IIS.
Import & Install SSL in IIS
Open IIS Manager and, under the server, click on “Server Certificates”, then click Import.
Browse to our file and leave the other settings as they are.
Click OK. Now you will see the certificate is available in the Server Certificates section.
After that go to our Sites section. Click on Bindings.
Choose the type as “https”.
In the hostname field enter our domain name as “certbot.supporthost.in”.
Choose our certificate from the SSL certificate list.
Tick “Require Server Name Indication”.
This concludes the SSL install. Verify that SSL is working by browsing your website over https in the browser.
Now we can also try implementing SSL using another ACME client for Windows. Follow the steps below for the second method. Otherwise, this concludes the install of Let’s Encrypt SSL on a Windows Server.
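The conversion and import steps above, scripted in PowerShell as an added example (not from the original article): the PEM to PFX conversion runs locally with openssl, so the private key never has to be uploaded to an online converter. It assumes openssl.exe is on PATH, that the IIS site is named after the domain, and Certbot's standard file names privkey.pem, cert.pem and chain.pem in the live folder.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell prompt.
# Assumptions: openssl.exe is on PATH; the IIS site is named after the domain.
Import-Module WebAdministration

$domain  = 'certbot.supporthost.in'
$liveDir = "C:\Certbot\live\$domain"           # Certbot output folder named in the article
$pfxPath = Join-Path $env:TEMP "$domain.pfx"   # temporary PFX, deleted after import

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'

# Hand the password to openssl through an environment variable so it does not
# show up in the process command line.
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
try {
    & openssl pkcs12 -export -out $pfxPath `
        -inkey    (Join-Path $liveDir 'privkey.pem') `
        -in       (Join-Path $liveDir 'cert.pem') `
        -certfile (Join-Path $liveDir 'chain.pem') `
        -passout  'env:PFX_PASS'
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }

    # Import into the machine store; without -Exportable the private key
    # cannot be exported from the store again.
    $cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    # The PFX holds the private key, so do not leave it behind in TEMP.
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}

# First-time install: create the HTTPS binding with SNI (SslFlags 1) if it is
# missing, then attach the imported certificate to it.
$binding = Get-WebBinding -Name $domain -Protocol https -HostHeader $domain
if (-not $binding) {
    New-WebBinding -Name $domain -Protocol https -Port 443 -HostHeader $domain -SslFlags 1
    $binding = Get-WebBinding -Name $domain -Protocol https -HostHeader $domain
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Let's Encrypt certificates expire after 90 days, so report what is left.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
'{0} expires {1:u} ({2} days left)' -f $domain, $cert.NotAfter, $daysLeft
```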
SSL Install Using letsencrypt-win-simple ACME Client
Download letsencrypt-win-simple (A Simple ACME Client for Windows) from the below GitHub repository.
- Once the IIS settings are done, start the steps over from the beginning by executing the command letsencrypt.exe --san; at this point we haven’t got any error in the authorisation result section.
- The certificates got installed, but I got a warning as below.
The HTTP binding is IP specific; the app can create it. However, if you have other HTTPS sites they will all get an invalid certificate error until you manually edit one of their HTTPS bindings. You need to edit the binding, turn off SNI, click OK, edit it again, enable SNI and click OK. That should fix the error. Otherwise, manually create the HTTPS binding and rerun the application. You can see https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/HTTPS-Binding-With-Specific-IP for more information.
- I acknowledged the same by typing “Y” and hitting enter.
- I typed “N” at the field “Do you want to specify the user the task will run as?” and hit enter.
- This successfully completes the SSL install using Let’s Encrypt.
- Hit enter again to exit the app command line.
- Take a look at the below screenshot for the above steps.