LetsEncrypt on IIS
Here's what I needed to do to get the LetsEncrypt client working on IIS (8.5):
- Manually create the .well-known folder, which Let's Encrypt requires to validate your domain. Create it in the root of your site, e.g. C:\inetpub\wwwroot\.well-known (apparently you should create the folder with a trailing period, e.g. ".well-known." - Windows then removes the last period).
- Add a web.config file to the .well-known folder with the following content. This ensures that the challenge files are served as static content and aren't run as a script, and that this particular folder doesn't use any form of Windows authentication:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <!-- Challenge tokens have no file extension; serve them as plain text -->
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/plain" />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <!-- Remove every inherited handler and re-add only the static file handler,
         so nothing under this folder is ever executed as a script -->
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
    <!-- Let's Encrypt fetches the token anonymously. Both authentication elements below are
         locked at server level by default; unlock them (IIS Manager > Feature Delegation,
         or appcmd unlock config) or IIS returns 500.19 for this folder -->
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```
- Run the [LetsEncrypt Windows client](https://github.com/Lone-Coder/letsencrypt-win-simple/releases) (my version is letsencrypt-win-simple.V1.9.6.1). When running it I chose manual setup (item 4 on the menu) and entered my domain name (so for here that would be www.chipshop.co) and the directory path (c:\inetpub\wwwroot). The client should then be able to validate your domain and issue your certificate.
- You will now need to sort out the bindings if you weren't using SSL before this: open IIS Manager, click on your site in the list and select **Bindings...** on the right. Add https on port 443; if you only have one site, leave the rest blank and click OK. It's best to leave http on port 80 running and use a URL redirect to send users to the SSL version.
- You will also need to choose the certificate that was created, I think this is done by clicking your server name in IIS Manager and going to Server Certificates.
- The certificate will last 3 months and the Let's Encrypt client should auto-renew. I'm not sure how automated this will be (on Linux, automated renewal works pretty seamlessly).
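A pre-flight script for the folder and web.config steps above, added here as an example and not part of the original notes or of letsencrypt-win-simple. It creates the challenge folder and web.config from PowerShell, unlocks the two authentication sections that IIS locks by default, then drops a constructed token and fetches it over plain HTTP the way Let's Encrypt will, so a handler, MIME or authentication problem shows up before you run the client. It assumes the site root C:\inetpub\wwwroot and host name www.chipshop.co from the notes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes or from letsencrypt-win-simple. Assumes the site root and
# host name from the notes and an IIS site already answering on port 80 for that host name.
$siteRoot  = 'C:\inetpub\wwwroot'
$hostName  = 'www.chipshop.co'
$challenge = Join-Path $siteRoot '.well-known\acme-challenge'   # where the client writes its tokens
# New-Item accepts a leading period directly; the trailing-dot trick is only needed in Explorer.
New-Item -ItemType Directory -Path $challenge -Force | Out-Null

# Same web.config as in the notes: static content only, extensionless files as text/plain, anonymous.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/plain" />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $siteRoot '.well-known\web.config') -Value $webConfig -Encoding UTF8

# Both authentication elements are locked at server level by default; left locked, IIS answers 500.19.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    & "$env:windir\system32\inetsrv\appcmd.exe" unlock config "-section:system.webServer/security/authentication/$section" | Out-Null
}

# Drop a constructed token and fetch it the way the CA does: plain HTTP on port 80, no file extension.
$token = 'preflight-' + [guid]::NewGuid().ToString('N')
[IO.File]::WriteAllText((Join-Path $challenge $token), 'ok')
try {
    $resp = Invoke-WebRequest -Uri "http://$hostName/.well-known/acme-challenge/$token" -UseBasicParsing
    if ($resp.Content -ne 'ok') { throw "body came back as '$($resp.Content)'" }
    Write-Host "OK: token served with Content-Type $($resp.Headers['Content-Type'])"
} catch {
    Write-Warning "Challenge path not served correctly: $($_.Exception.Message)"
}
Remove-Item -Path (Join-Path $challenge $token) -ErrorAction SilentlyContinue
```

If the fetch warns, fix the folder, web.config or port-80 binding before running the client; a 401 points at the locked authentication sections, a 404 at the handler or MIME mapping.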