Windows Server

Installing a Free Let’s Encrypt TLS/SSL Certificate on IIS Web Server / RDS

By June 10, 2020No Comments

In this post, we will show you how to install and bind a free TLS/SSL Let’s Encrypt certificate for a site on the IIS web server running on Windows Server 2019/2016/2012 R2.

Let’s Encrypt and ACME Clients for Windows

A TLS/SSL certificate of a website allows to protect user data transferred over the public network against man-in-the-middle (MITM) attacks and provide data integrity. Nonprofit certification center Let’s Encrypt allows you to automatically issue free X.509 encryption TLS certificates for HTTPS encryption using the API. Only certificates for domain validation that expire in 90 days are issued (there is a limit of 50 certificates for one domain per week). But you can automatically renew the SSL certificate for your website using simple scheduling.

The Let’s Encrypt API interface to automatically issue the certificates is called Automated Certificate Management Environment (ACME) API. There are 3 most popular ACME API client implementations for Windows systems:

  1. Windows ACME Simple (WACS) is the command prompt tool for the interactive issue an SSL certificate and bind it to a specific site on your IIS web server;
  2. Powershell ACMESharp module – is the PowerShell library with a number of cmdlets to interact with Let’s Encrypt servers over ACME API;
  3. Certify is a Windows graphics tool to manage SSL certificates interactively using ACME API.

WACS Clint to Install Let’s Encrypt TLS Certificate in IIS on Windows Server

The easiest way to get an SSL certificate from Let’s Encrypt is to use the console tool Windows ACME Simple (WACS) (previously this project called LetsEncrypt-Win-Simple). It is a simple wizard that allows you to select one of the websites running on the IIS, automatically issue and bind an SSL certificate to it.

Suppose, you have an IIS website running on Windows Server 2016. Your task is to switch the website to an HTTPS mode by installing a free SSL certificate from Let’s Encrypt.

Download the latest release of the WACS client from the GitHub https://github.com/PKISharp/win-acme/releases (in my case, this is version v2.0.10 – the file name is win-acme.v2.0.10.444.zip).

Windows ACME Simple (WACS) LetsEncrypt clicent download from github

Extract the zip archive to the following directory on the server where IIS is installed: c:\inetpub\letsencryptYou must install the .NET Framework 4.7.2 or higher to use Win-Acme.

wacs.exe

Open the elevated command prompt, go to c:\inetpub\letsencrypt directory and run wacs.exe. This will launch an interactive Let’s Encrypt certificate generation and binding to IIS site wizard. To quickly create a new certificate, select N: – Create new certificates (simple for IIS).

simple acmev2 client - create new certificate for iis on windows server

Next, you need to select the certificate type. In our example, there is no need to use a certificate with aliases (multiple SAN – Subject Alternative Name), so just select an item 1. Single binding of an IIS site. If you need a Wildcard certificate, select the option 3.

Then the utility displays the list of websites running on IIS and prompts you to select a site to issue the certificate for.

select domain to issue ssl certificate

Specify your email address to which notifications about certificate renewing problems and other critical messages and abuses will be sent (you can specify multiple email addresses separated by commas). It remains to agree to the terms of use and Windows ACME Simple will connect to Let’s Encrypt servers and try to automatically generate a new SSL certificate for your website.

email for letsencrypt

The process of generating and installing SSL Let’s Encrypt certificate for IIS is fully automated.

By default, domain validation is performed in the http-01 validation (SelfHosting) mode. To do this, you must have a domain DNS record pointing to your web server. When running WACS in manual mode (full options), you can select the validation type – 4 [http-01] Create temporary application in IIS (recommended). In this case, a small application will be created on the IIS web server through which Let’s Encrypt servers will be able to perform domain validation.
Note – During the TLS/HTTP validation, your site must be accessible from the Internet by its full DNS name over HTTP (80/TCP) and HTTPS (443/TCP) protocols.

The WACS tool saves the private key of the certificate (*.pem), the certificate itself, and a number of other files in the C:\Users\%username%\AppData\Roaming\letsencrypt-win-simple. Then it will install the Let’s Encrypt SSL certificate generated in the background and bind it to your IIS site. If there is an SSL certificate installed on the site (for example, self-signed cert), it will be replaced with a new one.

In IIS Manager, open the Site Binding settings for your website and verify that it uses the certificate issued by Let’s Encrypt Authority X3.

certificate properties Let’s Encrypt Authority X3

This certificate will appear as trusted on your computer if you have updated Windows Trusted Root Certification Authorities.

You can find the Let’s Encrypt IIS certificate in the computer certificate store under Web Hosting -> Certificates.

Web Hosting -> IIS Certificates authorities with Let’s Encrypt

Windows ACME Simple creates a new job in the Windows Task Scheduler (win-acme-renew (acme-v02.api.letsencrypt.org)) to automatically renew the certificate. The task starts every day, and the renewal of the certificate is performed after 60 days. This task runs the command:

C:\inetpub\letsencrypt\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org"

You can use the same command to manually update Let’s Encrypt certificate.

task in sheduler to renew Let’s Encrypt certificate - win-acme-renew

Redirect from HTTP to HTTPS Using the IIS URL Rewrite

To redirect all incoming HTTP traffic to the HTTPS website URL, install the Microsoft URL Rewrite Module (https://www.iis.net/downloads/microsoft/url-rewrite), and make sure that the option Require SSL is disabled in the site settings. Now configure the redirect in web.config with rewrite rules:

<system.webServer>
<rewrite>
<rules>
<rule name=”HTTP to HTTPS Redirect” enabled=”true” stopProcessing=”true”>
<match url=”(.*)” />
<conditions>
<add input=”{HTTPS}” pattern=”off” ignoreCase=”true” />
</conditions>
<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” appendQueryString=”true” redirectType=”Permanent” />
</rule>
</rules>
</rewrite>
</system.webServer>

You can also configure traffic redirect using the URL Rewrite extension through the IIS Manager GUI. Select Sites -> yoursitename -> URL Rewrite.

iis URL Rewrite module

Create a new rule Add Rule -> Blank rule.

Specify a rule name and change the following parameter values:

  • Requested URL: Matches the Pattern
  • Using: Regular Expressions
  • Pattern: (.*)
URL-Rewrite edit inbound rule

In the Conditions section, change the Logical Grouping: Match All and click Add. Specify the following settings:

  • Condition input: {HTTPS}
  • Check if input string: Matches the Pattern
  • Pattern: ^OFF$
url rewrite add conditions

Now in the Action block select:

  • Action Type: Redirect
  • Redirect URL: https://{HTTP_HOST}/{R:1}
  • Redirect type: Permanent (301)

Open a browser and try to open your site with an HTTP address; you should be automatically redirected to the HTTPS URL.

Using Let’s Encrypt Certificates with RDS Gateway & Web Access

If you use RDS Gateway or RDS Web Access to connect external users to the corporate network, you can use the trusted SSL certificate from Let’s Encrypt instead of the self-signed certificate. Consider how to correctly install the Let’s Encrypt certificate to secure Remote Desktop Services on Windows Server. If the RDSH role is also installed on the Remote Desktop Gateway server, you must prevent non-admin users from accessing the directory in which the WACS files (in my example, c:\inetpub\letsencrypt) and the Let’s encrypt certificate and keys (C:\ProgramData\win-acme) are stored.

Then, run wacs.exe on the RD Gateway server, as described above. Select the desired IIS site (usually it is the Default Web Site. Let’s Encrypt will issue you a new certificate and bind it to the IIS website, and the automatic certificate renewal task will appear in the Task Scheduler.

You can manually export this certificate and bind it to the required RDS services through the SSL binding. But you will have to perform these steps manually every 60 days when the Let’s Encrypt certificate is renewed.

We can use the PowerShell script to automatically bind SSL certificate to the RDS Gateway after updating the Let’s Encrypt certificate.

There is a ready PowerShell script in the win-acme project – ImportRDGateway.ps1 (https://github.com/PKISharp/win-acme/tree/master/dist/Scripts), which allows you to install the selected SSL certificate for Remote Desktop Services. The main drawback of this script is that you have to manually specify the thumbprint of the new certificate:

ImportRDGateway.ps1 <certThumbprint>

To automatically get the certificate thumbprint from the specified IIS site, use the modified script ImportRDGateway_Cert_From_IIS.ps1 (based on the ImportRDGateway.ps1).

You can run this script manually:

powershell -File ImportRDGateway_Cert_From_IIS.ps1

If your RDS Gateway runs on the IIS “Default Web Site” with index 0, you can use the script without changes.To get the site ID on IIS, open the PowerShell console and run:

Import-Module WebAdministration
Get-ChildItem IIS:Sites|ft -AutoSize

The ID column shows the index of your site, subtract one from it. The resulting index should be specified instead of 0 in line 27 of the PowerShell script:

$NewCertThumbprint = (Get-ChildItem IIS:SSLBindings)[0].Thumbprint
change rds gateway site index in powershell script

Now open the win-acme-renew scheduler task, and on the Actions tab add a new task that runs the ImportRDGateway_Cert_From_IIS.ps1 script after updating the SSL certificate.

In order not to change the PowerShell execution policy, you can run the script with the command:

PowerShell.exe -ExecutionPolicy Bypass -File c:\inetpub\letsencrypt\ImportRDGateway_Cert_From_IIS.ps1

win-acme-renew - renew cert task and update RDS SSL binding

Now the script for binding the SSL certificate to the RDS will be executed immediately after the Let’s Encrypt certificate is renewed. In this case, the RD Gateway service is automatically restarted with the command:

Restart-Service TSGateway

[aler] When the TSGateway service restarts, all current user sessions are disconnected, so it is recommended to change the frequency of launching the certificate renewal task once every 60 days.[/alert]

Leave a Reply