Using Let's Encrypt SSL Certificates in Internet Information Services (IIS)


Environment

Windows Server
  • Windows Server 2019
Internet Information Services
  • 10.0
win-acme
  • v2.1.16.1

* It should also work with other versions, but this has not been confirmed.

About Let's Encrypt

Communication between a client and a server can be encrypted by the two parties alone, but encryption by itself does not prove to the client that the server it is talking to is the genuine one.

One way to solve this is to have the server present an SSL certificate issued by a third-party certificate authority that vouches for its identity, but commercial certificate authorities almost always charge a recurring fee.

Let's Encrypt, a certificate authority backed by many sponsors, issues SSL certificates free of charge. In this article we obtain a certificate from Let's Encrypt, apply it to a site running on IIS, and enable HTTPS for that site.

The following link is the official homepage (Japanese).

Prerequisites

  • Windows Server is set up
  • Internet Information Services (IIS) is installed and a site has been created
  • You own a domain name
  • The domain name resolves to the target server (a DNS record points at it)
  • The site can be reached over HTTP (port 80) from the Internet; Let's Encrypt validates domain ownership over HTTP, so this is also required for every renewal
  • The firewall allows inbound connections on the HTTPS port (443)

This article uses a site published from an ASP.NET Core application, but the steps are the same for any IIS site regardless of what runs behind it.

Get Win-ACME

SSL certificates always have an expiration date, so they must be renewed periodically.

win-acme is an ACME client for Windows that obtains certificates from Let's Encrypt and takes care of renewing them on a schedule.

There are several downloads to choose from; here we use "win-acme.v2.1.16.1037.x64.trimmed.zip". The version number will differ over time. Builds are provided for arm64, x64 and x86; x64 is the right choice for a typical Windows Server.

Extract the ZIP file into a folder of your choice on the Windows Server. The renewal task that win-acme registers later runs wacs.exe from this folder, so pick a permanent location (for example a folder under C:\Program Files) and do not move or delete it after setup.

Configuring IIS

Some configuration is required on the IIS side before running win-acme.

Open IIS Manager, select the site you want to serve over HTTPS, and click "Bindings..." in the Actions pane on the right.

Select the binding for port 80 and click Edit.

Enter the domain name you acquired in the Host name field. win-acme reads the host names to request from these bindings, so a binding without a host name gives it nothing to certify. If you only want to serve a subdomain, enter that subdomain instead.
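The same binding change can be made from PowerShell with the WebAdministration module. This is an added example and not part of the original article; the site name and domain below are assumptions you must replace with your own.

```powershell
# Added example (not from the original article): give the port 80 binding of an
# IIS site a host name so that win-acme can find a name to request.
# Assumptions: the site is called "Default Web Site" and the domain is www.example.com.
Import-Module WebAdministration

$siteName = "Default Web Site"   # assumption: the IIS site to secure
$domain   = "www.example.com"    # assumption: the domain name you acquired

# A freshly created site usually has the catch-all binding "*:80:" (no host name).
"Before:"
Get-WebBinding -Name $siteName -Protocol http | Select-Object protocol, bindingInformation

# Edit that binding in place, exactly as the Edit dialog in IIS Manager does,
# by setting its HostHeader property.
Set-WebBinding -Name $siteName -BindingInformation "*:80:" -PropertyName HostHeader -Value $domain

# Optional: if the bare domain should be on the certificate too, add a second
# HTTP binding for it (win-acme includes every host name it finds on the site).
# New-WebBinding -Name $siteName -Protocol http -Port 80 -HostHeader "example.com"

"After:"
Get-WebBinding -Name $siteName -Protocol http | Select-Object protocol, bindingInformation
# The second listing should now show "*:80:www.example.com".
```

Run it from an elevated PowerShell prompt on the server; Set-WebBinding needs administrator rights to change the IIS configuration.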

Running Win-ACME

The menus in win-acme change between versions, so if you use a different version, expect some differences from the prompts shown here.

Run "wacs.exe" from the extracted folder as an administrator.

Since we are creating a new certificate, enter "N" (create certificate with default settings).

A list of IIS sites is displayed; enter the number of the target site.

Next, choose which of the site's bindings to include. Unless you need to exclude some host names, "A" (all bindings) is fine.

Enter "y" to confirm.

The terms of service are stored as a PDF in the folder shown; enter "y" to open it. Windows Server has no PDF viewer installed by default, so it is easier to copy the PDF file elsewhere and read it there.

If you agree, enter "y".

Enter an email address if you want to receive notices from Let's Encrypt about your account or certificates. It is optional, but a contact address is recommended.

Setup then runs and completes if no errors are displayed. The window can be closed afterwards.
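The interactive sequence above (N, site number, A, y, y, email) can also be run unattended, which is useful when rebuilding a server from a script. The following is an added example, not code from the original article or from the win-acme project. It assumes win-acme was extracted to C:\Program Files\win-acme, that the site is named "Default Web Site", and that the contact address is yours; the flag names are those documented for win-acme 2.1, so confirm them for your build with .\wacs.exe --help.

```powershell
# Added example (not from the original article): unattended equivalent of the
# interactive win-acme run, from an elevated PowerShell prompt.
# Assumptions: install folder, site name and contact address below.
# Flag names are from the win-acme 2.1 documentation; verify with .\wacs.exe --help.
Import-Module WebAdministration

$wacsDir  = "C:\Program Files\win-acme"   # assumption: where the ZIP was extracted
$siteName = "Default Web Site"            # assumption: the IIS site to secure
$email    = "admin@example.com"           # assumption: contact address for the ACME account

# Look the site ID up by name instead of reading the number off the menu.
$siteId = (Get-Website -Name $siteName).Id
if (-not $siteId) { throw "IIS site '$siteName' not found" }

# Refuse to continue if the HTTP binding carries no host name: win-acme takes
# the names to certify from the bindings, so an empty host header means there
# is nothing to request. (Assumes "*:80:host" style bindings, not IPv6 literals.)
$hosts = (Get-WebBinding -Name $siteName -Protocol http).bindingInformation |
    ForEach-Object { ($_ -split ':')[2] } | Where-Object { $_ }
if (-not $hosts) { throw "Site '$siteName' has no HTTP binding with a host name; set one first" }
"Requesting a certificate for: $($hosts -join ', ')"

Push-Location $wacsDir
try {
    # --target iis    : use the IIS plugin (what menu option N selects by default)
    # --siteid        : the site whose bindings are read (all bindings, like answering A)
    # --accepttos     : same as answering y to the terms of service
    # --emailaddress  : the optional contact address
    # Add --test while debugging: it switches to the Let's Encrypt staging
    # environment, which issues untrusted certificates but does not consume
    # the production rate limits while you fix binding or firewall mistakes.
    .\wacs.exe --target iis --siteid $siteId --accepttos --emailaddress $email
    if ($LASTEXITCODE -ne 0) { throw "wacs.exe exited with code $LASTEXITCODE" }

    # Show the renewal win-acme recorded. The scheduled task it registers runs
    # ".\wacs.exe --renew" from this same folder, which is why the folder must stay.
    .\wacs.exe --list
} finally {
    Pop-Location
}
```

The host-name check before calling wacs.exe is the step most often skipped when scripting this: a site left on the catch-all "*:80:" binding yields an empty selection in win-acme, and the failure is easier to read from the script than from the ACME error that follows.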

When you open Server Certificates in IIS Manager, the new certificate is listed.

Let's Encrypt certificates are valid for 90 days. win-acme renews them automatically; by default it attempts renewal 55 days after issuance.

The renewal task that win-acme registered can be seen in Task Scheduler.

The site bindings in IIS Manager now include an HTTPS binding that win-acme created automatically.

After verifying that the site is reachable over HTTPS, you may delete the HTTP binding if you do not need plain HTTP access. Note, however, that Let's Encrypt validates domain ownership over port 80, so port 80 must still reach this server for automatic renewal to succeed. Redirecting HTTP to HTTPS rather than removing the binding is usually the better choice.

Confirmation

From a browser on another machine, open "https://<domain name>" and verify that the connection succeeds over HTTPS.

Click the lock icon in the address bar to inspect the certificate.
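The checks described in this section and the previous one (the certificate in the store, the renewal task, the HTTPS binding, and the certificate a client actually sees) can be done in one go from PowerShell. This is an added example, not part of the original article; the site name and domain are assumptions, and the TLS handshake at the end validates the chain against the Windows trust store the same way a browser would.

```powershell
# Added example (not from the original article): post-setup checks for a
# win-acme / IIS deployment. Assumptions: site name and public host name below.
Import-Module WebAdministration

$siteName = "Default Web Site"   # assumption: the IIS site that was secured
$domain   = "www.example.com"    # assumption: the public host name on the certificate

# 1. The renewal task win-acme registered in Task Scheduler.
"Renewal task:"
Get-ScheduledTask | Where-Object { $_.TaskName -like "win-acme*" } |
    Select-Object TaskName, State

# 2. Let's Encrypt certificates in the machine store, with days of validity left.
"Certificates in LocalMachine\My issued by Let's Encrypt:"
$leCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*Let's Encrypt*" }
$leCerts | Select-Object Subject, NotAfter,
    @{ Name = "DaysLeft"; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
foreach ($c in $leCerts) {
    # win-acme renews at 55 days by default, so anything under 30 means renewal is failing.
    if (($c.NotAfter - (Get-Date)).TotalDays -lt 30) {
        Write-Warning "Certificate $($c.Subject) expires on $($c.NotAfter); check the renewal task"
    }
}

# 3. The HTTPS binding win-acme created, and which certificate it points at.
"HTTPS bindings on $siteName:"
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName, sslFlags

# 4. A real TLS handshake to the public name, as an external browser would do it.
#    AuthenticateAsClient throws if the chain does not validate or the name does not match.
$tcp = New-Object System.Net.Sockets.TcpClient($domain, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($domain)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Subject  = $remote.Subject
        Issuer   = $remote.Issuer
        NotAfter = $remote.NotAfter
        DaysLeft = [int]($remote.NotAfter - (Get-Date)).TotalDays
        Protocol = $ssl.SslProtocol
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run step 4 from a machine outside your network where possible; a handshake from the server to itself proves little about DNS or the firewall, which are the usual causes of a site that works locally but not for visitors.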