Web Connection User Discussions
Recommendations on SSL certificates
  Russell Campbell
  All
  May 28, 2020 @ 03:46pm

Just looking for some recommendations on good solutions for security certificates. Been needing to add one for a client and they may finally be interested. Just looking for what might be an easy solution to implement.

re: Recommendations on SSL certificates
  Eric Selje
  Russell Campbell
  May 28, 2020 @ 07:21pm

I think Let's Encrypt is your best choice here. The only "downside" is that they need to be auto-renewed every 90 days, which is easily scriptable with a cron job.

re: Recommendations on SSL certificates
  Rick Strahl
  Russell Campbell
  May 29, 2020 @ 03:12pm

Like Eric says.

You can create LetsEncrypt certificates in a few minutes and they can be set up automatically to renew using WinAcme. It's a simple command line tool that handles the entire process for you literally in a few minutes including:

  • Creating the Certificate
  • Installing it to IIS
  • Binding it to one or more host names
  • Setting up the renewal

Here's more info in the Web Connection Deployment White Paper:

Create free TLS certificates with LetsEncrypt and WinAcme

+++ Rick ---

re: Recommendations on SSL certificates
  Russell Campbell
  Eric Selje
  Jun 4, 2020 @ 06:30am

Eric,

I'm sorry for the late reply. I've been quite busy, but I do appreciate the information you've provided. I'll be checking into it. Thanks, again.

re: Recommendations on SSL certificates
  Russell Campbell
  Rick Strahl
  Jun 4, 2020 @ 06:31am

Rick,

Thanks for your reply, also. Sorry to be tardy in my reply.

re: Recommendations on SSL certificates
  Tore Bleken
  Russell Campbell
  Jun 5, 2020 @ 04:59am

Rick, I have spent quite some time now, trying to update my website to use SSL. It's a 64-bit Windows Server 2012 R2 machine with IIS version 8.5. I have installed WACS, and run it as administrator. I don't get any error messages; as far as I can see everything looks normal. But, still "not secure"... Any tips?

re: Recommendations on SSL certificates
  Marcel DESMET
  Russell Campbell
  Jun 5, 2020 @ 11:37am

I use "Certify the Web" https://certifytheweb.com/; it's powered by Let's Encrypt. "The app is free for a limited number of managed certificates per server." I don't remember exactly how many are free, but everything is done in a few seconds and renewal is automatic.

re: Recommendations on SSL certificates
  Tore Bleken
  Marcel DESMET
  Jun 5, 2020 @ 12:58pm

Thank you for the suggestion. I installed it and ran it. The program reported "success", but still no https... Any more suggestions?

re: Recommendations on SSL certificates
  Rick Strahl
  Marcel DESMET
  Jun 5, 2020 @ 01:01pm

Yeah, CertifyTheWeb is great, but it's overkill for what most people need. It's great for bigger orgs that need to organize many certificates. Most people though can do just as well with the command line version of Win-Acme, which is free and just as simple, albeit without the GUI. Pick your site, set a couple of options, and the certificate is created and installed in IIS and the renewals are scheduled.

I manage 15 sites on my server with this and after initial setup it all happens automatically.

+++ Rick ---

re: Recommendations on SSL certificates
  Marcel DESMET
  Tore Bleken
  Jun 6, 2020 @ 03:19am

Tore, I never had any problem with a new config of a site, but I remember some issues with the first use. I think it was because of a previous manual config attempt with another certificate (but I don't remember exactly).

re: Recommendations on SSL certificates
  Tore Bleken
  Rick Strahl
  Jun 6, 2020 @ 03:59am

I just tried Win-Acme once more, but now I receive error 443: not updated because it doesn't seem to match the new certificate! I'm out of ideas. However, I will have my son look into it tonight.

re: Recommendations on SSL certificates
  Rick Strahl
  Tore Bleken
  Jun 6, 2020 @ 12:08pm

It sounds like you may have previously had Acme installed and there may be some residual certificates or configuration perhaps?

If possible I would remove all old certificates from IIS in the IIS administration tool, then try again. If there's old configuration through Let's Encrypt, perhaps from Certify or an old version pre-WinAcme, you might have to clear the local Acme store (you can look at the Acme troubleshooting section on the Web site).

+++ Rick ---

re: Recommendations on SSL certificates
  Russell Campbell
  Rick Strahl
  Jun 29, 2023 @ 03:45am

Well, I guess I should have known better than trying to install this during business hours! I did the Let's Encrypt thing and it has hosed my site and I see no way in their menu to uninstall the certificate. I guess they just thought there'd never be any problems. Also, will a WWWC site just automatically work with HTTPS? Or do I need to enable/change something? I'm still on 5.43. Really need to upgrade. And will it work in interactive mode as well as COM mode? Because I've set up COM mode servers before and run them successfully, but my current server was not cooperating, so I run in interactive mode. Help. I need to get my site back up.

re: Recommendations on SSL certificates
  Russell Campbell
  Russell Campbell
  Jun 29, 2023 @ 06:38am

Ok, I found out what the problem was. The HTTPD.EXE file (Apache Hypertext Transfer Protocol Server daemon) was listening on port 443 (found using "netstat -o -n -a | findstr 0.0:443" from the Command Prompt) and that caused the web site to not start in IIS. Symantec Endpoint Protection was using that and had it running in spite of the fact that I have uninstalled that product in favor of another one. However, it seems remnants are still lurking, so I'm going to use their CleanWipe tool to try to fully eradicate their software. I killed the process and the web site started and began responding.

Bonus: I was wondering how to force a redirect from HTTP to HTTPS and located this page: https://aboutssl.org/iis-redirection-http-to-https/

What it told me to do was not working because earlier I'd chosen Require SSL in the SSL Settings applet in IIS, so it wouldn't allow HTTP at all (to then be redirected to HTTPS). Removed that requirement and it worked fine. Probably old hat to many of you, but I've not messed with HTTPS much.
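A PowerShell diagnostic for the "WACS reported success but the site still says not secure" situation in this thread (an added example, not code from any poster; it assumes a Windows Server with IIS and the WebAdministration module, and `www.example.com` is a placeholder for the site's host name). It walks the three things that were wrong or suspected above: a stray listener on 443, an IIS https binding that points at a stale or missing certificate, and a certificate that does not cover the host name or is near expiry.

```powershell
# Added diagnostic, not from the thread. Assumes IIS with the WebAdministration module.
$HostName = 'www.example.com'   # placeholder: the site's public host name

# 1. Who owns port 443? Another listener (the HTTPD.EXE case above) keeps the IIS site from starting.
$listeners = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    "{0}:{1} is owned by PID {2} ({3})" -f $conn.LocalAddress, $conn.LocalPort, $conn.OwningProcess, $proc.ProcessName
}
if (-not $listeners) { "Nothing is listening on 443: the site is stopped or has no https binding." }

# 2. Which https bindings does IIS have, and which certificate thumbprint does each reference?
Import-Module WebAdministration
$bindings = Get-WebBinding -Protocol https
if (-not $bindings) { "IIS has no https binding at all; WACS normally adds one when it installs the cert." }
foreach ($b in $bindings) {
    "binding {0} -> cert {1} in store {2}" -f $b.bindingInformation, $b.certificateHash, $b.certificateStoreName
}

# 3. Does the referenced certificate exist, cover the host name, and have time left on it?
foreach ($b in $bindings) {
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.certificateStoreName)" |
            Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if (-not $cert) {
        "binding {0} references a thumbprint that is not in the store (stale binding, rebind to the new cert)" -f $b.bindingInformation
        continue
    }
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    "{0}: issued by {1}, expires {2} ({3} days left)" -f $cert.Subject, $cert.Issuer, $cert.NotAfter, $daysLeft
    $sans = $cert.DnsNameList.Unicode
    if ($sans -notcontains $HostName) {
        "  WARNING: {0} is not in the certificate's SAN list ({1})" -f $HostName, ($sans -join ', ')
    }
    if ($daysLeft -lt 30) { "  WARNING: fewer than 30 days left; check that the WACS renewal task actually ran" }
}
```

Run it from an elevated PowerShell; a binding whose thumbprint is missing from the store is the usual reason a browser still shows "not secure" after a successful issuance.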

re: Recommendations on SSL certificates
  Rick Strahl
  Russell Campbell
  Jun 29, 2023 @ 07:18am

https is a core transmit protocol so it 'just' works (or it doesn't if the cert is corrupted or bad). Web Connection doesn't require anything to make https work.

LetsEncrypt is the way to do this - once set up it just works to renew certificates. It's a good idea to every once in a while update the WinAcme software just to make sure to capture changes in the underlying LetsEncrypt protocols with minimal effort. Wait too long and renewals may not work at some point due to protocol changes at the Cert Authority.

Https re-direction: You can use an IIS Rewrite rule in web.config for that (you need to install the IIS Rewrite module for this to work):

  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

Install via Chocolatey:

choco install urlrewrite -y

or install from the IIS Platform Installer.

+++ Rick ---

re: Recommendations on SSL certificates
  Russell Campbell
  Rick Strahl
  Oct 5, 2023 @ 05:11am

Anyone run into this issue when using Let's Encrypt?: "the revocation function was unable to check revocation for the certificate"

This occurs when the user of the hosted web site does something that generates an email. We are using their outlook.com account and it seems MS wants to check the certificate before sending the email, but can't check whether it's been revoked or not.

Research indicates I can use OCSP Stapling on the server to solve this problem and I've tried to set that up, but that did not help (it could be a setup problem with that technology, of course). But this is an arcane area for me and the other research I've done is not yielding much in the way of help. Would appreciate some help, if you're familiar with this problem.

re: Recommendations on SSL certificates
  Rick Strahl
  Russell Campbell
  Oct 5, 2023 @ 06:56am

I think this is unrelated to email, but means that the certificate validation can't create or access the folders needed to create the LE certificates.

If you're using IIS on Windows with the ACME tools, it'll create a folder structure under the root as .well-known to act as a callback, and the files in there have to be accessible over the open internet connection for the Let's Encrypt servers to be able to call back. Depending on what kind of application you're running that may not work (for example, old ASP.NET MVC apps didn't use to work due to the way requests were routed).

The domain has to be publicly available on the Internet and those URLs for validation have to be accessible.

The emailing is just an adjunct to when the certificate assignment fails.

Best thing to do is probably to do a manual certificate update and see the errors that are generated in real time and also check to see what happens with the .well-known folder and files within it.

+++ Rick ---

re: Recommendations on SSL certificates
  Russell Campbell
  Rick Strahl
  Oct 6, 2023 @ 09:19am

Thanks. I see no .well-known folder, but the certificate seems to be working just fine, other than the given problem with email. (And, just out of curiosity, what did you use to format that .well-known text - I was unclear what to pick, though it's not a real big deal for this message.)

re: Recommendations on SSL certificates
  Russell Campbell
  Russell Campbell
  Oct 6, 2023 @ 09:26am

Also, I did the renewals using WACS.EXE and got this:

Plugin IIS generated source xxxxxxx.com with 2 identifiers Plugin Single created 1 order Renewal [IIS] xxxxxxx.com, (any host) is due after 2023/10/17

Plugin IIS generated source xxxxxxx.net with 2 identifiers Plugin Single created 1 order Renewal [IIS] xxxxxxx.net, (any host) is due after 2023/11/23

I'm masking the website names. I'm not totally sure why. In the day of hackers backed by AI, I guess I just want to be cautious.

re: Recommendations on SSL certificates
  Rick Strahl
  Russell Campbell
  Oct 7, 2023 @ 05:48pm

In theory you shouldn't see the .well-known folder - WACS creates and then deletes those folders when the validation is complete. But it has to work. I think these days WACS maps a new virtual and then explicitly copies a web.config into it to ensure that the requests can work, so this should not be a problem - it used to be, though. I had problems with old ASP.NET MVC applications and had to provide custom routing in the app.

As to the inline code in Markdown text:

this is some txt with a `inline code` embedded

this is some txt with a inline code embedded
It's not in the markdown menu in the editor - the code button is for code blocks - but you can manually type the back ticks for inline code.

+++ Rick ---

© 1996-2024