I have previously blogged about how you can get a free SSL certificate from the Certification Authority called WoSign, but they have been misbehaving lately (see details here) and some big companies like Apple, Google and Mozilla are actually considering removing the built-in trust to WoSign in their browsers.
So I decided it’s time to write a new post, this time using the Certification Authority Let’s Encrypt, which also makes it a lot less complicated. But still free!
So what is Let’s Encrypt?
It is a free, automated and open certificate provider. The organization behind Let’s Encrypt is called Internet Security Research Group (ISRG) and they have a lot of official sponsors. Here are a few of the more well-known, which shows that Let’s Encrypt is a serious player on the market and that they should be around for a long time:
Let’s Encrypt is already trusted by most browsers today. To achieve this already in the early stages, Let’s Encrypt’s intermediate Certificate Authorities have been cross-signed by IdenTrust. Eventually, when enough browsers trust Let’s Encrypt natively, they will stand on their own. Read more about the cross-signing here.
The certificate issuance is based on Domain Validation, which means that you have to prove your ownership of a domain name by creating a publicly accessible file under that domain name. You are then allowed to request a free SSL certificate for that domain name. The protocol used is called ACME (not the best name if you ask me, since it makes me think of the cartoon Road Runner).
The validity time of certificates from Let’s Encrypt is shorter, only 90 days instead of the usual 1-3 years for SSL certificates. Read why here. But since re-enrollment is automatic (and free) it should not be an issue.
There are currently over 8.6 million unexpired certificates issued by Let’s Encrypt. See more statistics here.
Update 2016-10-19: Today they reached 10 million!
Update 2017-06-28: They have now issued 100 million certificates (link).
Update 2017-10-20: Let’s Encrypt is the largest issuing CA in the Alexa Top 1 Million!
In this blogpost I chose to go with the ACME client letsencrypt-win-simple. It is limited to IIS but is very simple to use. There are many different clients for different operating systems, web servers and languages that you can choose from.
Note that the certificate will have the Enhanced Key Usages Server Authentication and Client Authentication, which means that it can also be used for other things than web servers, such as VPN servers, email servers, etc.
First the basic setup. I installed a Windows Server 2016 (as an Azure VM, but that is not really relevant here).
I installed the role Web Server (IIS), no other roles or features are needed.
I created a new Web Site called certdemo that points to the folder C:\certdemo:
I configured the site binding to use the host name certdemo.tomdemo.se and port 80. The tool I am using will scan IIS for bindings based on host names, so you need to make sure that the web sites you want to enroll certificates for have a host name configured:
If I browse that URL I can access the site over HTTP:
But if I try to access it over HTTPS it fails, which is expected since no binding or certificate for this exists:
Next, I downloaded the zip-file containing the letsencrypt-win-simple files. The latest version at the time of writing this blogpost was v1.9.1 and is about 4 Mb:
Extract the files from the zip archive. Do not use a temp folder that might be deleted or that is hard to find. The application will be regularly run from that folder going forward (for the automatic re-enrollments). I chose C:\letsencrypt-win-simple:
Note the file letsencrypt.exe.config here, it will be referenced later in this post. It contains some settings that you might want to modify before running the tool. You can search for that file name in this post to find them.
Run letsencrypt.exe as administrator:
Enter an email address that will be used to send notifications if a renewal fails. I have not received ANY unrelated emails or spam to that address:
Agree to the Subscriber Agreement by typing Y (after reading it thoroughly of course):
Now a configuration file and a secret key are created. These will be used for certificate requests going forward. The files are stored in the following location:
Note: This location can be modified by editing the setting CertificatePath in the file letsencrypt.exe.config before running the tool.
Now I type A to get certificates for all hosts (which in my case is only one):
Below you can see the Domain Validation actually being performed for you automatically:
- It receives a Challenge Type http-01
- It writes the challenge answer in a file in a new subfolder called \.well-known\acme-challenge
- It configures IIS to allow that folder to serve files without file extensions
- It submits the answer
- When the challenge answer is validated by Let’s Encrypt it deletes all the files related to this validation:
Note: You can disable the deletion of these temporary authorization files and folders by editing the setting CleanupFolders in the file letsencrypt.exe.config before running the tool.
Now the client performs the following steps:
- It creates a certificate request (the private key is created locally and never leaves your computer)
- It saves the signed certificate
- It saves the certificate of the issuing CA (needs to be installed on the IIS)
- It adds the certificate to the computer’s WebHosting certificate store (can be modified, see later in this post)
- It adds HTTPS binding on the web site, using the new certificate
- It creates a Scheduled Task that will run once a day to see if the certificate is older than 60 days
Note: You can modify how many days after issuance renewal shall occur by editing the setting RenewalDays in the file letsencrypt.exe.config before running the tool. Leaving it at 60 gives you 30 days to troubleshoot before the 90 days are up.
Now it asks for credentials for the scheduled task to run with. Use an account that has NTFS write permission on the web site’s root directory, since it will need to perform a challenge/response on every renewal:
After it has configured the Scheduled Task, I pressed enter and the command prompt closed:
Now we are done.
The result? Going back to the HTTPS version of my web site (that failed before) you can see that it now works, without warnings of any kind:
That’s not too bad, considering it didn’t take long, it will be automatically renewed and did not cost me a single penny.
Behind the scenes
Ok, let’s look at the changes this tool made to the server.
You can see the installed certificate in the Web Hosting certificate store. The Web Hosting certificate store was introduced in IIS on Windows Server 2012 and is similar to the Personal store, but it was designed to support a much higher number of SSL certificates without a noticeable impact on the performance of the server, since certificates here are only loaded into memory on demand.
Note: You can modify in which container the certificate should go into by editing the setting CertificateStore in the file letsencrypt.exe.config before running the tool. You can also manually move/copy the certificate to other certificate stores after it is created.
By double-clicking the certificate you can see that the certificate has a validity time of 90 days:
In IIS Manager you can see the new binding using the default port 443:
and verify that the new certificate is configured:
You can see the created Scheduled Task
and its corresponding action:
You can also see all the files that were created during enrollment:
Note that the certificate (including its private key) is available here. The .pfx version can be imported on any machine you choose. By default, there is no password set on the .pfx (just leave the password field empty when importing). You can set a password to be used for the .pfx file by editing the setting PFXPassword in the file letsencrypt.exe.config before running the tool.
I hope you found this primer on Let’s Encrypt together with IIS useful.
Please test this before performing this in production environments, especially if you use a non-English version of the OS, have multiple web sites and/or use non-default ports.
Let me know if you have any questions.