Free SSL Certificates On IIS With LetsEncrypt

If you have forms on your site that take a user's personal details, you should protect the page by running it under HTTPS. That way, any data that's posted from the form (email address, credit card number etc.) is encrypted and hidden from prying eyes. It's not just e-commerce sites that should be protected: the same applies to intranets and other line-of-business apps that require authentication, blogs with comment forms that ask for email addresses and so on. The main barrier to this in the past has been the cost of the digital certificate (SSL Certificate) that asserts that you are who you say you are. LetsEncrypt is a free, automated, and open Certificate Authority that removes this barrier.

LetsEncrypt is operated by the Internet Security Research Group (ISRG) and is a Linux Foundation Collaborative Project; the Linux Foundation is also responsible for the Linux operating system and Node.js, among other projects. LetsEncrypt is supported by a range of organisations including Mozilla, Chrome, Akamai and Facebook. The certificates that LetsEncrypt issues are recognised by all major browsers, which results in the familiar padlock symbol being displayed on properly secured sites.

Obtaining a certificate

Full details of how LetsEncrypt works can be found on their site. Suffice to say, you need a client program running on your web server that implements the ACME (Automatic Certificate Management Environment) protocol so that it can successfully communicate with LetsEncrypt. A number of these are available. I chose to use letsencrypt-win-simple, which is a command line interface (CLI) client. Despite that, it really is very simple to use. The latest version is 1.9.1 at the time of writing. Here's a step-by-step guide to using letsencrypt-win-simple:

  1. Download and unzip the contents to a folder for later use. I chose C:\LetsEncrypt as a location.
  2. Open the folder, right click on the .exe file and choose Run as Administrator.

  3. Following the onscreen prompts, first provide an email address for renewal failure notifications.
  4. Agree to the terms and conditions.
  5. The application then scans the site bindings in IIS and asks which one you want to get a certificate for.

  6. Enter the number and press Return. Note, if you have more than 50 sites registered with IIS, the screen will paginate the list. In that case, it might be a good idea to make a note of the number of the entry you want to request a certificate for.

And that's pretty much it. The application takes care of obtaining the certificate and storing it. It will also create a scheduled task to request renewals as certificates expire. And it will add new bindings for the site if necessary, defaulting to port 443 for https.

Redirect non-https traffic

One thing that you may want to do is to ensure that all traffic goes to the https version of your site. If you have access to the server (which is the assumption in this article) you should install the IIS Rewrite Module if you haven't already done so, and then add the following to your web.config file:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="HTTP Redirect to HTTPS" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
              <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
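
A variant of the rule above, added here as an example and not taken from the original article or the letsencrypt-win-simple project: a second condition leaves requests for the certificate validation files on plain HTTP, so the file the client writes under .well-known stays reachable when the scheduled renewal runs. The /.well-known/acme-challenge/ path is an assumption based on the standard ACME HTTP validation location; widen the pattern to ^/\.well-known/ if your client writes elsewhere in that folder.

```xml
<system.webServer>
  <rewrite>
    <rules>
      <rule name="HTTP Redirect to HTTPS" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <!-- Both conditions must hold before the redirect fires -->
        <conditions logicalGrouping="MatchAll">
          <!-- Only plain HTTP requests are candidates for the redirect -->
          <add input="{HTTPS}" pattern="off" />
          <!-- Assumed path: do not redirect ACME validation requests,
               which the certificate authority fetches over HTTP -->
          <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Keeping the exclusion limited to the validation folder means every other request, including form posts, is still forced onto HTTPS.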

Summary

This article shows how easy it is to obtain free SSL certificates for your website from LetsEncrypt, using the letsencrypt-win-simple command line tool. A growing number of web hosting companies also support LetsEncrypt, which means that the days of expensive SSL certificates are likely to be numbered.


4 Comments

- Ted Driver

This looks great if you have command line access to your web server - what about those of us on shared plans? Is there any way to get this tool to generate SSL certs for sites hosted on shared servers?

- Mike

@Ted,

No - the tool must run on the server where the site is hosted to be able to generate the verification file that proves that the domain is hosted there. A shared hosting provider is highly unlikely to allow you to run console apps on their servers. That's why I posted a link to the hosting companies who support LetsEncrypt and provide free SSL certificates.

Alternatively, you could write your own ACME client and incorporate it as part of your web application. Here are some starting points:

- Gfw

I have used WinSimple for about the last 9 months - works great. One thing that you want to make sure of is to allow the folder ".well-known" to be accessed by http (not https) or the renewals will fail. .well-known is created by WinSimple as the certificates are created or updated.

- Mike

@Gfw

Thanks for pointing that out. If you use Url Rewriting to force all users to go over to https, you need to add an extra rule in your web.config. It's covered in this issue: https://github.com/Lone-Coder/letsencrypt-win-simple/issues/103
