win-acme Let’s Encrypt IIS
▌Introduction
[Let’s Encrypt] Applying a free SSL certificate to IIS is straightforward.
As an example, we will learn how to use win-acme to create the certificate and a scheduled renewal task for an application on IIS.
▌Environment
▋Windows Server 2016
▋IIS 10
▌Steps
▋Download win-acme
Put the extracted files in %programfiles%\win-acme.
▋Creating new certificate
Run wacs.exe in “Run as Administrator” mode and follow the steps.
PS. Note that if we have already imported an SSL certificate before, we will have to use the “Create new certificate” option.
1. Choose 【Create new certificate (simple for IIS)】 or 【Create new certificate (full options)】
We will use 【Create new certificate (full options)】 to see more options in the steps.
3. Choose which site(s) to scan for domain names, or leave empty to scan all of them.
For example, when I scan all of the sites, it shows the domain names and ports:
And now we can pick one of the bindings or all bindings, as in the last question above.
4. win-acme shows the domain name as the result and asks us for a naming pattern for the certificate file.
5. Choose a way to verify that we are the owner of the domain name.
For example, we can save the verification files to a specified path (they will be removed after verification).
8. Choose one or more steps to update the certificate on the sites (applications).
PS. Note that updating the sites as follows applies only when using “3. Windows Certificate Store”.
For example, selecting 1. will create (if it does not exist) the 443 port binding on the site(s) and bind the new certificate to 443 and the original HTTPS port.
10. Everything is done; win-acme will run the scripts based on the options.
If you encounter an error like the one below:
“Error: Cannot commit configuration changes because the file has changed on disk”, restart the site or IIS and retry.
▋Result
Based on where we chose to store the certificate:
· IIS Central Certificate Store
· Windows Certificate Store
We can find the certificate in:
· The specified directory
· 「Certificate - Local Computer」>>「Web Hosting」>>「Certificates」:
▋Renew schedule or renew manually
▋Renew scheduled task
The certificate-creation process will also set up a scheduled task in Windows Task Scheduler.
The scheduled task’s settings and the when-to-renew settings come from settings_default.json, which is in the root path of win-acme.
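To confirm the result and the renewal task described above from an elevated PowerShell session, the following check can be used. It is an added example, not part of the original post or of win-acme itself; the 30-day threshold and the `*win-acme*` task-name filter are assumptions, and it only covers certificates kept in the Windows Certificate Store (Web Hosting).

```powershell
# Added example: post-issuance check for a win-acme certificate on IIS.
# Run elevated on the IIS server; requires the WebAdministration module.
Import-Module WebAdministration

$warnDays = 30   # assumed alert threshold, align it with your renew settings

# 1. Let's Encrypt certificates in "Certificate - Local Computer > Web Hosting"
$certs = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" }

# 2. Map every HTTPS binding to the certificate it serves, by thumbprint
$report = foreach ($site in Get-Website) {
    $https = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
    foreach ($b in $https) {
        $cert = $certs | Where-Object { $_.Thumbprint -eq $b.certificateHash }
        $daysLeft = $null
        if (-not $cert) {
            # Binding uses another store, another issuer, or no certificate
            $status = 'No matching Let''s Encrypt cert in Web Hosting'
        } else {
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            $status = if ($daysLeft -lt $warnDays) { 'EXPIRING' } else { 'OK' }
        }
        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            Store      = $b.certificateStoreName
            Thumbprint = $b.certificateHash
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}
$report | Format-Table -AutoSize

# 3. Renewal task: state, last result (0 = success) and next run time
#    Assumption: the task created by win-acme has "win-acme" in its name.
Get-ScheduledTask | Where-Object { $_.TaskName -like '*win-acme*' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $_.TaskName
        State      = $_.State
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult
        NextRun    = $info.NextRunTime
    }
} | Format-List
```

A binding reported as EXPIRING while the task shows a recent successful run is a sign that renewal is succeeding but the site is still bound to an older certificate.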
▋Renew manually
1. Open the command line in “Run as Administrator” mode and start win-acme with the argument --force:
$ wacs.exe --force
▋Show Renew history