SSL/TLS for Adams Web
Posted by Diane Hancock on 13 April 2016 05:05 PM
Setting up SSL/TLS for Adams Web
These steps apply to IIS 7 - 8.5.
Create a DNS Entry
Create a DNS entry for the Adams Web server public IP. This is the host name. For example customname.agency.gov.
Open Port 80
In IIS, create a binding for port 80 and the host name from the DNS entry.
In the firewall, open port 80 to all IPs.
These are needed to get the original certificate and for it to be renewed.
Setup a Certificate
Get a certificate from Let's Encrypt using LetsEncrypt-win-simple. LetsEncrypt-win-simple is a free program that creates a certificate that expires every 90 days, configures IIS with the certificate, and sets up a task to automatically renew the certificate every 60 days.
At this point, the certificate should be in the server's certificate store, an IIS binding for port 443 using the certificate and the host name should have been created, and a task should be scheduled to renew the certificate. If any of these is missing, subsequent renewals will not work.
Note: win-acme puts the files related to the certificate under AppData\Roaming\ for the account letsencrypt.exe is run as.
Running it again later under a different account will create a separate, conflicting certificate. This may cause the certificate not to renew. The fix is to remove the certificate from IIS Manager->Server->Server Certificates and then start over.
Configure Adams Web
Require SSL on Adams Web as follows:
Redirect http traffic for Adams Web to https.
Note: LetsEncrypt-win-simple should have created a binding for port 443 using the certificate from the store and the applicable host name. If not, then this needs to be resolved.
Select Restart on the Default Web Site.
Update Firewall Access
Remove the port 80 access from the firewall configuration.
Add port 443 access to the firewall configuration.
If everything is set up correctly, then from IE, trying to access Adams Web using http should fail and accessing Adams Web using https should work without certificate errors.
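The three things the setup step says must be present (certificate in the store, a port 443 binding with the host name that uses it, and a scheduled renewal task) can be checked from an elevated PowerShell prompt on the server. This script is an added example, not part of the original article or of LetsEncrypt-win-simple/win-acme; it assumes the host name from the DNS entry is passed as $HostName, that the IIS WebAdministration module is installed, and that the renewal task name contains "letsencrypt" or "win-acme".

```powershell
# Added check script (example only; not from the article or from win-acme).
# Assumptions: $HostName is the DNS host name, WebAdministration is available,
# and the renewal task's name contains "letsencrypt" or "win-acme".
param([Parameter(Mandatory)][string]$HostName)

Import-Module WebAdministration
$problems = @()

# 1. A certificate for the host name must be in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName -or $_.Subject -eq "CN=$HostName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    "Certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "certificate expires within 30 days; the 60-day renewal may be failing"
    }
} else { $problems += "no certificate for $HostName in Cert:\LocalMachine\My" }

# 2. An https binding on 443 for the host name must exist and use that certificate.
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:443:$HostName" }
if (-not $binding) {
    $problems += "no https binding on port 443 for $HostName"
} elseif ($cert -and $binding.certificateHash -ne $cert.Thumbprint) {
    $problems += "443 binding uses $($binding.certificateHash), not the newest certificate $($cert.Thumbprint)"
}

# 3. A scheduled renewal task must exist and be enabled (name pattern is an assumption).
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -match 'letsencrypt|win-acme' }
if (-not $tasks) { $problems += "no scheduled renewal task found" }
foreach ($t in $tasks) {
    if ($t.State -eq 'Disabled') { $problems += "renewal task '$($t.TaskName)' is disabled" }
}

if ($problems) {
    "FAILED checks (renewal will not work until these are fixed):"
    $problems | ForEach-Object { " - $_" }
    exit 1
}
"All checks passed for $HostName"
```

Run it after the initial certificate is issued and again after each renewal window; an exit code of 1 means one of the items the article lists as required is missing or inconsistent.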
To test the renewal process, from a command prompt run as administrator, in the LetsEncrypt-win-simple directory, type: