SSL/TLS for Adams Web
Posted by Diane Hancock on 13 April 2016 05:05 PM

Setting up SSL/TLS for Adams Web

These steps apply to IIS 7 - 8.5.

Create a DNS Entry

Create a DNS entry for the public IP of the Adams Web server.  This name is the host name used in the steps below, for example customname.agency.gov.

Open Port 80

In IIS, create a binding for port 80 and the host name from the DNS entry.

  1. Select the Default Web Site node
  2. Select Bindings... in the Actions pane
  3. Select Add
    1. Type: http
    2. IP Address: All Unassigned
    3. Port: 80
    4. Host name: name from the DNS entry
    5. Select OK
  4. Select Close
  5. Select Restart in the Actions pane

In the firewall, open port 80 to all IPs. 

Both the port 80 binding and the firewall rule are needed to obtain the original certificate and to renew it later.

Setup a Certificate

Get a certificate from Let's Encrypt using LetsEncrypt-win-simple (the same tool that is now distributed as win-acme).  LetsEncrypt-win-simple is a free program that obtains a certificate that expires every 90 days, configures IIS with the certificate and sets up a scheduled task that automatically renews the certificate every 60 days.

  1. Download win-acme for Let's Encrypt
  2. Unzip to c:\inetpub\win-acme
  3. Open a command prompt window running as administrator (i.e. right click on command prompt and choose "Run as administrator")
  4. Open a command prompt as the actual "administrator" user account (see Note below as to why)
  5. runas /user:<MACHINENAME>\administrator cmd.exe
  6. Enter administrator's password
  7. Change to the win-acme folder
  8. Run letsencrypt.exe without any command line arguments
  9. Type 'N' to create a new certificate and press enter
  10. Type '1' for Single binding of an IIS site and press enter
  11. Under "Which kind of certificate would you like to create?", the host name should appear as one of the options.  If it does not, then perhaps the IIS binding for port 80 does not have a host name.  Don't proceed until this is resolved.
  12. Enter the number for the host name option and press enter
  13. Enter the email address you want to receive failure notices at and press enter.
  14. Enter 'y' to agree
  15. If successful, you should see messages like "Requesting Certificate", "Adding Certificate", "Adding new https Binding"

At this point, the certificate should be in the server's certificate store, an IIS binding for port 443 using the certificate and the host name should have been created, and a task should be scheduled to renew the certificate.  If any of these is missing, subsequent renewals will not work.

Note: win-acme puts the files related to the certificate under AppData\Roaming\ for the account letsencrypt.exe is run as.

Ex: C:\Users\Administrator\AppData\Roaming\win-acme

Running it again later under a different account will create a separate, conflicting certificate. This may cause the certificate not to renew. The fix is to remove the certificate from IIS Manager->Server->Server Certificates and then start over.

Configure Adams Web

In IIS:

Require SSL on Adams Web as follows:

  1. Select AdamsWeb Under Default Web Site
  2. Double click on IIS > SSL Settings
  3. Check the "Require SSL" box
  4. Leave Client certificates set to Ignore
  5. Select Apply in the Actions pane

Redirect http traffic for Adams Web to https.

Note: LetsEncrypt-win-simple should have created a binding for port 443 using the certificate from the store and the applicable host name.  If not, this needs to be resolved before continuing.

Select Restart on the Default Web Site.

Update Firewall Access

Remove the port 80 access from the firewall configuration.

Add port 443 access to the firewall configuration.

Verification

If everything is set up correctly, then from IE, trying to access Adams Web using http should fail and accessing Adams Web using https should work without certificate errors. 

To test the renewal process, from a command prompt run as administrator, in the LetsEncrypt-win-simple directory, type:

letsencrypt.exe --renew
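The checks above can also be scripted. The PowerShell below is an added example, not part of this article or of win-acme; it reports on each item the article says must exist (port 80 and 443 bindings with the host name, the bound certificate in the store, Require SSL on AdamsWeb, and the renewal task). It assumes IIS's WebAdministration module, the site name 'Default Web Site', the application name 'AdamsWeb', Windows Server 2012 or later for Get-ScheduledTask, and that the renewal task's name contains 'win-acme' or 'letsencrypt' (an assumption; adjust the pattern if your task is named differently).

```powershell
# Added post-setup check (example code, not from the article or win-acme).
# Assumptions: WebAdministration module, site 'Default Web Site', application
# 'AdamsWeb', Windows Server 2012+ for Get-ScheduledTask, renewal task name
# containing 'win-acme' or 'letsencrypt'. Run from an elevated PowerShell prompt.
param([Parameter(Mandatory)][string]$HostName)   # e.g. customname.agency.gov

Import-Module WebAdministration
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1. Port 80 binding carrying the host name (needed for issuance and renewal)
$http = Get-WebBinding -Name 'Default Web Site' -Protocol http |
        Where-Object { $_.bindingInformation -eq "*:80:$HostName" }
Add-Check 'Port 80 binding with host name' ($null -ne $http) "$($http.bindingInformation)"

# 2. Port 443 binding carrying the host name (the tool should have created it)
$https = Get-WebBinding -Name 'Default Web Site' -Protocol https |
         Where-Object { $_.bindingInformation -eq "*:443:$HostName" }
Add-Check 'Port 443 binding with host name' ($null -ne $https) "$($https.bindingInformation)"

# 3. The certificate the 443 binding points at must exist in the machine store
$cert = $null
if ($https) {
    $store = if ($https.certificateStoreName) { $https.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $https.certificateHash }
}
$certDetail = if ($cert) { "Subject $($cert.Subject), expires $($cert.NotAfter)" } else { 'not found' }
Add-Check 'Binding certificate present in store' ($null -ne $cert) $certDetail
# Certificates last 90 days and renew at 60; less than 30 days left means renewal is failing
Add-Check 'Certificate valid for more than 30 days' ($cert -and $cert.NotAfter -gt (Get-Date).AddDays(30)) $certDetail

# 4. Require SSL on the AdamsWeb application (sslFlags must contain the standalone 'Ssl' flag)
$ssl = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\AdamsWeb' `
       -Filter 'system.webServer/security/access' -Name sslFlags
$sslText = if ($null -ne $ssl.Value) { "$($ssl.Value)" } else { "$ssl" }
Add-Check 'Require SSL on AdamsWeb' ($sslText -match '\bSsl\b') $sslText

# 5. A scheduled task that performs the renewal (name pattern is an assumption)
$task = Get-ScheduledTask |
        Where-Object { $_.TaskName -like '*win-acme*' -or $_.TaskName -like '*letsencrypt*' }
Add-Check 'Renewal scheduled task present' ($null -ne $task) (@($task.TaskName) -join '; ')

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }   # non-zero exit when anything is missing
```

Run it as `.\Check-AdamsWebTls.ps1 -HostName customname.agency.gov` (file name is your choice); a non-zero exit code means at least one of the items the article lists is missing.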
