Category: Tips & Tricks

This guide explains how to enable a FREE SSL certificate using Let’s Encrypt on a Windows Server running IIS. Specifically, it addresses the challenges of using wildcard certificates for multiple websites with different domains and subdomains.

Scenario:

You have a Windows Server 2019 with IIS 10, a single IP address, and multiple HTTPS websites hosted with different domain names. For subdomains under the same primary domain (like *.example.com), a wildcard certificate works perfectly. However, complications arise when adding websites from different domains, such as mydomain.com.

Initial Setup Example:

IIS 10 hosts the following sites:

• ABC Server (Website)
  • abc.api.example.com – HTTPS @ 443
• ABC Client (Website)
  • abc.example.com – HTTPS @ 443
  • bcd.example.com – HTTPS @ 443
  • cde.example.com – HTTPS @ 443
  • admin.example.com – HTTPS @ 443
• XYZ App (Website)
  • xyz.example.com – HTTPS @ 443
• SEQ (Website)
  • seq.mydomain.com – HTTPS @ 443

Managing these SSL certificates with multiple domain names can be tricky, but Let’s Encrypt simplifies the process.

Steps to Enable Let’s Encrypt SSL on IIS

• Enable IIS and Create the .well-known Folder
  • Follow this guide to create the .well-known directory for SSL validation
    • Create a folder on the C drive named well-known. Inside, create another folder called pki-validation. Example: C:\well-known\pki-validation.
    • Place the required validation file in the pki-validation folder.
    • Open IIS Manager and for each site, right-click and select Add Virtual Directory.
    • In the Alias field, enter .well-known. In the Physical Path field, enter the path to the folder you created, e.g., C:\well-known\pki-validation.
    • Confirm with OK. The folder and files should now be accessible via the web.
• Set Proper Permissions for the C:\well-known\pki-validation Folder
  • Follow this IIS 403 Forbidden solution:
    • Right-click the .well-known folder and select Properties.
      
    • Navigate to the Security tab.
      
    • Click Edit and ensure IIS_IUSRS is listed. If not, click Add
      
    • In the Enter the object names box, type IIS_IUSRS and click OK.
    • Set Read & execute, List folder contents, and Read permissions for IIS_IUSRS.
• Validate DNS Entries for Each Domain/Subdomain
  • Use a tool like Google Dig to validate DNS entries for the following domains:
    • abc.api.example.com
    • abc.example.com
    • bcd.example.com
    • cde.example.com
    • admim.example.com
    • xyz.example.com
    • seq.mydomain.com
• Download and Install win-acme
  • Download win-acme from https://www.win-acme.com.
  • After downloading, unblock the files and extract them to C:\win-acme.
• Run win-acme to Generate SSL Certificates
  • Navigate to C:\win-acme and run win-acme.exe as Administrator.
  • Follow the prompts to select the appropriate site for which you want to generate the SSL certificate.
  • Once complete, your sites will be secured with Let’s Encrypt SSL certificates.

By following these steps, you can manage multiple websites with different domains and subdomains on a single IIS server with Let’s Encrypt SSL certificates, solving the issues typically associated with wildcard certificates for different domains.

Other Resources

• Let's encrypt Windows Client: How to Install Let’s Encrypt Free SSL Certificates on Windows Server
• https://github.com/win-acme/win-acme
• win-acme – IIS Bindings
• certbot – Windows installation procedure
• How to Install Free SSL Certificates for Windows Server 2022 IIS