dotnetco.de

How to use Let’s Encrypt with IIS

Let’s Encrypt is a service that issues SSL certificates for websites for free. It’s supported by organisations and companies like Mozilla, Akamai, the Electronic Frontier Foundation, Cisco and many more. Many hosting providers have already implemented a simple method to request and automatically renew these SSL certificates for free. For the less important of my websites I used StartSSL for a long time without any problems. But since this month, Firefox no longer trusts SSL certificates from StartSSL; see “Distrusting New WoSign and StartCom Certificates” on the Mozilla Blog.

Using Let’s Encrypt with IIS

Rick Strahl has a long article on his website about how to use Let’s Encrypt with IIS. His proposal is to use letsencrypt-win-simple, which is available for free as an open source project on GitHub. Usage is simple: just download the latest release, unzip it and start the exe. It’s a command-line application. On first run you need to enter your email address. Then you’ll see all of your IIS websites and can select the one you want to create a new SSL certificate for.

Website domain not shown in letsencrypt-win-simple

In my case, several websites are listed by letsencrypt-win-simple, but the important one is missing. In such a case, open IIS and check the site bindings for this website. In my case the hostname was empty. With a default IIS setup it’s not necessary to specify a hostname when using SSL, because the SSL certificate is bound to the complete IP address. It was not possible to use multiple SSL certificates on one single IP until SNI was added in IIS 8.0.

So I added the correct hostname and reran letsencrypt-win-simple. Now the website is shown in the selection list as expected. After choosing the website, everything else runs automatically, and finally a new SSL binding has been added to my website.
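The binding check described above can be done for all sites at once. This is an added example, not part of the original post or of letsencrypt-win-simple; it assumes IIS 8 or later with the WebAdministration module and an elevated PowerShell session, and the helper name `ConvertFrom-BindingInformation` is made up for this sketch. It only reads the configuration.

```powershell
# Added example: read-only audit of IIS http/https bindings (changes nothing).
Import-Module WebAdministration

# Hypothetical helper: splits the stored binding string "IP:port:hostname".
# The IP part may be '*' or a bracketed IPv6 address, so match from the right.
function ConvertFrom-BindingInformation {
    param([string]$BindingInformation)
    if ($BindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
        [pscustomobject]@{
            IP       = $Matches.ip
            Port     = [int]$Matches.port
            HostName = $Matches.host
        }
    }
}

$report = foreach ($site in Get-ChildItem IIS:\Sites) {
    foreach ($b in $site.Bindings.Collection) {
        if ($b.protocol -notin 'http', 'https') { continue }
        $parsed = ConvertFrom-BindingInformation $b.bindingInformation
        if (-not $parsed) { continue }
        [pscustomobject]@{
            Site            = $site.Name
            Protocol        = $b.protocol
            IP              = $parsed.IP
            Port            = $parsed.Port
            HostName        = $parsed.HostName
            # sslFlags bit 1 means the https binding uses SNI (IIS 8.0 and later).
            Sni             = ($b.protocol -eq 'https') -and (([int]$b.sslFlags -band 1) -eq 1)
            MissingHostName = [string]::IsNullOrEmpty($parsed.HostName)
        }
    }
}

# Full overview of every http/https binding.
$report | Sort-Object Site, Port | Format-Table -AutoSize

# Sites where no binding carries a host name: the situation described above,
# in which the site did not show up in the selection list.
$report | Group-Object Site |
    Where-Object { -not ($_.Group | Where-Object { -not $_.MissingHostName }) } |
    ForEach-Object { "No host name on any binding: $($_.Name)" }

# https bindings without SNI share one certificate per IP:port.
$report | Where-Object { $_.Protocol -eq 'https' -and -not $_.Sni } |
    ForEach-Object { "https without SNI: $($_.Site) on $($_.IP):$($_.Port)" }
```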
