Finally, the web is really moving to using HTTPS (thank you Google/Chrome!) This change is long overdue, and it will be good to finally be able to eliminate the vulnerability of HTTP.
“But”, cry some customers, “I don’t wanna pay for certificates!”
Bought TLS certificates cost money, and non-technical customers often don’t see any value in them. All they see is cost. If only there were a free alternative.
Good news! LetsEncrypt freely offer free DV certificates for free. That is, in fact, their raison d’être. Bad news – they only last 90 days. Bugger. Our support team really won’t want to have to renew lots of certs every 90 days. If only this could be automated… Wait, it can be!
One of my colleagues mentioned using WinAcme to get/renew certificates with LetsEncrypt, so I thought I’d give it a go. How hard can it be?
I set up a new Azure VM to try this on. I created a new public DNS name.
I also bound my IIS instance’s default site to that specific DNS name.
I then got WinAcme ( https://github.com/PKISharp/win-acme ). I downloaded and unzipped it, and in a command window ran LetsEncrypt.exe. I chose to:
- create a new certificate
- for a single binding to an IIS site
- with a host binding of xxxxxx.eastus.cloudapp.azure.com
- I gave it an email address to alert in the event of an error when renewing certs (<hint> this could be your helpdesk…</hint>)
- Then I agreed to Terms and Conditions…
… and it did its thing. It has:
- Created a file for LetsEncrypt to verify that we own the server
- Got a new certificate
- Installed it into the certificate store
- Added the new certificate’s binding in IIS
- Recorded the next renewal for this cert
- And it’s even set up a Scheduled Task to do renewals!
Voila! My site now supports HTTPS.
WinAcme was less effort than setting up HTTPS on a site by hand. Provided customers are happy with using LetsEncrypt, and assuming renewals work reliably, why would you not use it? Well, some thoughts…
- Dealing with multiple load balanced CD servers. This could get more complicated – they’ll need to share the certificate. It’s not clear to me how this would work.
- This will only work with public site bindings. The LetsEncrypt service must be able to contact your website directly (to check ownership). If you’re working on a non-public site, all bets are off.
- LetsEncrypt only offer Domain Validated (DV) certs. These offer no verification of identity. I could create a site and get a DV cert for angelsandpuppies.com when I am, in fact, Satan. However, traffic to the site would at least be encrypted…
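The two points above that matter operationally are "assuming renewals work reliably" and "DV certs say nothing about identity". A cheap way to keep an eye on both is a scheduled check that connects to the site, reads the served certificate, and reports days to expiry, the issuer and whether the subject is DV-only. The script below is an added example written for this post; it is not part of win-acme and not from the original article. It uses only the Python standard library; the hostname placeholder is the one from the post, the 30-day threshold is an assumption, and the sample certificate dict is constructed to match the layout of `ssl.SSLSocket.getpeercert()` so the script runs offline.

```python
"""Check a live HTTPS endpoint's certificate: days until expiry, who issued it,
which names it covers, and whether it is a plain DV cert (no organisation in
the subject). Meant as a scheduled-task sanity check that renewal happened."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed threshold: win-acme renews well ahead of the 90-day lifetime, so if
# fewer days than this remain, renewal has probably failed and needs a look.
RENEW_WARN_DAYS = 30


def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect with TLS (validating against the system trust store) and return
    the peer certificate in the dict form produced by SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _flatten(rdns):
    """getpeercert() gives names as a tuple of RDNs, each a tuple of (attr, value)."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields an operator wants to alert on."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    return {
        "days_left": days_left,
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "unknown"),
        "names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        # DV certs carry only a CN/SAN; OV/EV certs add organisation fields to the subject.
        "domain_validated_only": "organizationName" not in subject,
        "needs_attention": days_left < RENEW_WARN_DAYS,
    }


# Constructed sample in getpeercert() layout (not a real certificate), shaped like
# a Let's Encrypt DV cert for the hostname placeholder used in the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "xxxxxx.eastus.cloudapp.azure.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "xxxxxx.eastus.cloudapp.azure.com"),),
    "notBefore": "Apr 21 12:00:00 2019 GMT",
    "notAfter": "Jul 20 12:00:00 2019 GMT",
}
SAMPLE_NOW = datetime(2019, 7, 1, 12, 0, tzinfo=timezone.utc)  # 19 days before expiry


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = summarize_cert(fetch_cert(sys.argv[1]))  # live check of a real host
    else:
        report = summarize_cert(SAMPLE_CERT, SAMPLE_NOW)  # offline demo on the sample
    print(report)
    sys.exit(1 if report["needs_attention"] else 0)
```

Run it with a hostname argument from the scheduled task (or your monitoring system) and alert on a non-zero exit code; with no argument it evaluates the constructed sample, which sits 19 days from expiry and so trips the warning. Because `fetch_cert` uses `create_default_context()`, an untrusted or mismatched certificate raises an `ssl.SSLError` rather than being silently summarised, which is the behaviour you want from a check like this.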
All in all, I was quite impressed.