While most global Certificate Authorities (CAs) earn money by selling certificates, LetsEncrypt is a non-profit that gives certificates away for free; its stated mission is to make the internet more secure by making it free and easy to enable secure connections to websites.
Unpack the win-acme.zip file in an appropriate folder.
Open a command prompt in administrator mode.
Navigate the command prompt to the folder where you unpacked win-acme.zip.
shell> wacs.exe : start the Windows ACME Simple (wacs) interactive shell program.
shell> n : choose 'n' for easy mode (easy mode supports only IIS and no wildcards)
shell> <website IIS site identifier> : choose the website to install the certificate on by entering the website's IIS site identifier (in my case '8' for a website called downloadvideo)
shell> a : select which bindings the certificate should cover; even though I only have one binding for this particular website, I still have to select (here I select all bindings).
shell> y : confirm your selection.
shell> y : load 'Terms of service' in your default pdf reader (in my case the Edge browser) if you want to read them.
shell> y : confirm that you agree with the 'Terms of service'.
shell> <your email address> : write the email address at which you want to be notified of any problems regarding this certificate.
Certificate successfully CREATED!
Certificate installed (
In IIS Server Certificates, you can see that the certificate has been added.
Further in IIS you can see that the certificate has been applied to your website.
In addition you can find the certificate on your harddisk here: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
Scheduled task installed (indeed you can find the win-acme certificate update task in the Task Scheduler)
Enforce the secure connection
After installing the certificate and testing that it works, it makes sense to enforce that SSL/TLS is always used, that is: your website should always use https, not http.
Since most users do NOT type the protocol when writing a URL, and browsers may then assume the non-secure protocol, you do NOT want to delete the unsecure http binding (don't delete it).
The best solution is to create a Redirect rule in IIS redirecting all http (unsecure) requests to https (secure) requests; see IIS Redirects for how to implement an http to https (http -> https) redirect.
SAN Certificates
Often we have one or more subdomains, e.g. www, that we also want to secure, and rather than creating a certificate for each and every subdomain, it is more convenient (and more satisfying) to create a single certificate that applies to multiple names (here the main domain and its subdomains): a SAN (Subject Alternative Name) certificate.
Steps to install a LetsEncrypt SSL/TLS SAN Certificate:
Open a command prompt in administrator mode.
Navigate the command prompt to the folder where you unpacked win-acme.zip.
shell> wacs : start the Windows ACME Simple (wacs) interactive shell program.
shell> m : select 'm' for full options (just for fun; the SAN certificate can also be created with the default settings).
shell> 1 : let win-acme read the bindings from IIS.
shell> <website IIS site identifier> : select the website for which to create the SAN certificate (in my case 'webmodelling' having IIS site identifier 2).
shell> a : win-acme shows the bindings for the selected website (here webmodelling.com & www.webmodelling.com). Select 'a' to choose that the SAN certificate should be applied to ALL bindings.
shell> 1 : select which binding you want to show as subject on the SAN certificate (in my case webmodelling.com, so 1).
shell> y : confirm.
shell> <ENTER> : unlike the case of one certificate for one binding, for a SAN certificate win-acme lets you choose HOW to prove ownership. I don't understand the options, so I select the default by pressing Enter.
shell> 2 : select between 2 key formats, I choose the default RSA.
shell> 4 : select where to store the certificate, I don't understand the differences so I select the default "Windows Certificate Store".
shell> 5 : you can select multiple stores for the certificate, but I am happy as it is so I choose "No <additional> store steps".
shell> 1 : I would like to have win-acme create the httpS bindings for me in IIS, so I choose '1'.
shell> n : I don't understand this step, so I choose no.
shell> 4 : no, I don't want to add more steps after the httpS bindings were created - let's get going:
SAN Certificate successfully CREATED
The certificate has been added to IIS Certificates.
In bindings I can see that the httpS bindings have indeed been created and the same certificate is used for both bindings.
In filesystem I can see the certificate file.
Note that a SAN certificate does NOT include any future subdomains (this is clear from the way a SAN certificate is created, but I also tested it). If you add a subdomain and want it included in your SAN certificate, you need to update that certificate.
Wildcard Certificate
A wildcard certificate is (as I understand it, which could easily be wrong) a certificate that applies to a wildcard host header; however, wildcard host headers are only supported from IIS 10, which requires Windows Server 2016 or higher, and since my server is a Windows 2012R2, I cannot test wildcard certificates yet.
Certificate Renewal
Since certificates expire, it is necessary to renew them from time to time.
However, when installing a certificate using win-acme, a certificate update task is automatically added to the Task Scheduler, so it is typically not necessary to renew your certificate manually.
In Task Scheduler, the win-acme task calls wacs.exe with --renew and with --baseuri pointing to the certificate authority that is to do the renewal.
Called with --renew, the WACS program searches the win-acme Config folder, C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\, for .renewal.json files and executes a renewal for each certificate as specified in those .renewal.json files.
Even if win-acme automates the certificate renewal task through Task Scheduler, it does not hurt to know how to manually renew your LetsEncrypt certificates.
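To confirm that the scheduled task really has renewed a certificate, the most direct evidence is the notAfter date inside the certificate file itself. The following Python script is an added example (not from this page and not win-acme's own code) that reads the validity period straight out of a DER certificate with a minimal ASN.1 walk, so it needs no third-party library; `ssl.PEM_cert_to_DER_cert` from the standard library converts a single-certificate .pem first. The certificate it checks is a constructed skeleton with the fields in X.509 order but empty names and no real key, enough to exercise the parser; the 30-day threshold and the check time are assumptions, not win-acme's own settings.

```python
import ssl
from datetime import datetime, timezone


# --- minimal DER helpers -----------------------------------------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short and two-byte long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag: int, value: bytes) -> datetime:
    s = value.decode("ascii")
    if tag == 0x17:                       # UTCTime YYMMDDHHMMSSZ (RFC 5280: YY >= 50 means 19YY)
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        s = f"{year}{s[2:]}"
    elif tag != 0x18:                     # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# --- the check ----------------------------------------------------------------
def certificate_validity(der: bytes) -> tuple:
    """Return (notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body = _children(cert_body)[0]
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def days_until_expiry(der: bytes, now: datetime) -> int:
    return (certificate_validity(der)[1] - now).days


def renewal_overdue(der: bytes, now: datetime, threshold_days: int = 30) -> bool:
    """True when the certificate expires within threshold_days (assumed cut-off)."""
    return days_until_expiry(der, now) < threshold_days


def pem_to_der(pem_text: str) -> bytes:
    """Convert one '-----BEGIN CERTIFICATE-----' block (as in a .pem file) to DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


# --- constructed sample certificate -----------------------------------------
def build_sample_cert(not_before: str, not_after: str) -> bytes:
    """X.509 skeleton with the real field order but empty names and a dummy key/signature."""
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                        # [0] version v3
        _tlv(0x02, b"\x01"),                                    # serialNumber
        _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))),  # sha256WithRSAEncryption OID
        _seq(),                                                 # issuer (empty, constructed)
        _seq(_tlv(0x17, not_before.encode()), _tlv(0x17, not_after.encode())),
        _seq(),                                                 # subject (empty, constructed)
        _seq(),                                                 # subjectPublicKeyInfo (empty)
    )
    return _seq(tbs, _seq(), _tlv(0x03, b"\x00"))                # + signatureAlgorithm, signatureValue


SAMPLE_CERT = build_sample_cert("240101000000Z", "240331235959Z")
CHECK_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)   # assumed "now" for the sample

if __name__ == "__main__":
    print(certificate_validity(SAMPLE_CERT))
    print("days left:", days_until_expiry(SAMPLE_CERT, CHECK_TIME),
          "overdue:", renewal_overdue(SAMPLE_CERT, CHECK_TIME))
```

For a real file, read the .pem from the Certificates folder named on this page, pass it through `pem_to_der`, and call `days_until_expiry` with `datetime.now(timezone.utc)`; if the scheduled task has run, notAfter will have moved forward compared with the previous run.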
Steps to renew a LetsEncrypt SSL/TLS certificate:
Open a command prompt in administrator mode and navigate to your win-acme installation folder.
shell> wacs : start the interactive Cert Client.
shell> a : manage renewals.
shell> d : let's check certificate details to get the certificate friendly names, which we will then use to filter which certificate to renew. The friendly name is "[Auto] [IIS] downloadvideo. <any host>".
shell> <ESC> : since the certificate I am interested in was the first displayed I just press ESC to abort, however otherwise press ENTER until the relevant certificate is displayed.
shell> f : Filter which certificate to use.
shell> 1 : Choose to filter by friendly name.
shell> *downloadvideo* : we can use * to represent any number of any characters to match the friendly name of the certificate we are interested in.
shell> r : renew the selected certificate.
Certificate successfully RENEWED.
Certificate Revocation
Revoking a certificate means that LetsEncrypt adds the certificate to a list of revoked certificates. LetsEncrypt itself states that it is unclear to what extent browsers check LetsEncrypt's revocation list, but to the extent they do, browsers will not accept such a certificate.
LetsEncrypt states that we should only revoke certificates in case of a security breach, e.g. if the private key has been compromised.
Steps to revoke a LetsEncrypt SSL/TLS certificate:
Open a command prompt in administrator mode and navigate to your win-acme installation folder.
shell> wacs : start the interactive Cert Client.
shell> a : manage renewals.
Select the certificate you want to revoke (same as under renewing a specific certificate above)
shell> d : find friendly name of the certificate you want to revoke by scrolling through certificate details. Here the first certificate is the one I want with friendly name "[Auto] [IIS] downloadvideo. <any host>".
shell> <ESC> : I found the friendly name so I can abort, otherwise keep scrolling.
shell> f : Filter which certificate to use.
shell> 1 : Choose to filter by friendly name.
shell> *downloadvideo* : specify the friendly name of the certificate here using * to avoid writing the full name.
shell> v : revoke the selected certificate(s).
shell> well, I am not continuing this time!
If there has been no security breach and you just want to get rid of the certificate, you can delete the certificate instead.
Certificate Deletion
There can be several reasons for deleting a certificate, but the most important ones are likely that you want to use another Cert Client or another Certificate Authority, or, like me, you have just fumbled around and need a good cleanup.
While you can cancel a renewal just by deleting the relevant .renewal.json file in the win-acme Config folder, the certificate still exists on your hard drive and is still present in IIS Certificates (as well as showing up in Certificate Manager and the Registry), which can quickly turn into an obscure mess; therefore it is nice to actually delete a certificate.
What deleting a certificate means:
It does NOT mean that we revoke the certificate (revoking a certificate is telling LetsEncrypt to revoke it, which is only necessary if the private key has been compromised).
It means deleting any traces of the certificate on your computer.
Steps to delete a LetsEncrypt SSL/TLS certificate created with win-acme:
Identify traces of the relevant certificate (here for the webmodelling.com website)
Computer Certificate Manager
Open the computer certificate manager
Open "Web Hosting" > "Certificates" to see a list of all web hosting certificates installed.
IIS Certificates
Open IIS and navigate to "Server Certificates".
In the IIS "Server Certificates" store, we can see all web host certificates.
IIS Website Bindings
In IIS navigate to "Sites" > "<your site>", right click and select "Edit Bindings...".
In the "Site Bindings" dialog select a port 443 entry and click the "Edit" button to reveal the SSL certificate.
win-acme Config folder
Navigate a file explorer to the win-acme Config folder "C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\".
Each .renewal.json file represents a certificate that will be renewed when wacs.exe --renew ... is called. I open each .renewal.json file until I find the relevant one.
In the "\Orders\" subfolder open each .order.json file until you find the relevant one (.order.json contains the certificate request to LetsEncrypt).
The "\Certificates\" subfolder contains the key pairs; however, the .pfx is binary and the .pem is Base64 encoded, so to find the relevant key pair files:
Base64 encode a relevant part of the certificate friendly name, in my case "webmodelling", which in Base64 is "d2VibW9kZWxsaW5n".
Open each .pem file and search for the Base64 encoded string until you find the relevant file.
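The Base64 text search above only works when the name happens to start at a byte offset that is a multiple of three inside the DER data, because Base64 encodes bytes in groups of three; at the other two offsets the same name encodes to different characters and the search finds nothing. The following Python script is an added example (not from this page and not win-acme's own code) that decodes each CERTIFICATE block and searches the decoded bytes instead, so alignment no longer matters. The two sample "PEM" files are constructed stand-ins whose bodies merely embed the hostname and are not real certificates.

```python
import base64
import re
from pathlib import Path


# Constructed stand-ins for .pem files: the bodies are Base64 of made-up byte
# strings that embed the hostname, not real DER certificates.
def _fake_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# hostname at byte offset 0 (a multiple of 3): the Base64 text contains "d2VibW9kZWxsaW5n"
PEM_ALIGNED = _fake_pem(b"webmodelling.com" + b"\x00" * 8)
# hostname at byte offset 2 (not a multiple of 3): same bytes, different Base64 text
PEM_UNALIGNED = _fake_pem(b"\x30\x0c" + b"webmodelling.com" + b"\x00" * 8)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def naive_search(pem_text: str, name: str) -> bool:
    """The text-search shortcut: look for Base64(name) in the PEM text as-is."""
    return base64.b64encode(name.encode("ascii")).decode("ascii") in pem_text


def der_search(pem_text: str, name: str) -> bool:
    """Decode every CERTIFICATE block and look for the name in the DER bytes.

    CN and SAN dNSName values are stored as plain ASCII inside DER, so a
    case-insensitive byte search finds the name at any alignment.
    """
    needle = name.encode("ascii").lower()
    for match in PEM_BLOCK.finditer(pem_text):
        if match.group(1) != "CERTIFICATE":
            continue  # skip PRIVATE KEY blocks etc. that the same file may carry
        der = base64.b64decode("".join(match.group(2).split()))
        if needle in der.lower():
            return True
    return False


def find_certificate_files(folder: Path, name: str) -> list:
    """List the .pem files under `folder` whose certificates mention `name`."""
    return sorted(p for p in folder.glob("*.pem")
                  if der_search(p.read_text(encoding="ascii", errors="ignore"), name))


if __name__ == "__main__":
    for label, pem in (("aligned", PEM_ALIGNED), ("unaligned", PEM_UNALIGNED)):
        print(label, "text search:", naive_search(pem, "webmodelling"),
              "decoded search:", der_search(pem, "webmodelling"))
    # Real use against the Certificates folder named on this page:
    # print(find_certificate_files(
    #     Path(r"C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates"), "webmodelling"))
```

Run as-is, the aligned sample is found by both searches while the unaligned one is found only by the decoded search; on the real folder, `find_certificate_files` returns the .pem files (and hence their .pfx twins of the same base name) for the site you want to clean up.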
Registry ??
I cannot find any Registry entry for win-acme v2 certificates (the old letsencrypt-win-simple ACME v1 client, however, did install Registry entries).
Delete the certificate
Open the Computer Certificate Manager
Navigate to "Web Hosting" > "Certificates", right click on the relevant certificate and click on "Delete" on the shortcut menu.
Confirm that you want to delete this certificate.
The certificate is deleted from the Computer Certificate store.
Open IIS and navigate to IIS Certificates.
The deleted certificate is no longer listed.
Edit bindings for the website(s) that used the certificate.
Select an httpS entry and click the "Edit" button. The SSL certificate is set to "Not selected" since the certificate no longer exists. However, it makes no sense to have an https entry without a certificate.
In the Site Bindings dialog select all httpS entries one at a time and click the "Remove" button. No more invalid httpS bindings.
Navigate a file explorer to the win-acme Config folder
Delete the .renewal.json file found above.
Delete the .order.json file found above in the "\Orders\" subfolder.
Delete the .pem & .pfx pair found above in the "\Certificates\" subfolder.
Certificate is successfully deleted.
Note that even if you have successfully deleted a certificate, browsers may still hold a cached version; however, by deleting the invalid httpS bindings in IIS, you effectively prevent browsers from using any cached version of the certificate.
Also note that LetsEncrypt sets a "rate limit" of 50 new and 5 duplicate certificates per week per registered domain. The duplicate rate limit can quickly become a problem when deleting certificates for a domain for which you then want to create a new certificate (LetsEncrypt rate limit).
Add new name (subdomain) to an existing Certificate
It seems that certificates are read-only and therefore adding a new name to a certificate is NOT possible.
When adding a new subdomain to your DNS, you have 2 options:
Either request a new certificate for that particular subdomain.
Or request a new SAN certificate for the main domain and all its subdomains.
If you choose to request a new SAN certificate from LetsEncrypt, the old certificate will still work (even though the creation process allows you to specify that the old certificate should not be renewed). To keep my certificate collection lean, I always go through the deletion (but not revocation) process for any certificate that I no longer need.
NONCE : a nonce is a word created to be used on a single occasion and then discarded. In cryptography a nonce is typically a random number that is unlikely to be generated more than once, typically with a timeout embedded in the number so the nonce cannot be used later in another session (e.g. an encrypted message without a nonce depositing money into your bank account could be resent multiple times, but with a nonce you can receive the money only once).
PFX : Personal eXchange Format : Contains both public & private key for the associated certificate in a binary format.
PEM : Privacy Enhanced Mail : Contains the certificate in a Base64 encoded ASCII format.
SAN Certificate : Subject Alternative Name : Allows multiple hostnames to be protected by a single certificate.
RSA : Rivest-Shamir-Adleman (initial letters of the surnames of the 3 people who described the algorithm in 1977) : I think the first? publicised public-private encrypting/decrypting method.
Prove to the CA (letsencrypt.org) that my web server controls the domain
The Cert Client prepares a key pair.
The Cert Client asks the CA what it needs to do in order to prove that the server controls the domain.
Based on the domain name, the CA issues one or more challenges for the Cert Client, typically to provide a file on the server that can be requested over http.
The CA also asks the Cert Client to prove it controls the key pair by having the Cert Client sign a nonce with its private key (which the CA can then check using the public key).
The agent completes the challenges and notifies the CA that it is finished (ready for validation).
The CA checks the challenges (typically by downloading the file that the Cert Client saved on an http endpoint), including the signature on the nonce.
If the challenges and the nonce signature pan out, the CA authorizes the Cert Client, identified by its key pair, to send certificate management messages; the key pair is now called an authorized key pair.
Request (and renew and revoke) a certificate for that domain
The agent constructs a PKCS#10 Certificate Signing Request asking the CA to issue a certificate for a specific domain. The CSR includes a signature made with some private key that corresponds to a public key embedded in the CSR. The whole CSR is signed with the private key that the CA has authorized for the domain.
The CA verifies both signatures and if passing, the CA issues a certificate for the domain using the public key from the CSR and sends the certificate to the Cert Client.
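The nonce from the glossary above, the signed messages in the steps just described, and the "JWS has an invalid anti-replay nonce" log line in the error appendix all come together in one mechanism, which the following Python script plays out end to end. It is an added example, not code from this page or from win-acme, of the nonce handling RFC 8555 specifies: the server hands out a fresh nonce in every reply, every signed request must carry one in its protected header, and a nonce is accepted exactly once, so a replayed message or one built with a stale nonce is rejected with the badNonce error and the client simply retries with the nonce returned in that error reply. Because the server tracks the nonces it issued, no clock synchronization between client and CA is involved. The signature uses HMAC purely as a stand-in so that only the standard library is needed; real ACME account keys are RSA or ECDSA, and RFC 8555 forbids MAC algorithms. The URL, payload and key are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyAcmeServer:
    """Server side: issues single-use nonces and checks every JWS against them.

    `mac_key` is a stand-in for the client's registered public key; a real CA
    verifies an RSA/ECDSA signature here instead of an HMAC.
    """

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.valid_nonces = set()

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.valid_nonces.add(nonce)
        return nonce

    def handle(self, jws: dict) -> dict:
        # 1. The signature binds the protected header (and thus the nonce) to the key.
        signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
        expected = b64url(hmac.new(self.mac_key, signing_input, hashlib.sha256).digest())
        if not hmac.compare_digest(expected, jws["signature"]):
            return {"status": 400, "type": "urn:ietf:params:acme:error:malformed",
                    "replayNonce": self.new_nonce()}
        # 2. The nonce must be one this server issued and has not yet consumed.
        protected = json.loads(b64url_decode(jws["protected"]))
        nonce = protected.get("nonce")
        if nonce not in self.valid_nonces:
            return {"status": 400, "type": "urn:ietf:params:acme:error:badNonce",
                    "replayNonce": self.new_nonce()}   # error replies carry a fresh nonce too
        self.valid_nonces.discard(nonce)  # single use: a replay of this JWS now fails
        return {"status": 200, "replayNonce": self.new_nonce()}


def sign_request(mac_key: bytes, nonce: str, url: str, payload: dict) -> dict:
    """Client side: build a flattened JWS whose protected header carries the nonce."""
    protected = b64url(json.dumps({"alg": "HS256", "nonce": nonce, "url": url}).encode())
    body = b64url(json.dumps(payload).encode())
    signature = b64url(hmac.new(mac_key, f"{protected}.{body}".encode("ascii"),
                                hashlib.sha256).digest())
    return {"protected": protected, "payload": body, "signature": signature}


def run_exchange() -> dict:
    """Play the exchange and return the outcome of each request."""
    key = secrets.token_bytes(32)                     # constructed account-key stand-in
    server = ToyAcmeServer(key)
    url = "https://acme.example/new-order"            # constructed endpoint
    order = {"identifiers": [{"type": "dns", "value": "webmodelling.com"}]}

    first = sign_request(key, server.new_nonce(), url, order)
    r1 = server.handle(first)                         # fresh nonce -> accepted
    r2 = server.handle(first)                         # same JWS again -> badNonce
    stale = sign_request(key, "nonce-from-an-old-session", url, order)
    r3 = server.handle(stale)                         # never issued -> badNonce
    recovered = sign_request(key, r2["replayNonce"], url, order)
    r4 = server.handle(recovered)                     # retry with the nonce from the error reply
    tampered = dict(first, payload=b64url(b'{"identifiers": []}'))
    r5 = server.handle(tampered)                      # body changed, signature no longer matches
    return {"fresh": r1["status"], "replay": r2.get("type"), "stale": r3.get("type"),
            "retry": r4["status"], "tampered": r5.get("type")}


if __name__ == "__main__":
    for step, outcome in run_exchange().items():
        print(f"{step:9} {outcome}")
```

The "stale" case is the one a slow walk through the interactive menu produces: the nonce the client picked up earlier is no longer accepted, and a client that does not retry with the Replay-Nonce from the error surfaces it as a failure.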
Appendix : IIS Express Self-Signed Certificate
While Visual Studio will ask you if you want to create a self-signed certificate at least the first time when creating an https app url, it will sometimes NOT work.
For me it has then always worked to recreate that self-signed certificate.
How to re-create a self-signed certificate for IIS Express (also called IIS Express Development Certificate):
Open a command prompt as administrator
Execute the following command: IisExpressAdminCmd.exe setupsslUrl -url:YourAppUrl -UseSelfSigned . E.g. in my case, for developing on topiqs.online, I use https://dev.topiqs.online:443 as the SSL app url: IisExpressAdminCmd.exe setupsslUrl -url:https://dev.topiqs.online:443/ -UseSelfSigned
Chrome & Firefox responses to certificate problems (in case of https) :
No certificate detected :
Chrome : err-connection
Firefox : Secure connection failed
Invalid certificate : (note that both Chrome & FF will evaluate your self-signed certificate as invalid, but once you against their recommendation accept the risk, both Chrome & FF will not alert you again)
Chrome :
Firefox :
How to list all your certificates :
Press Windows+R to open the Run dialog.
Write mmc in the Run dialog and click ok to open the MMC console.
In the MMC console click on the File menu and select "Add/Remove Snap-in".
Find Certificates in the left hand pane and double click on it to select the account for which you want to list certificates and click the Finish button (typically you want "My user account").
If you don't want to add any more snap-ins (e.g. you might want to add snap-ins for the other available accounts), click the OK button in the Add or Remove Snap-ins dialog.
You can now browse all certificates for the account(s) you selected above (if you created an IIS Express Development Certificate using the IisExpressAdminCmd command, you can find the certificate under "Console Root" | "Certificates - Current User" | "Personal" | "Certificates").
Appendix : Common Errors & Solutions
Error 1 : "(Exception): AcmeClient was unable to find or create an account".
Reason :
Navigate a file explorer to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log\ folder.
Open the relevant log file in a text editor.
Investigate the log file for any information related to the error, in my case I had "JWS has an invalid anti-replay nonce".
An invalid anti-replay nonce is likely just a timed-out anti-replay nonce, suggesting I have spent too much time in the certificate creation menu (though I am not sure if the particular nonce used requires clock synchronization between my server and the LetsEncrypt server, in which case that could be the problem).
Solution 1 :
Just restart the certificate creation process and don't pause it to go for a toilet or coffee break; this worked for me.
Solution 2 : (if the above solution is not working - warning: this solution will delete all win-acme installed certificates)
Navigate to your "C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\" folder.
Delete the 2 files :
Registration_v2
Signer_v2
Navigate to your "C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates" folder.
Definitely a problem, but the problem refers to an IP address that makes no sense; anyway, it suggests I should check the DNS settings.
No such strange IP address in the DNS; however, there is an unnecessary URL Redirect record, which I cannot remember why I added, so I deleted it and tested letsdebug again.
It works ! (but I don't understand why)
Reason 2 : The most common reason for this error seems to be that the domain is not globally accessible on port 80, e.g. a firewall is blocking it, another program is listening on port 80, or the request is not properly routed to the webserver.
Solution 1 : In my case I just deleted the offending DNS Url Redirect record and it worked.
Solution 2 : Make sure your domain is globally accessible on port 80.
Popups are required for topiqs.online core functionality - opening a collection of urls in tabs. Here is how to allow popups for topiqs.online in various browsers.
In Chrome you can allow popups for topiqs.online from the right corner of the url-field :
In FireFox you will get a very easy to spot yellow dialog with an options button you can click to allow popups for topiqs.online.
In Edge the option to allow popups for topiqs.online is located at the bottom of the browser window. (Note that the Edge version at the time of writing does NOT allow you to revoke popup permissions once granted.)
In Internet Explorer 11 the option to allow popups for topiqs.online is located at the bottom of the browser window.