According to the Let's Encrypt website:
"Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG)."
According to the Certify The Web documentation:
"Certify The Web (a.k.a Certify) is a Let's Encrypt GUI for Windows, allowing you to request, deploy and auto-renew free SSL/TLS certificates from the letsencrypt.org Certificate Authority"
This document will describe how to install and configure Certify The Web to automate the process of requesting, installing and renewing a server certificate for use on CentreStack.
- CentreStack must be installed. The Certify configuration will require a working web site in order for the "http-01 challenge" process to succeed.
- The CentreStack server must have a fully qualified domain (FQDN) that resolves to a publicly accessible IP address. The Let's Encrypt service will call back to the CentreStack server over TCP 80 to verify the web server's identity. This is part of the "http-01 challenge" process.
- TCP port 80 and TCP port 443 for the CentreStack server's public IP must be port forwarded by the firewall to the private IP address of the CentreStack server.
- TCP port 80 and TCP port 443 must be allowed in the Windows software firewall (this is the default when IIS is installed on Windows).
Install Certify The Web ("Certify")
- Navigate to: https://certifytheweb.com
- Click the download button to download the latest version of Certify:
- Run the installer "as Administrator":
- Accept the license agreement and then click the Next button:
- Leave the default installation path then click the Next button:
- Click the Next button:
- Click the Install button:
- Click the Finish button:
Configure Certify the Web
- Launch Certify The Web,
- The Certify user interface will be displayed. Click the New Certificate button:
- this message will be displayed, click the OK button:
- Enter your email address then click the Yes, I Agree option and the REGISTER CONTACT button:
- In the Certificate Domains property sheet:
- Change the Select Website drop-down to show the Default Web Site,
- Add your fully qualified domain name (FQDN) in the Add domains to certificate text box. In our example screenshots the certificate will be configured for the FQDN "fileshare.acmedrive.com".
- Click the ADD DOMAINS button:
- Once the ADD DOMAINS button was clicked a new row is added to the property sheet to reflect that the subject of the certificate will be the FQDN specified.
Click the Authorization button to proceed to the next property sheet.
- The Domain Authorization sheet requires the Website Root Directory. Start IIS Manager and navigate in the left tree pane to the Default Web Site, then click on the Basic Settings option in the right Actions pane:
- Select the text in the Physical Path text box and copy it to the clipboard:
- Return to the Certify The Web app and in the Domain Authorization property sheet:
- Set the Challenge Type drop-down to: http-01
- Paste the text from the clipboard into the Website Root Directory text box:
Then click the Deployment button to proceed to the next property sheet.
- In the Certificate Deployment sheet:
- Change the Deployment Mode drop-down to Single Site (selected in Domains tab)
- Leave Binding Add/Update as Add or Update https bindings as required
- In the Matching any of section enable Binding hostname not specified (IP only or All Unassigned)
- Leave Auto create/update IIS bindings (uses SNI):
Click the Test button
- Assuming the test completes successfully click the right arrow to collapse the Test Progress pane:
- If the test were successful proceed by clicking the Request Certificate button:
If the test was unsuccessful, see the Troubleshooting section at the end of this article.
- The request process will begin:
- It should complete successfully:
- Click the Settings tab, the defaults are acceptable:
Verify the Certificate Installation
- In IIS Manager, check the bindings for TCP 443. Navigate to the Default Web Site in the left pane and click on Bindings in the Actions pane on the right:
- In the Site Bindings dialog, select the row for https, port 443, then click the Edit button:
- You should see that Certify installed the certificate it obtained and bound it to All Unassigned for TCP port 443:
Click on the View button.
- The certificate information will be displayed. Notice that Let's Encrypt certificate expire in 90 days. This is OK since Certify will renew the certificate every 14 days by default.
Click on the Certification Path tab
- This shows the Certification Path:
- Use a browser on a client PC to verify the certificate is valid for your website:
If the http-01 challenge fails it could be caused by this issue: https://github.com/ebekker/ACMESharp/issues/15
Attempt to navigate to this URL from a browser outside the CentreStack server's network: http://<fqdn>/.well-known/acme-challenge/configcheck
If you receive a 404 error save this text as "C:\Program Files (x86)\Gladinet Cloud Enterprise\root\.well-known\acme-challenge\web.config" as described here: https://github.com/ebekker/ACMESharp/issues/15#issuecomment-231272435