This article describes the procedure for obtaining a wildcard certificate from Let's Encrypt using the Certify The Web application. Before proceeding, review the article Obtaining a Server Certificate from Let's Encrypt Using Certify The Web. The prerequisites described in that article are the same in this scenario.
This scenario is for those cases when an MSP would like multiple fully qualified domain names (FQDNs) to resolve to the same CentreStack host (or cluster). For example, suppose an MSP wanted three different URLs, one for each tenant, all under the same domain (the example names used later in this article are myfiles.acmedrive.com and unifiles.acmedrive.com).
This can be accomplished with a single wildcard certificate for *.acmedrive.com, which covers every host name in that zone, so adding a tenant requires a new DNS record and IIS binding but not a new certificate.
The DNS-provider steps in this article use AWS Route 53 to automate the Let's Encrypt "dns-01 challenge", which is the only challenge type Let's Encrypt accepts for wildcard names. Certify The Web supports other DNS providers and is not limited to AWS Route 53; the IAM steps below are Route 53 specific, the Certify The Web steps are not.
Update IIS Bindings with Server Name Indication
Unlike the simple single server name setup documented in Obtaining a Server Certificate from Let's Encrypt Using Certify The Web, this scenario is complicated by having the same CentreStack IIS web server respond to multiple FQDNs on one IP address and port. This is accomplished by leveraging the Server Name Indication (SNI) feature available in IIS on Windows Server 2012 and later: the client sends the host name in the TLS handshake and IIS selects the matching binding. The host names and SNI settings must be configured before Certify The Web is set up, so that Certify can automatically update those bindings when a new certificate is installed.
- In IIS Manager navigate to the Default Web Site and click Bindings in the Actions pane:
- For each host name that this IIS server will respond to, in the Site Bindings dialog click the Add button.
- In the Add Site Binding dialog:
- In the Type drop-down, select https
- In the IP address leave it as All Unassigned
- In the Port leave it as 443
- Add a Host name applicable to your DNS deployment
- Enable Require Server Name Indication
- Leave SSL certificate as localhost (the self-signed certificate that is installed by IIS):
Click the OK button
- Repeat the Add binding process for each host name.
- The site bindings on the test system used for this article look like this:
- There is one binding entry without a host name, created by the IIS installation, that can be left "as-is":
This is the "default" binding. IIS uses it when the client does not send an SNI host name (older clients, or a connection made directly to the IP address), so it will receive the same certificate as the host-name bindings once Certify The Web has run.
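The same bindings can be created from PowerShell with the WebAdministration module, which is handy when there are many tenants. This is an added example, not part of the original article; the site name, the tenant host names and the CN=localhost subject of the placeholder certificate are assumptions chosen to match the article's example.

```powershell
# Added example (not from the original article). Creates one https binding per
# tenant host name with "Require Server Name Indication" set, attaches the IIS
# self-signed certificate as a placeholder, and lists the result.
# Assumptions: site name, host names and the CN=localhost certificate subject.
Import-Module WebAdministration

$site      = 'Default Web Site'
$hostNames = @('myfiles.acmedrive.com', 'unifiles.acmedrive.com')   # one per tenant

# SslFlags 1 = Require SNI. The pre-existing binding with no host name keeps
# SslFlags 0 and stays the default for clients that send no SNI.
foreach ($h in $hostNames) {
    if (-not (Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $h)) {
        New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' -HostHeader $h -SslFlags 1
    }
}

# Attach the placeholder certificate so each binding is complete until Certify
# The Web replaces it with the Let's Encrypt certificate.
$placeholder = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=localhost' } |
    Select-Object -First 1
if ($null -eq $placeholder) {
    throw 'No CN=localhost certificate in LocalMachine\My; pick another placeholder thumbprint'
}

foreach ($h in $hostNames) {
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $h
    $binding.AddSslCertificate($placeholder.Thumbprint, 'My')
}

# Expect sslFlags = 1 on the host-name bindings and 0 on the default binding
Get-WebBinding -Name $site -Protocol https |
    Select-Object bindingInformation, sslFlags
```

Run it in an elevated PowerShell on the CentreStack server. The final listing is the check to keep: a host-name binding that shows sslFlags 0 was created without SNI and will collide with the default binding on port 443.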
Configure AWS Route 53
This procedure creates an AWS IAM user whose only permission is to update DNS records in a single hosted zone (domain). The access key for this user will be stored on the CentreStack server by Certify The Web, so limiting it to one zone bounds the damage if that key is ever exposed.
- In the AWS Route 53 console, click on Hosted Zones on the left pane, then click on the radio button of the domain that will host the DNS record for the Let's Encrypt "dns-01 challenge". The Hosted Zone Details pane will be displayed.
- Select the text in the Hosted Zone ID field and copy it to the clipboard
- Save the attached Route53Policy.json file and open it in a text editor like Visual Studio Code.
- Replace the text <your_zone_id> with the Hosted Zone ID in the clipboard.
- Select all of the text in the editor and copy it to the clipboard.
- In the AWS IAM portal create a custom IAM policy.
- Click on the JSON tab and paste the text from the editor into the browser.
- Make sure the policy in the browser matches the text in your text editor. It will look similar to this:
- Click the Review Policy button.
- Give the policy a Name and Description:
- Click the Create Policy button.
- Click the Users option in the left pane of the AWS IAM console then click the Add user button.
- Give the user a descriptive name and ensure that only Programmatic access is allowed, then click the Next: Permissions button:
- Click the Attach existing policies directly button and select the IAM policy that was created earlier in this process, then click the Next: Review button:
- Click the Create user button:
- Click the Download .csv button:
- The downloaded .csv file contains the Access Key ID and Secret Access Key that Certify The Web will use to call Route 53 as this IAM user. The secret is shown only at creation time and cannot be retrieved later. Store both values in a password vault such as LastPass, delete the .csv, and if the key is ever exposed deactivate it in the IAM console and create a new one.
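The same policy, user and access key can be created with the AWS CLI, which also makes it easy to prove the user is confined to the one zone. This is an added example, not part of the original article or of the attached Route53Policy.json (which is not reproduced on the page; compare it with the policy below). The zone ID, policy name, user name and the action set are assumptions; the actions listed are the usual minimum for a dns-01 client: ListHostedZones to find the zone, ChangeResourceRecordSets and ListResourceRecordSets restricted to that zone, and GetChange to wait for the change to become INSYNC.

```powershell
# Added example (not from the original article). Writes a Route 53 policy scoped
# to one hosted zone, creates the IAM user with the AWS CLI, and checks that the
# user is denied in any other zone. Assumptions: zone ID, names, action set.
$zoneId     = 'Z0123456789ABCDEFGHIJ'   # placeholder: paste the Hosted Zone ID from the Route 53 console
$policyName = 'CertifyRoute53-acmedrive'
$userName   = 'certify-route53'

$policy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverZonesAndPollChanges",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "EditRecordsInThisZoneOnly",
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/$zoneId"
    }
  ]
}
"@

# Write without a BOM so the CLI parses the JSON cleanly
$policyFile = Join-Path $PWD 'Route53Policy.json'
[System.IO.File]::WriteAllText($policyFile, $policy, [System.Text.UTF8Encoding]::new($false))

# Create the policy, the user, and the programmatic credentials
$policyArn = aws iam create-policy --policy-name $policyName `
    --policy-document "file://$policyFile" --query Policy.Arn --output text
aws iam create-user --user-name $userName | Out-Null
aws iam attach-user-policy --user-name $userName --policy-arn $policyArn

# Negative check: the same action against a different zone must be denied.
# 'ZOTHERZONEPLACEHOLDER' is a made-up ID; any zone other than $zoneId will do.
$userArn = aws iam get-user --user-name $userName --query User.Arn --output text
aws iam simulate-principal-policy --policy-source-arn $userArn `
    --action-names route53:ChangeResourceRecordSets `
    --resource-arns 'arn:aws:route53:::hostedzone/ZOTHERZONEPLACEHOLDER' `
    --query 'EvaluationResults[].EvalDecision' --output text   # expect: implicitDeny

# Prints AccessKeyId and SecretAccessKey once; paste them into Certify's stored
# credential and a password vault. The secret cannot be retrieved again.
aws iam create-access-key --user-name $userName `
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
```

Route 53 also offers IAM condition keys that restrict ChangeResourceRecordSets to particular record types and names; if you want to go further than the article's zone-level scope, those can confine the user to TXT records at the _acme-challenge name. Check the exact key names and name format in the Route 53 IAM documentation before relying on them, since a mismatch silently blocks issuance.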
Install and Configure Certify The Web
- For each tenant FQDN, create a DNS CNAME record that resolves to the actual FQDN host record (DNS A record) of the CentreStack server. Test that each CNAME resolves to the CentreStack server's address before continuing; a name that does not resolve will not be served even after the certificate is installed.
- Install Certify the Web (see Obtaining a Server Certificate from Let's Encrypt Using Certify The Web for step-by-step instructions).
- In the Certify The Web (Certify) application, click New Certificate:
- In the Certificate Domains property sheet:
- Click the Show Advanced Options check box.
- Change the Select Website drop down to Default Web Site
- Type the name of your wildcard domain (for example *.acmedrive.com) in the Add domains to certificate text box
- Click the ADD DOMAINS button:
- Click OK:
- Click Yes:
- Click the Authorization button to proceed to the next property sheet:
- In the Domain Authorization sheet:
- In the Domain Match text box enter your wildcard domain name.
- Change the Challenge Type drop-down to dns-01
- Change the DNS Update Method to Amazon Route 53 DNS API (for this example; your DNS provider may be different).
- Click the NEW button to the right of the Credentials drop-down:
- In the ADD/UPDATE STORED CREDENTIAL dialog:
- Change the API Provider Type drop-down to Amazon Route 53 DNS API
- In the Credential Name text box enter a name for the stored credential. Using the IAM user name is convenient for later audits, but the value is arbitrary and does not need to match.
- In the Access Key text box enter the Access Key ID for the IAM user created earlier in this procedure.
- In the Secret Access Key text box enter the Secret Access Key of the IAM user that was created earlier:
Click the SAVE button.
- Back in the Domain Authorization sheet, click the ellipsis button, then click the Select Zone drop-down. Select the zone in which the Let's Encrypt challenge record will be created and updated:
- Verify that the Zone Id in the DNS Zone Id text box matches the Zone Id in the IAM policy that was created earlier in this process:
- Click the Deployment button to proceed to the next sheet
- In the Certificate Deployment sheet:
- Set the Deployment Mode drop-down to Single Site (selected in Domains tab). This translates to "update the Default Web Site".
- Leave the Binding Add/Update drop-down as Add or Update https binding as required.
- In the Matching any of options enable both:
- Existing binding hostname matches certificate domains
- Binding hostname not specified (IP only or All Unassigned)
- Leave the Auto create/update IIS binding (uses SNI) enabled:
- Click the Preview button and review the actions that will be taken:
- Click the Save button
- Click the Test button:
- The Test may take some time. Certify writes a TXT record named _acme-challenge under the wildcard's base domain and waits for it to be visible in DNS before asking Let's Encrypt to validate; Route 53 changes usually propagate within about a minute, but Certify may poll for longer. If the test fails, confirm with a public resolver that the TXT record actually appeared, and re-check the IAM policy's zone ID.
- The Test should be successful, if it is click the right arrow to collapse the Test pane:
- If the test was successful click the Request Certificate button.
- Click the Settings tab:
- Click the Configure Auto Renew button
- Configure Auto Renewal to run as a background service:
- Back in the IIS Manager bindings, verify that each binding for TCP 443 shows the new certificate. For example:
- "Default" (when no SNI is set by the browser):
- When the SNI "myfiles.acmedrive.com" is set (for this example):
- When the SNI is set to "unifiles.acmedrive.com":
- In a client browser navigate to all three server names (the A record and the two CNAME records). Each should show a valid certificate issued by Let's Encrypt for *.acmedrive.com with no browser warning.
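The browser check can be scripted so it is repeatable after each renewal. This is an added example, not part of the original article; it opens a TLS session to each name with that name as the SNI host, so it exercises the same binding selection the browser does. The zone name, the server's A-record name and the tenant CNAMEs are placeholders for the article's acmedrive.com example.

```powershell
# Added example (not from the original article): verify DNS and the served
# certificate for every name from a client machine. Assumptions: zone name,
# the server's A-record name and the tenant CNAME names below.
$zone        = 'acmedrive.com'
$serverFqdn  = 'cs1.acmedrive.com'                                   # A record of the CentreStack host
$tenantFqdns = @('myfiles.acmedrive.com', 'unifiles.acmedrive.com')  # CNAMEs -> $serverFqdn

function Test-TenantCname {
    # True when $Fqdn is a CNAME that points at the CentreStack A record
    param([string]$Fqdn, [string]$Target)
    $rec = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'CNAME' }
    return [bool]($rec -and ($rec.NameHost -eq $Target))
}

function Get-ServedCertificate {
    # Opens a TLS session with $Fqdn as the SNI host name and returns the leaf
    # certificate IIS selected for that binding.
    param([string]$Fqdn, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept any chain here; we inspect the result separately, we do not trust it
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($Fqdn)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-WildcardCert {
    # Issuer is Let's Encrypt, chain builds to a trusted root, not close to
    # expiry, and the Subject Alternative Name carries the wildcard entry.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Zone)
    $san = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    $ok  = ($Cert.Issuer -like "*Let's Encrypt*") -and
           $Cert.Verify() -and
           ($Cert.NotAfter -gt (Get-Date).AddDays(14)) -and   # auto-renew should have run well before this
           ($san -match [regex]::Escape("DNS Name=*.$Zone"))
    return [bool]$ok
}

foreach ($name in $tenantFqdns) {
    "{0,-28} CNAME -> {1}: {2}" -f $name, $serverFqdn, (Test-TenantCname $name $serverFqdn)
}
foreach ($name in (@($serverFqdn) + $tenantFqdns)) {
    $cert = Get-ServedCertificate $name
    "{0,-28} {1}  expires {2}  OK={3}" -f $name, $cert.Subject,
        $cert.NotAfter.ToString('yyyy-MM-dd'), (Test-WildcardCert $cert $zone)
}
```

A name that reports the self-signed localhost subject here is one whose SNI binding Certify did not update, usually because the host name in IIS does not match the one in DNS exactly.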