Let's Encrypt (https://letsencrypt.org/) is a new digital certificate authority (CA), led and developed by the Internet Security Research Group (ISRG). The project aims to build a free, open, automated CA suite and to provide free certificate issuance to the public, reducing the financial, technical and educational costs of secure communication. Over the past year ISRG drew up the ACME protocol and, for the first time, implemented a suite of applications that use it: the server-side Boulder and the letsencrypt client.
Currently LE's certificates are trusted by all browsers (Windows XP can also be supported), and the browser address bar shows a green trusted indicator. A certificate is valid for 90 days after installation, so we need to renew it on a regular basis.
I had previously deployed Let's Encrypt on Linux, where a direct yum install of certbot-auto is all it takes. Today I needed to deploy it on Windows Server 2008 R2 + IIS 7.5. The first thing I tried was:
ACMESharp: https://github.com/ebekker/ACMESharp
There are two ways to install ACMESharp:
1. If your server's PowerShell version is 5.0 or higher, open PowerShell as Administrator and run:
PS> Install-Module -Name ACMESharp
to install ACMESharp. The installation depends on network conditions; if the server can use a VPN, install through it, otherwise just retry a few times.
2. If your server's PowerShell version is 3.0 or 4.0, you first need to install the Chocolatey command-line package manager from PowerShell and then use Chocolatey to install ACMESharp.
Run in PowerShell:
PS> iex ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
to install the Chocolatey command-line package manager, then run:
PS> choco install acmesharp-posh-all
First you have to check which version of PowerShell you have. Run PowerShell as Administrator and enter:
PS> Get-Host

Name             : ConsoleHost
Version          : 5.1.14393.1532
InstanceId       : 1e00ccb9-a961-4c81-89ed-b22bc1f280c4
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : zh-CN
CurrentUICulture : zh-CN
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

This is the result on my own Windows 10 machine; the Version line shows the version. Windows Server 2008 R2 ships with version 2.0, so to make the installation easier I decided to upgrade PowerShell.
Upgrading takes three simple steps:
1. Install .NET Framework 4.6.2: download NDP462-KB3151800-x86-x64-AllOS-ENU.exe and install it.
2. Install PowerShell 4.0 (5.0 depends on 4.0): download Windows6.1-KB2819745-x64-MultiPkg.msu and install it.
3. Install PowerShell 5.0: download Win7AndW2K8R2-KB3134760-x64.msu and install it.
Restart the server to complete the upgrade.
With ACMESharp installed, let's apply for a Let's Encrypt certificate:
Open PowerShell as Administrator.
Step one: import the ACMESharp module
PS> Import-Module ACMESharp
I got an error here: the script could not be run because script execution is disabled on the system. Workaround:
PowerShell's default security settings disable script execution, so you need administrator privileges to enable it.
Enable: Set-ExecutionPolicy RemoteSigned
Disable again: Set-ExecutionPolicy Restricted
Step two: initialize the ACME vault, which stores and manages the certificate information
PS> Initialize-ACMEVault
Step three: fill in your registration information with LE and accept the terms of service
PS> New-ACMERegistration -Contacts mailto:[email protected] -AcceptTos
Step four: create an identifier for the domain you want to apply for
PS> New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
Step five: prove ownership of the domain name
If the web server is IIS, run:
PS> Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler iis -HandlerParameters @{WebSiteRef = 'Default Web Site'}
If it is a different web server, such as Nginx, that needs to be configured by hand, run:
PS> Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual

== Manual Challenge Handler - HTTP ==
  * Handle Time: [1/12/2016 1:16:34 PM]
  * Challenge Token: [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
  * HTTP URL: [http://myserver.example.com/.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Path: [.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Content: [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0.H3URk7qFUvhyYzqJySfc9eM25RTDN7bN4pwil37Rgms]
  * MIME Type: [text/plain]
------------------------------------

After it runs, look at the result it returned: when the next step is performed, the LE server will request this address from your server:
http://myserver.example.com/.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0
and the text content returned must be:
2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0.H3URk7qFUvhyYzqJySfc9eM25RTDN7bN4pwil37Rgms
A .well-known folder may not be creatable directly in Windows Explorer; create it from the command line instead.
Once that is ready, let's move on to the next step.
Step six: submit the challenge
PS> Submit-ACMEChallenge dns1 -ChallengeType http-01
After submission we need to wait for the LE server to validate. We can use the command:
PS> Update-ACMEIdentifier dns1
...
Status: valid
...
to check the validation status:
pending: waiting to be validated
valid: validation passed
invalid: validation failed; the challenge needs to be requested again
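Before running Submit-ACMEChallenge it is worth checking, from the outside and over plain HTTP, that the challenge file really is served with the expected content; an "invalid" status often comes from IIS not serving an extensionless file rather than from a wrong token. The following script is an added example, not code from the original post or from ACMESharp: it creates the challenge file from the manual-handler values shown above (the site root path and the web.config are assumptions for this example) and then fetches the URL the way the LE server will.

```powershell
# Added example (not from the post or ACMESharp): prepare the http-01 challenge file
# and verify it before Submit-ACMEChallenge. Token and key authorization are the
# values from the manual-handler output above; the site root is an assumption.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',   # assumption: IIS "Default Web Site" root
    [string]$HostName = 'myserver.example.com',
    [string]$Token    = '2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0',
    [string]$KeyAuthz = '2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0.H3URk7qFUvhyYzqJySfc9eM25RTDN7bN4pwil37Rgms'
)

# Explorer refuses folder names that start with a dot; New-Item from the console works.
$challengeDir = Join-Path $SiteRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# The challenge file has no extension and must be returned verbatim as text/plain.
# Write it without a BOM and without a trailing newline, or the body will not match.
$filePath = Join-Path $challengeDir $Token
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($filePath, $KeyAuthz, $utf8NoBom)

# IIS does not serve extensionless files by default. This folder-scoped web.config
# (assumption: standard IIS staticContent configuration) maps them to text/plain.
$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
"@
[System.IO.File]::WriteAllText((Join-Path $challengeDir 'web.config'), $webConfig, $utf8NoBom)

# Pre-flight check: fetch the URL over plain HTTP on port 80, exactly as the LE
# validation server will, and compare the body with the expected key authorization.
# This only tells the truth when the host name resolves to this server from the Internet.
$url = "http://$HostName/.well-known/acme-challenge/$Token"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    $body = $resp.Content.Trim()
    if ($resp.StatusCode -eq 200 -and $body -eq $KeyAuthz) {
        Write-Host "OK: $url returns the expected key authorization; safe to submit the challenge."
    } else {
        Write-Warning "Mismatch at $url (HTTP $($resp.StatusCode)). Body: '$body'"
    }
} catch {
    Write-Warning "Could not fetch $url : $($_.Exception.Message)"
}
```

If the check reports a mismatch or a 404, fix the file or the IIS static-content mapping before submitting; a submitted challenge that fails has to be requested again.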
Mine came back invalid here, and I thought I couldn't make it work. I tried various IIS permissions, and then suddenly remembered a page I had saved earlier listing all the Let's Encrypt deployment tools (https://letsencrypt.org/docs/client-options/), where I found a deployment tool for Windows with a GUI:
Certify SSL Manager
Home page for downloads and info: https://certifytheweb.com/
It hooks directly into IIS 7.0 and above: one button and HTTPS is deployed!! Very cool ~~ I finally found a Windows Let's Encrypt deployment weapon!!
This article is from the "Technology" blog; reprinting is declined!
Windows Server 2008 R2: request a free Let's Encrypt certificate