win-acme's Introduction

Windows ACME Simple (WACS)

A simple ACME client for Windows - for use with Let's Encrypt. (Formerly known as letsencrypt-win-simple (LEWS))

Overview

Please check our website for an up-to-date overview, documentation and downloads.

Community support

If you run into trouble you can open an issue. First please check to see if your issue is covered in the manual or reference. If you can't find a solution that way, describe the exact steps that you are taking and try to provide as much relevant information as possible, preferably including logging.

Professional support / sponsorship

Is your business relying on this program to secure customer websites and perhaps even critical infrastructure? Then maybe it would be good for your peace of mind to sponsor one of its core developers, to gain guaranteed future support and good karma at the same time. I offer my help quickly, discreetly and professionally via Patreon.

Donations

Do you like the program and want to buy me a beer and discuss the future of the program in private? My Patreon also has some simple "Thank you" tiers, or if you prefer to do a one-time donation you can use Paypal.

win-acme's Issues

Unable to add email for v1.7

Hi,

After upgrading to v1.7 I'm not prompted to add an email address as I already have a registration in place. Do I need to remove this (re-generate all certificates too?) or can I add an email to an existing one?

Authorization fails - HTTP Error 404.17 - Not Found

HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.

Authorization fails with the above error when I run the setup process and when I look at the address in a browser.

I guess I have a problem with my IIS, but what? Is it the MIME type?
It's Windows Server 2012, IIS 8.

Thanks in advance
Rasmus

Unable to Start IIS Site - file in use by another process

Hi,
Runs through fine, adds the certificate, private key, scheduled task, binding, etc., but the site stops and says "the process cannot access the file because it is being used by another process (Exception from HRESULT: 0x80070020)".
If I remove the newly created binding, then the site starts fine.

SNI support

Hello, I've just tested Let's Encrypt Simple on my blog site and it seems there are some issues. If HTTPS binding already exists for website and SNI checkbox is checked for this website, issued certificate cannot be placed under Certificates (Local Computer) -> Personal storage but it has to be under Certificates (Local Computer) -> Web Hosting storage.
Unfortunately the issuing process has to be completed in Personal then it's necessary to export it to PFX, delete the issued certificate from Personal, import from the PFX file to Web Hosting and modify IIS website bindings finally. I haven't found a better way.

If there is no HTTPS binding for a website it would be great to ask the user if the new certificate is requested with SNI support (so the previous text applies) or without SNI support (this is how it works now).

Remove domain from renewal list

I have recently deleted a domain from my server and have removed the certificate for it. The problem I'm getting is that the certificate is still showing in the list of renewals (i.e. letsencrypt.exe --renew) so it looks like the certificate will be renewed even though I don't need it any more.

Is there a way of editing the certificates in the renewal list so I can remove the ones that I no longer require?

Thanks,

Dylan

Change friendly name date format

Would it be possible to change the date format of the friendly name of the certificates?
To be able to sort it would make more sense to have yyyy-mm-dd instead of dd-mm-yyyy

Logging

Is there an option to enable some kind of logging feature?

Do Renewals require us to leave port 80 open?

Everything worked perfectly for me and I see there is a renewal job setup for 60 days from now.

I am wondering if the letsencrypt renewal command will tell the api to look at the https version of my site so I can turn off port 80 at my firewall?

Thanks for this awesome work!

Subdomains

Hi,

Due to the rate limits imposed by Let's Encrypt I could only set up 5 of the bindings :( - However, it would be a nice addition if your program realised that the bindings share the same domain suffix (so: service1.blah.com, service2.blah.com) and batched them together to get one certificate with multiple subdomains registered on it.

I'd like this functionality, but I don't really want to go to the complication of learning and using ACMESharp just for this one feature.

Any chance?

Thanks

Better error handling

Last week, I couldn't figure out why, when running your client, ACME wasn't able to read the well-known answer file. I could access it perfectly fine from my phone, so why couldn't the ACME server?
The only error message I got was to check the handler mappings.
It wasn't until yesterday, when I was attempting to do it manually using Let's Encrypt's beta Mac client that I finally discovered what the problem was: My server was returning a HTTP:401 Unauthorised response.
Once I'd fixed that, your client worked perfectly.
If your client had been able to detect and report back that error, I would have been able to fix it straight away.
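The check this issue asks for can be run by the operator before requesting a certificate. The following is an added example, not win-acme code: it drops a probe file in the site's challenge folder, requests it over plain HTTP without credentials, and reports the status code. The function name, the probe file name and the `www.example.com` host are assumptions made for illustration.

```powershell
# Added example, not win-acme code. Run in an elevated PowerShell on the web server.
function Test-AcmeChallengePath {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,  # public host name of the binding
        [Parameter(Mandatory = $true)] [string] $WebRoot    # physical path of the IIS site
    )

    $root = (Resolve-Path -LiteralPath $WebRoot).ProviderPath
    $dir  = Join-Path $root '.well-known\acme-challenge'
    $name = 'selftest-' + [guid]::NewGuid().ToString('N')   # constructed; extensionless like a token
    $file = Join-Path $dir $name
    $body = "acme-selftest $name"

    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    [System.IO.File]::WriteAllText($file, $body)

    $url  = "http://$HostName/.well-known/acme-challenge/$name"
    $resp = $null
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.AllowAutoRedirect = $false    # report redirects instead of silently following them
        $req.Timeout = 10000
        try { $resp = $req.GetResponse() }
        catch {
            # PowerShell wraps .NET exceptions; find the WebException to reach the response.
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
            if ($ex) { $resp = $ex.Response }
            if (-not $resp) {
                return [pscustomobject]@{ Url = $url; Status = 0
                    Finding = "No HTTP response: $($_.Exception.Message)" }
            }
        }

        $status = [int]$resp.StatusCode
        $served = ''
        if ($status -eq 200) {
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $served = $reader.ReadToEnd()
            $reader.Dispose()
        }

        $finding = switch ($status) {
            200 {
                if ($served -eq $body) { 'OK: probe file served anonymously as static content' }
                else { 'Body differs: another handler or rewrite rule answered instead of the file' }
            }
            { $_ -in 301, 302, 303, 307, 308 } { "Redirected to $($resp.Headers['Location'])" }
            401     { 'Authentication is required for the challenge folder (the cause in this issue)' }
            403     { 'Anonymous requests to the challenge folder are denied' }
            404     { 'Extensionless file not served: check StaticFile handler order and MIME map' }
            500     { 'Server error: the web.config in the challenge folder may be rejected by this site' }
            default { "Unexpected status $status" }
        }
        [pscustomobject]@{ Url = $url; Status = $status; Finding = $finding }
    }
    finally {
        if ($resp) { $resp.Close() }
        Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
    }
}

# Usage (host name and path are placeholders):
# Test-AcmeChallengePath -HostName www.example.com -WebRoot C:\inetpub\wwwroot\Site
```

Run on the server itself, this exercises IIS handlers and authorization but not the firewall or port-forwarding path, so a clean result here still needs confirming from outside the network.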

Apache version

Are you guys looking into Apache too? Would be great to have it work with it!

How to upgrade?

First of all thank you for this great tool!

Currently I have version 1.1 on my server and it has generated perfect certificates and has created a scheduled task to do the renewals.
To move to a new version do I just replace all the old files with the ones from the new release?

Unhandled Exception

I had just done xtremeidiots.com and it had worked fine, unsure of cause.

Which binding do you want to get a cert for: 15

Authorizing Identifier www.xtremeidiots.com Using Challenge Type http-01

Unhandled Exception: LetsEncrypt.ACME.AcmeClient+AcmeWebException: Unexpected er
ror ---> System.Net.WebException: The remote server returned an error: (500) Int
ernal Server Error.
at System.Net.HttpWebRequest.GetResponse()
at LetsEncrypt.ACME.AcmeClient.RequestHttpPost(Uri uri, Object message) in C:
\Users\bryan\Documents\letsencrypt-win-simple\letsencrypt-win\letsencrypt-win\Le
tsEncrypt.ACME\AcmeClient.cs:line 591
--- End of inner exception stack trace ---
at LetsEncrypt.ACME.AcmeClient.AuthorizeIdentifier(String dnsIdentifier) in C
:\Users\bryan\Documents\letsencrypt-win-simple\letsencrypt-win\letsencrypt-win\L
etsEncrypt.ACME\AcmeClient.cs:line 261
at LetsEncrypt.ACME.Simple.Program.Authorize(String dnsIdentifier, String web
RootPath) in C:\Users\bryan\Documents\letsencrypt-win-simple\letsencrypt-win-sim
ple\Program.cs:line 544
at LetsEncrypt.ACME.Simple.Program.Auto(TargetBinding binding) in C:\Users\br
yan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 224
at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\bryan\Docu
ments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 175

how to compile ?

For those of us that only manage and don't develop, a guide on how to compile would be appreciated.

If somebody can put the bones of a guide onto a wiki page, I'd be happy to flesh it out

Cheers

Renewing of certificates

When the certificate is renewed, will the website restart or will the certificate only be added to cert-store and the IIS feature "Enable Automatic Rebind of Renewed Certificate" find the new certificate and use that instead?

ASP.NET MVC 4 application and StaticFile / ExtensionlessUrl handlers

My ASP.NET MVC 4 application breaks when moving the StaticFile handler above ExtensionlessUrl handler.

However, with the handlers the other way round, the ACME answer file is not served (as documented in letsencrypt-win-simple error message).

Suggest modifying the web.config file in the .well-known/acme-challenge directory as follows:

<?xml version = "1.0" encoding="UTF-8"?>
 <configuration>
     <system.webServer>
         <staticContent>
             <mimeMap fileExtension = ".*" mimeType="text/json" />
         </staticContent>

         <handlers>
           <clear />
           <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule" 
               resourceType="Either" requireAccess="Read" />  
         </handlers>
     </system.webServer>
 </configuration>

By removing all handler mappings except the StaticFileHandler from the acme-challenge directory, we can ensure that the file gets served.

Windows 2012 R2 / IIS 8.5 Error

I am getting the error about verification failed, YET I can browse the file in my browser and have it come up no problem.

Please help me help you fix this for 2012R2.

How can I get this working on 2012R2?

Omit redundant hostnames and hostnames with IDN domain names

I used Let's Encrypt win simple for the first time today. I use SNI on the server to enable multiple HTTPS websites listening on the same IP address without the need for a SAN certificate. I also use multiple host headers (including an IDN domain) but only one HTTPS binding for my website.

I would like to ask you to implement two improvements:

  1. do not offer the same hostname twice (once from HTTP binding, once from HTTPS binding probably)
  2. remove any hostname containing national characters (i.e. using IDN domain names) from the scanning results - from what I found, Let's Encrypt CA does not plan to support IDN domains in the near future

Regards

Radek

Error when committing binding changes to IIS

It looks like it added the cert to IIS correctly, but it failed with this message when attempting to commit the binding changes. I have my Administrator account renamed (for security, this is a best practice). Perhaps that has something to do with it?

 Opened Certificate Store "WebHosting"
 Adding Certificate to Store
 Closing Certificate Store
 Updating Existing https Binding
 Committing binding changes to IIS
System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been te
rminated
   at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoint endPoint, String hostName, HTTP_SERVIC
E_CONFIG_SSL_PARAM_MANAGED allSSLData, SslFlags sslFlags)
   at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoint endPoint, String hostName, Byte[] cert
ificateHash, String certificateStoreName, SslFlags sslFlags)
   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()
   at Microsoft.Web.Administration.BindingManager.Save()
   at Microsoft.Web.Administration.ServerManager.CommitChanges()
   at LetsEncrypt.ACME.Simple.IISPlugin.Install(Target target, String pfxFilename, X509Store store, X509Certificate2 cer
tificate) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Plugin\IISPlugin.cs:line 116
   at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencryp
t-win-simple\Program.cs:line 259
   at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt
-win-simple\Program.cs:line 180
Press enter to continue.

Windows Schedule Task name not displayed in MMC

First off = THANK YOU to Lone-Coder for this great CLI application.

When running letsencrypt.exe, part of the output I get is as follows:

Creating Task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with 
Windows Task Scheduler at 9am every day.
Renewal Scheduled IIS dev.xvp.kunnect.com (D:\Applications\Web\Default) Renew After 2/5/2016

However when I look in the Windows Task Scheduler for said task, it does not seem to appear.

I am able to run Schtasks from the Windows command line, and see the following:

C:\Windows >Schtasks

Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== 
GoogleUpdateTaskMachineCore              12/7/2015 8:36:00 PM   Ready
GoogleUpdateTaskMachineUA                12/7/2015 12:36:00 PM  Ready
letsencrypt-win-simple httpsacme-v01.api 12/8/2015 9:00:00 AM   Ready

I tried to do this trick to export the task, "rename" it in the XML output, and re-import the task, but the task name is not found on the command line either:

(https://technet.microsoft.com/en-us/library/cc709661.aspx)

Could you rename the task, perhaps without spaces, so that it is able to show up in the Windows Schedule Task MMC Taskschd.msc as well?

Thanks again.

Mime mapping created by letsencrypt-win-simple doesn't work

Hi,

The web.config file created by letsencrypt-win-simple to allow IIS to serve files without an extension doesn't work in my environment (Server 2012R0 IIS 8.0): the ACME challenge response is not accessible (error 404). I had to edit the web.config manually and replace

By

(without star).

ClassicAppPool Internal Server Error

In IIS7 on a ClassicAppPool, adding the mime handler to the web.config file causes an internal server error. Perhaps there should be a flag to skip that part of the authorization provided that the user creates the MIME handler via appcmd.

@%SystemRoot%\System32\inetsrv\appcmd set config -section:staticContent -+"[fileExtension='.', mimeType='text/plain']"

only gets certificate, does not install

Possibly down to not building it correctly, but as per screengrab http://pasteboard.co/XMMemWZ.png it gets the certificate and puts it into the certificate store, but does not apply it to the website, which I had expected it to from https://github.com/Lone-Coder/letsencrypt-win-simple#example-output.

To build, I installed VS 2015 Community, cloned the git repo, changed the Build | Configuration manager option from debug to release and then selected Build | Build Solution.

Cheers

4096 RSA keys

First of all - NICE project man!
In default Let's encrypt is using 2048bit for the RSA-key, but there is the possibility to increase the keylength with the parameters "--rsa-key-size 4096". Could you add this feature to your project? Would be magnificent! Thx

Windows Task Scheduler settings

First, thank you Lone-Coder! This is a great tool to make using Let's Encrypt on IIS much easier.

I just wanted to point out that there is an issue with the task scheduler options, notably that the Task is initially configured to "run only when user is logged on", and so will fail to run every day unless you're logged in, generating errors as a result.

However, for now, as a workaround, it's an easy enough fix:
1.) Open your Task Scheduler
2.) Click on the "Task Scheduler Library" entry on the tree on the left panel of the window
3.) Select your "letsencrypt-win-simple..." task
4.) On the bottom-right panel of the window, click "Properties".
5.) Towards the bottom of the new window, select the option "Run whether user is logged on or not".
5a.) This screen is where you can also change under which user account the command runs.
5b.) You can also change the time of day/how often the task runs under the "Triggers" tab.
5c.) If you want to change the location of the executable, or the command-line parameters under which it runs, then you can do that under the "Actions" tab.
6.) Click OK

Thanks again!
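The same workaround can be audited and applied from PowerShell. This is an added example, not part of letsencrypt-win-simple: it lists the tool's renewal tasks with their logon type and switches any that run only in an interactive session to stored credentials, which is what "Run whether user is logged on or not" selects. The function name is an assumption; the task-name prefix is taken from the tool output quoted elsewhere on this page.

```powershell
# Added example, not part of letsencrypt-win-simple. Requires the ScheduledTasks
# module (Windows Server 2012 / Windows 8 or later) and an elevated session.
function Get-RenewalTaskLogon {
    param([string] $NamePattern = 'letsencrypt-win-simple*')  # prefix seen in the tool's output

    Get-ScheduledTask | Where-Object { $_.TaskName -like $NamePattern } | ForEach-Object {
        $logon = [string]$_.Principal.LogonType
        [pscustomobject]@{
            TaskName        = $_.TaskName
            TaskPath        = $_.TaskPath
            RunAs           = $_.Principal.UserId
            LogonType       = $logon
            # 'Interactive' is the "Run only when user is logged on" setting.
            InteractiveOnly = ($logon -eq 'Interactive')
        }
    }
}

$report = @(Get-RenewalTaskLogon)
$report | Format-Table -AutoSize

$toFix = @($report | Where-Object { $_.InteractiveOnly })
if ($toFix.Count -gt 0) {
    # Keep the account the task already runs as: the config folder shown in the
    # tool's output on this page sits under that user's AppData\Roaming.
    $cred = Get-Credential -Message 'Account the renewal task should run as'
    foreach ($t in $toFix) {
        Set-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath `
            -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null
    }
    # Re-read the tasks to confirm the logon type changed.
    Get-RenewalTaskLogon | Format-Table -AutoSize
}
```

The account chosen here stores its password with the task and needs the rights the tool requires on the certificate store and IIS, so prefer a dedicated account over a personal administrator login.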

CryptographicException: The system cannot find the file specified

Not sure what's going on here... I'm on IIS7. It doesn't look like there's a "Web Hosting" certificate store - could that be it?

System.Security.Cryptography.CryptographicException: The system cannot find the
file specified.

   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags fla
gs)
   at LetsEncrypt.ACME.Simple.Program.InstallCertificate(Target binding, String
pfxFilename, X509Store& store, X509Certificate2& certificate) in C:\Users\Bryan\
Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 266
   at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\Users\Bryan\Doc
uments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 239
   at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Docu
ments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 171

Error Opening Certificate Store "WebHosting"

I get this error after getting the certificate:

Opening Certificate Store "WebHosting"
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
at LetsEncrypt.ACME.Simple.Program.InstallCertificate(Target binding, String pfxFilename, X509Store& store, X509Certificate2& certificate) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 266
at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 239
at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 171

I'm not sure why that is...do I have to setup something with the certificate store in Windows?

LetsEncryptACME.CLI has stopped working

Just downloaded your project to start tinkering with SSL certificates for IIS.
Downloaded: 0656bc6 version

Windows Server 2012R2
IIS 8.5

When running on Windows I get a stopped working error after selecting the IIS website I want to fetch a certificate for.

Running from an elevated Command Prompt

C:\letsencrypt>letsencrypt.exe
Let's Encrypt

Use production Let's Encrypt server? (Y/N)
ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\xxx\AppData\Roaming\LetsEncrypt\httpsacme-v01.
api.letsencrypt.org
Loading Signer from C:\Users\xxx\AppData\Roaming\LetsEncrypt\httpsacme
-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\xxx\AppData\Roaming\LetsEncrypt\htt
psacme-v01.api.letsencrypt.org\Registration
Checking Renewals
 No scheduled renewals found.

Scanning IIS 7 Site Bindings for Hosts (Elevated Permissions Required)
IIS Bindings
 1: music.domain.com (C:\inetpub\wwwroot\Ampache)
 2: ebooks.domain.com (C:\inetpub\wwwroot\Calibre)
 3: tvseries.domain.com (C:\inetpub\wwwroot\Sickbeard)
 4: torrent.domain.com (C:\inetpub\wwwroot\uTorrent)
 5: movies.domain.com (C:\inetpub\wwwroot\CouchPotato)
 6: headphones.domain.com (C:\inetpub\wwwroot\HeadPhones)

 A: Get Certificates for All Bindings
 Q: Quit
Which binding do you want to get a cert for: 1

Authorizing Identifier music.domain.com Using Challenge Type http-01

Unhandled Exception: LetsEncrypt.ACME.AcmeClient+AcmeWebException: Unexpected er
ror ---> System.Net.WebException: The remote server returned an error: (403) For
bidden.
   at System.Net.HttpWebRequest.GetResponse()
   at LetsEncrypt.ACME.AcmeClient.RequestHttpPost(Uri uri, Object message) in C:
\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win\letsencrypt-win\Le
tsEncrypt.ACME\AcmeClient.cs:line 598
   --- End of inner exception stack trace ---
   at LetsEncrypt.ACME.AcmeClient.AuthorizeIdentifier(String dnsIdentifier) in C
:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win\letsencrypt-win\L
etsEncrypt.ACME\AcmeClient.cs:line 261
   at LetsEncrypt.ACME.Simple.Program.Authorize(String dnsIdentifier, String web
RootPath) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt-win-sim
ple\Program.cs:line 399
   at LetsEncrypt.ACME.Simple.Program.Auto(TargetBinding siteHost) in C:\Users\B
ryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 200

   at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Docu
ments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 152

C:\letsencrypt>

It appears there are references directly to your user folder "C:\Users\Bryan\Documents".

When not using the production server I get this:

C:\letsencrypt>letsencrypt.exe
Let's Encrypt

Use production Let's Encrypt server? (Y/N)
ACME Server: https://acme-staging.api.letsencrypt.org/
Config Folder: C:\Users\xxx\AppData\Roaming\LetsEncrypt\httpsacme-stag
ing.api.letsencrypt.org
Saving Signer

Getting AcmeServerDirectory
Calling Register
Do you agree to https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf?
 (Y/N)
Updating Registration
Saving Registration
Checking Renewals
 No scheduled renewals found.

Scanning IIS 7 Site Bindings for Hosts (Elevated Permissions Required)
IIS Bindings
 1: music.domain.com (C:\inetpub\wwwroot\Ampache)
 2: ebooks.domain.com (C:\inetpub\wwwroot\Calibre)
 3: tvseries.domain.com (C:\inetpub\wwwroot\Sickbeard)
 4: torrent.domain.com (C:\inetpub\wwwroot\uTorrent)
 5: movies.domain.com (C:\inetpub\wwwroot\CouchPotato)
 6: headphones.domain.com (C:\inetpub\wwwroot\HeadPhones)

 A: Get Certificates for All Bindings
 Q: Quit
Which binding do you want to get a cert for: 1

Authorizing Identifier music.domain.com Using Challenge Type http-01
 Writing challenge answer to C:\inetpub\wwwroot\Ampache\.well-known/acme-challen
ge/keyblablabla
 Writing web.config to add extensionless mime type to C:\inetpub\wwwroot\Ampache
\.well-known\acme-challenge\web.config
 Answer should now be browsable at http://music.domain.com/.well-known/acme-challen
ge/keyblablabla
 Submitting answer
 Refreshing authorization
 Authorization RESULT: valid
 Saving authorization record to: C:\Users\xxx\AppData\Roaming\LetsEncr
ypt\httpsacme-staging.api.letsencrypt.org\music.domain.com.auth

Requesting Certificate
 Request Status: Created
 Saving Certificate to music.domain.com-crt.der
 Saving Issuer Certificate to ca-009CF1912EA8D50908-crt.pem
 Saving Certificate to music.domain.com-all.pfx (with no password set)

Do you want to install the .pfx into the Certificate Store? (Y/N)
 Opening Certificate Store
 Loading .pfx
 Adding Certificate to Store
 Closing Certificate Store

Do you want to add an https IIS binding? (Y/N)
 Adding https Binding
 Commiting binding changes to IIS

Unhandled Exception: System.Runtime.InteropServices.COMException: A specified lo
gon session does not exist. It may already have been terminated. (Exception from
 HRESULT: 0x80070520)
   at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()
   at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateH
ash, String certificateStoreName)
   at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()
   at Microsoft.Web.Administration.BindingManager.Save()
   at Microsoft.Web.Administration.ServerManager.CommitChanges()
   at LetsEncrypt.ACME.Simple.Program.InstallCertificate(String pfxFilename, Sit
e site, String host) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencr
ypt-win-simple\Program.cs:line 299
   at LetsEncrypt.ACME.Simple.Program.GetCertificate(TargetBinding binding, Stri
ng dnsIdentifier) in C:\Users\Bryan\Documents\letsencrypt-win-simple\letsencrypt
-win-simple\Program.cs:line 267
   at LetsEncrypt.ACME.Simple.Program.Auto(TargetBinding siteHost) in C:\Users\B
ryan\Documents\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 203

   at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Docu
ments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 152

C:\letsencrypt>

Update assembly version

When making new releases, it would be good if the assembly version were updated, to easily be able to see the version of the letsencrypt.exe file and not have to manually remember the version that is used on each server.

Error

Committing binding changes to IIS
System.ComponentModel.Win32Exception (0x80004005): A specified logon session doe
s not exist. It may already have been terminated
at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoin
t endPoint, String hostName, HTTP_SERVICE_CONFIG_SSL_PARAM_MANAGED allSSLData, S
slFlags sslFlags)
at Microsoft.Web.Management.Utility.HttpApiWrapper.CreateSSLBinding(IPEndPoin
t endPoint, String hostName, Byte[] certificateHash, String certificateStoreName
, SslFlags sslFlags)
at Microsoft.Web.Administration.BindingManager.BindingTransaction.Commit()
at Microsoft.Web.Administration.BindingManager.Save()
at Microsoft.Web.Administration.ServerManager.CommitChanges()
at LetsEncrypt.ACME.Simple.IISPlugin.Install(Target target, String pfxFilenam
e, X509Store store, X509Certificate2 certificate) in C:\Users\Bryan\Documents\le
tsencrypt-win-simple\letsencrypt-win-simple\Plugin\IISPlugin.cs:line 116
at LetsEncrypt.ACME.Simple.Program.Auto(Target binding) in C:\Users\Bryan\Doc
uments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 259
at LetsEncrypt.ACME.Simple.Program.Main(String[] args) in C:\Users\Bryan\Docu
ments\letsencrypt-win-simple\letsencrypt-win-simple\Program.cs:line 180

It looks like the cert was created and added to IIS; the site is encrypted and working fine after recreating the binding. The task scheduler routine did not run though. Not sure what is up with the c:\users\bryan path, it doesn't exist.

Co-maintainer Needed

I'm not going to be able to contribute much to this project for the next few months.

Would anyone like to step in and help manage the client?

ACME server was probably unable to reach

Hello, I read all issues, but still don't understand why this problem appears.
I use IIS 8.5 on Windows Server12 R2. In IIS 8.5 I created a site with host www.hellohttps.com, but when letsencrypt-win-simple validates the key:
The ACME server was probably unable to reach http://www.hellohttps.com/.well-known/acme-challenge/Key, but I can open it in a browser.

I suppose it appears because I don't use hosting and call the IP address directly instead of the hostname, and LE can't reach it. Or am I wrong?
Firewall turned off.
http://80.76.96.182/.well-known/acme-challenge/7IK-bb0WB3v0TjmlycxYqP25TKubKLp8YjVDjrpaoGc
Please answer in more detail if possible. I'm a newbie in this.

Port other than 80 for domain verification?

I have the sites running on IIS bound to local port 80, and it is exposed as port 8001 (for security) to the public through port forwarding at the router. Therefore, it can't be verified by the LE server while running LE-win-simple.
Currently, I need to map the public port 80 to a given site for verification and certificate installation. Once done, I shut port 80 down and revert to the original setting.
I would like to know if there is any way to change or configure this for domain verification, for each site obtaining an LE certificate.
Btw, it would be great to allow a non-443 port to be configured when installing the certificate on IIS. I need to set different ports for different secure sites.

Finally, thanks for this handy tool; it makes the whole process easy and efficient!

SAN for multiple names

The client should request a certificate for all names that are associated with a site. For example, I have a site with the following bindings:
[ip] 443
domain 443
www.domain 443

Now the letsencrypt client should request one certificate for the names: domain and www.domain
This is what the "official" letsencrypt client is currently doing:
certbot/certbot#369

It looks like it must be supported first in the letsencrypt library you are using:
https://github.com/ebekker/letsencrypt-win/issues/13

Expand acme folder config to also allow all users.

If the acme folder is sitting in a web site with authentication enabled and anonymous users disallowed, attempting to request the file will cause an authentication challenge or redirect.

The web.config should be expanded to include this section:

<system.web>
    <authorization>
      <allow users="*" />
    </authorization>
</system.web>

When running on Windows and

On Windows Server 2008 R2, when using letsencrypt.exe in an administrator console, I get:

...
Which host do you want to get a certificate for: 15

Authorizing Identifier www.mydomainhere.com Using Challenge Type http-01
Unexpected error
ACME Server Returned:

<TITLE>Error</TITLE> An error occurred while processing your request.

Reference #179.81474317.1448542572.bafba3d

Windows' CMD

Hello,

We have more than 1000 domains in our IIS on Windows. When I open the letsencrypt client, the cmd does not show all the hosts. What should I do to solve this problem? I changed the buffer size but it did not help. Thanks

The use of .NET and other dependencies in Let's Encrypt (LE)

LoneCoder has done a great job to call this client a simple client. But I am concerned that in the real world prototypes sometimes get adopted and extended to meet real world needs.

.NET is a wonderful dev env in the sense that it supports several languages and has many features. It makes development quicker and easier. It is also standard on all modern Windows computer systems.

However, if the use of HTTPS is to be made universal, and if one use case is for older computers to be converted into internet servers for various purposes, then we have a potential problem: most older Windows systems don't have .NET installed, or if they do, it's frequently an either buggy or limited version of .NET. (They also may not use IIS or even Apache to serve webpages. LE should work even with tiny HTTPS servers such as Mongoose to help promote its universal use on old Windows systems. In this simple client, a plugin system factors out the server interface nicely.)

.NET is fine for a quickly-written and easily-extended demonstration client, a proof of concept, but I would urge that you make sure that your simple client isn't mistaken or used as the base for the final LE client software in the future. I would suggest that the delivered LE client for Windows should have as few dependencies as possible, for ease of installation and knowing how to respond to error messages. LE needs bulletproof software, because a variety of users of various degrees of knowledge and experience will be using it.

I recommend that someone start now to write a client that will not use .NET, Python, bash command language, or anything else having a library or interpreter that must be installed by the user. Users may not know how to install a dependency and may not know how to respond to an error or a version problem detected in a dependent library. That's part of what makes them universal LE users.

I realize that this makes the final client much harder to write, but LE is intended to be used by anyone running a website or an intranet or perhaps even a browser-based application, and that is an enormous and diverse audience. At some point, someone must take courage and eliminate run time dependencies, or LE may be in trouble, at least on Windows systems.

IIS not resolving/binding with created cert

I have successfully created a Let's Encrypt SSL certificate:

  • The SSL certificate has been installed and appears in IIS under Server Certificates.
  • An HTTPS binding was successfully associated with my site in IIS.
  • The StaticFile handler mapping is being executed before the ExtensionLess URL Mapper.

When I visit my domain: https://subdomain1.mysite.com I am getting a site not found.

Further information:
I have three sites on this server:

  • subdomain1.mysite.com (this one has the Let's Encrypt SSL applied)
  • subdomain2.mysite.com
  • www.mysite.com

If anyone has any suggestions please let me know.

Thanks

No scheduled task for renewal

Version 1.7. I was able to pull a certificate, Windows 2012.
However, I noticed there is nothing in scheduled tasks.
I did check "show hidden tasks".

It threw an error when it went to install the cert. I had to manually select the cert in IIS. And when I checked, no task was created.

letsencrypt.exe installs cert pfx into IIS but crashes doing the binding

I tested on Win2012 server, and everything went perfectly until I said 'Y' to adding the binding automatically. Screenshot attached to show the error message. It's possible that I already had something in IIS for port 443 for the domain in question before starting, I'm not 100% sure.

Note 'Bryan' in some of the user paths in the screenshot - that is not anyone on my system.

[Screenshot: letsencrypt-win_iisbinding_2015-11-13_2337]

The certificate (PFX) itself is listed as a valid certificate for the server. Probably due to the crash, when I try to manually finish the binding, after selecting the cert and clicking [ok] in IIS manager, I get this error: "Edit Site Binding: There was an error while performing this operation. Details: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)." Just FYI.

Overall, the program is much easier to use for me than 4 days ago.

One small suggestion: if you can add a manifest to letsencrypt.exe to require elevated permission, it'll be even simpler to run - no need to explicitly run as admin.

Handler mappings instructions

This is the last request for today, I promise.

The first letsencrypt.exe wasn't successful. I noticed red-marked instructions on how to view the Handler Mappings ordered list and how to move the StaticFile handler up before ExtensionlessUrlHandler.

This is how it was configured (by default I guess) on my server:
[Screenshot: lewinsimple_request3]

It's not safe to do this on the website level as this could impact other code running on the website. But there shouldn't be any problem reconfiguring this on ".well-known" folder or even deeper on ".well-known\acme-challenge" subfolder.

I changed Handler Mappings on ".well-known" folder and was able to receive the first LE certificate immediately.

Regards

Radek

Script does not work when ServiceStack handler is at the top of the list

If I visit the URL in the browser I simply get a 404 instead of the challenge file. The ServiceStack framework seems to be blocking certificate requests by capturing the request before the StaticFileHandler can. Would it be possible to override priority for the .well-known directory and directories below? I suspect that the scheduled task won't run except if I place the StaticFileHandler above ServiceStack.Factory (and I'd prefer not to do this manually or for the root of the Web Site every time I need to renew).
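
The folder-scoped handler override that the two posts above describe, as an added example that is not part of either post and not the project's own file: a web.config placed in the .well-known\acme-challenge folder of the site. It assumes the handlers and staticContent sections are delegated (not locked) for the site; the text/plain MIME type is a choice made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: save as web.config inside .well-known\acme-challenge.
     It applies to this folder and its children only, so the handler order
     of the rest of the site is left untouched. -->
<configuration>
  <system.webServer>
    <staticContent>
      <!-- http-01 challenge files have no extension, and IIS refuses to
           serve files without a MIME mapping. The remove entry avoids a
           duplicate-key configuration error if a parent level already
           maps ".". -->
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <!-- Drop every inherited handler (ExtensionlessUrlHandler, framework
           handlers registered at site level) for this folder only. -->
      <clear />
      <!-- Serve files as static content with read access only, so nothing
           placed in the challenge folder is executed as script. -->
      <add name="StaticFile"
           path="*"
           verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either"
           requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
```

Because the override lives next to the challenge files, it survives renewals without anyone reordering Handler Mappings at the site root.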

IIS 8.5 with MVC site still fails

Hi,

With the current version I'm still not able to add a certificate to an MVC site. Moving the handlers is no solution as the site itself would not work anymore.

The exception I get is the following:

HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.

Binding update is 'greedy'

Configuration background: For each domain I host there are four primary bindings. These four bindings allow the website owner to then easily choose between www and non-www with a URL rewrite.

However the binding update in this program is greedy with how it updates the certificates to be used.

Say you run the letsencrypt and select domain.tld - it does its thing and comes back with the certificate which it then adds to both the domain.tld and www.domain.tld bindings.

You then run the letsencrypt the second time for www.domain.tld - it does its thing and comes back with the certificate which it then adds to the domain.tld and www.domain.tld bindings.

You end up with one working and one not. This is only an issue because currently the client only supports a 1-to-1 mapping certificate to domain. If the certificate generated supported both domain.tld and www.domain.tld you would be able to have a single certificate for both bindings and all would be fine.

However this brings into question that the program would be forcing the configuration of the web server and there may be a need to maintain separate certificates for both domain.tld and www.domain.tld. So in any case I believe that this is a bug that needs to be fixed.

Upload challenge file to host via FTP

When manually generating a certificate, it would be useful to be able to FTP the challenge file to the host. Could be useful for people who may not have direct access to the host (like people who use a web hosting service).

At a glance the current BeforeAuthorize implementation would need to be altered if it were to be used in ManualPlugin.cs to perform this functionality.

Thoughts?
