Installing SSL for Custom Domains in IIS using LetsEncrypt

4 replies

Last post Sep 24, 2019 02:16 PM by danimalik54

  • Installing SSL for Custom Domains in IIS using LetsEncrypt

    Sep 20, 2019 04:32 PM | Dayclone

    My web server is (include version): IIS 8.5

    The operating system my web server runs on is (include version): Windows Server 2012 R2 Standard

    We have integrated LetsEncrypt on our platform and want to install those certificates on our clients' custom domains.
    We have a cloud application hosted on Windows Server, i.e. IIS.
    We have installed and tested the certificate on IIS, and it's working when we bind a subdomain, so that means the certificates are working fine. The problem we are facing is that our system supports custom domains from clients, so when they add their custom domain using CNAME forwarding from their DNS, we also want to apply SSL on them, which are surely not hard-bound on our IIS server.

    Now, how do we configure the IIS server to accept them and apply an SSL certificate to them?

    Scenario:
    The issue we are facing is that clients would set up domains in an A record or CNAME, like app.customerdomain.com, pointed to a domain that's on our server, like custom.domain.com. We generate a certificate, but where do we bind it? The certificate generated is for their domain, which isn't bound on our system because they have their CNAME/A record pointed to our custom.domain.com to handle all the requests.

    If we were to physically bind the domain on the server and apply the certificate then yes we are able to obtain SSL.

  • Re: Installing SSL for Custom Domains in IIS using LetsEncrypt

    Sep 21, 2019 01:15 AM | lextm

    DNS can only forward the packets to your IIS server, with the host header of app.customerdomain.com.

    So if your IIS server must handle those packets, it must have a valid site binding with either app.customerdomain.com as host name or empty host name to catch all. More info can be found in

    https://docs.jexusmanager.com/tutorials/binding-diagnostics.html#background

    If your server only has a binding for custom.domain.com, then all packets will be dropped.

    Can you modify your server with a valid binding? If not, ask your clients to set up their reverse proxy (not merely DNS) to forward packets, as reverse proxies are capable of not only passing on packets but also modifying their host headers.

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Installing SSL for Custom Domains in IIS using LetsEncrypt

    Sep 23, 2019 08:36 AM | danimalik54

    @lextm

    A simple, plain question: "Does IIS support a mechanism for handling multiple domains with just one actual binding, like custom.domain.com?"

    All other custom subdomains are served using this custom.domain.com binding.

    So how do we apply SSL on one subdomain if a client chooses to apply it, and not on another?

    For example, abc.domain2.com is also forwarded to custom.domain.com

    and

    xyz.domain3.com is also forwarded to custom.domain.com,

    so technically we only have one binding of custom.domain.com on our website,

    and we want to apply SSL on abc.domain2.com and not on xyz.domain3.com, based on the user's choice.

  • Re: Installing SSL for Custom Domains in IIS using LetsEncrypt

    Sep 23, 2019 09:52 AM | Yuk Ding

    Hi,

    If you only have one site in your IIS and you want the website to accept requests from other custom domains, then you could create an HTTP binding with all unassigned IPs and a null hostname.

    However, it is impossible to apply SSL over HTTPS without adding a binding host header in IIS. When we need to enable an SSL certificate for IIS, we need to specify the certificate hash for a certain domain and port number on the server side so that IIS knows which private key should be returned. If IIS supported specifying SSL from the client side, then SSL certificates would never be safe any more.

    Best Regards,

    Jokies Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Installing SSL for Custom Domains in IIS using LetsEncrypt

    Sep 24, 2019 02:16 PM | danimalik54

    Hey,
    I am switching the approach and now going to add the bindings. Here is the other issue I am facing.

    I have an application hosted in the IIS website "TestWebsite", and I am using Microsoft.Web.Administration for IIS automation.

    I have to do the following operations with the bindings of the SAME website "TestWebsite" from "TestWebsite":

    1. Add an HTTPS binding with an SSL certificate to the website "TestWebsite" from the same application (the code to add the binding will be in the same "TestWebsite").
    2. Remove the binding.

    I have written the following code, and the weird thing is that on localhost it is adding the https binding even before manager.CommitChanges(). This line throws an exception on localhost, so I removed it, but on Windows Server it's not adding the binding even after successfully running the code (without CommitChanges(); I have no idea how it's working on localhost without it).

    // Usings needed by the snippet below:
    // using System.Linq;
    // using System.Security.Cryptography.X509Certificates;
    // using Microsoft.Web.Administration;
    //
    // model.PfxPath, model.UserCustom (the custom host name) and password come
    // from the surrounding ASP.NET action, as in the original post.
    using (ServerManager iisManager = new ServerManager())
    {
        var website = iisManager.Sites.FirstOrDefault(x => x.Name == "TestWebsite");
        if (website != null)
        {
            var pfxPath = Server.MapPath(model.PfxPath);
            // MachineKeySet puts the private key in the machine key container, where
            // HTTP.SYS and the app pool identity can read it. A key stored in the
            // current user's profile is a common cause of "A specified logon session
            // does not exist" (0x80070520) when the https binding is added on the server.
            var certificate = new X509Certificate2(pfxPath, password,
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet |
                X509KeyStorageFlags.Exportable);

            // A server certificate belongs in the Personal ("My") store of the local
            // machine, not in Trusted Root; the using block closes the store once.
            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadWrite);
                store.Add(certificate);
            }

            string bindingInformation = string.Format("{0}:{1}:{2}", "*", "443", model.UserCustom);
            // This overload creates an https binding, so Protocol need not be set again.
            var binding = website.Bindings.Add(bindingInformation, certificate.GetCertHash(), "My");
            // SNI lets several host names share *:443, each with its own certificate (IIS 8+).
            binding.SslFlags = SslFlags.Sni;

            website.ApplicationDefaults.EnabledProtocols = "http,https";
            iisManager.CommitChanges();
        }
    }

    I receive the following error:

    1- A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

    Is there some permission-related error? What am I doing wrong?

    Your help will be appreciated.

    Thank you  :)

    Danial Malik :)
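As an added example (not the poster's code or anything from this thread), a helper that performs both operations listed in the last post: import a customer's PFX into LocalMachine\My and add an SNI https binding for that host name on the shared site, and remove that binding again. The site name, host name, PFX path and password are assumed to be supplied by the caller; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;
// Hypothetical helper: one SNI https binding per customer host name on one IIS site.
public static class CustomDomainBindings
{
    public static void AddHttpsBinding(string siteName, string hostName, string pfxPath, string pfxPassword)
    {
        // MachineKeySet: the private key lives in the machine container so HTTP.SYS can use it.
        var cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);   // no-op if the certificate is already in the store
        }
        using (var iis = new ServerManager())
        {
            var site = iis.Sites[siteName];
            if (site == null) throw new ArgumentException("Site not found: " + siteName);

            // Replace any existing https binding for this host so renewals are idempotent.
            var old = FindHttps(site, hostName);
            if (old != null) site.Bindings.Remove(old);

            var binding = site.Bindings.Add("*:443:" + hostName, cert.GetCertHash(), "My");
            binding.SslFlags = SslFlags.Sni;   // several host names can share *:443 only with SNI
            iis.CommitChanges();
        }
    }

    // Returns true when a binding was removed. The certificate stays in the store.
    public static bool RemoveHttpsBinding(string siteName, string hostName)
    {
        using (var iis = new ServerManager())
        {
            var site = iis.Sites[siteName];
            var binding = site == null ? null : FindHttps(site, hostName);
            if (binding == null) return false;
            site.Bindings.Remove(binding);
            iis.CommitChanges();
            return true;
        }
    }

    private static Binding FindHttps(Site site, string hostName) =>
        site.Bindings.FirstOrDefault(b => b.Protocol == "https" &&
            string.Equals(b.Host, hostName, StringComparison.OrdinalIgnoreCase));
}
```

The process calling this must run with rights to write applicationHost.config and to the machine key container, which the website's own app pool identity normally does not have.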