Free Certificate for IIS with Let’s Encrypt

KB ID 0001736

Problem

I’ve been aware of Let’s Encrypt for a while: they are a non-profit Certification Authority that will provide you with a free certificate, and you can use one for most things you want to secure with a digital certificate. The only reason I’ve never used them in the past is that their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month certificates! This site went down a couple of years ago because the certificate expired while I was on holiday in Las Vegas, and it was a pain to get fixed!

I’ve got some work coming up that requires me to have a publicly signed certificate, so I thought I’d give it a whirl, it was incredibly easy and painless.

  • Server OS (Server 2019 Standard build 1809)
  • IIS Version 10.0.17763.1

Free Certificate Prerequisites

Obviously you need a Windows server with the IIS role installed, and a website that you want to secure. It does not need to already have a certificate or have https configured; whether you have done that or not, it will all be reconfigured for you! In addition you need a publicly registered domain name (you’re on my website so you know I have one of those), and finally a DNS host record (A Record) that you will use to browse to the web server. This will be ‘stamped’ onto the certificate as the certificate common name (CN).

The website will need to be publicly accessible via TCP Port 443 (https) on the IP address you’ve set in public DNS.

To do all the heavy lifting you need a piece of software; the easiest (I’ve seen) is win-acme (at time of writing the latest version is 2.1.14.996), which you simply download as a zip file.

Extract the contents of that zip file to a folder on your hard drive.

Apply For & Install the Free Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Press ‘n’ for create certificate.

I’ve only got one website, you may be hosting multiple sites, select the appropriate number.

I’m replacing every binding (you can have multiple bindings per site, but I’ve never seen that myself) > It then shows the bindings it finds > Select ‘A’ for all.

Yes to continue > No (unless you want the EULA to open in a web window for you to read) > Yes to agree to the terms (without reading them, shame on you!) > Enter a contact email address.

The software will go and get your certificate, install it, and bind it to your website. If it fails at this point it’s usually because the name for the certificate does not match your public DNS name, or the firewall is stopping your traffic.

Force IIS to Use Let’s Encrypt Free Certificate

To force clients to use HTTPS and not HTTP, you will need to tick the option below (Require SSL);

If you take a look at your certificate you will see it’s got a three month lifespan, BUT, you don’t have to worry about renewing it because…

Let’s Encrypt Free Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?
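The check I’d want on any server I’m relying on for that renewal, as an added example (my script here, not win-acme’s code and not part of the original article): it reports the certificate on each https binding with the days remaining, and confirms a win-acme scheduled task exists and last ran cleanly. It assumes the WebAdministration module that ships with IIS, that the task name contains ‘win-acme’, and an elevated PowerShell prompt.

```powershell
# Added example (not win-acme's code, not from the original article).
# Audits the Let's Encrypt deployment: which certificate is on each https
# binding, how many days it has left, and whether the win-acme renewal task
# exists and last ran cleanly. Assumptions: WebAdministration module (comes
# with IIS), the task name contains 'win-acme', run from an elevated prompt.
Import-Module WebAdministration

$warnDays = 20   # Let's Encrypt certs last ~90 days; win-acme renews well before expiry

foreach ($b in Get-WebBinding -Protocol https) {
    $thumb = $b.certificateHash
    $store = $b.certificateStoreName
    if (-not $thumb) {
        Write-Warning "Binding $($b.bindingInformation) has no certificate attached"
        continue
    }
    $cert = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): thumbprint $thumb not found in store $store"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $warnDays) { 'RENEW SOON' } else { 'OK' }
    [pscustomobject]@{
        Binding  = $b.bindingInformation
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        Status   = $status
    }
}

# The scheduled task is what stops the "expired while on holiday" outage.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like '*win-acme*' }
if (-not $task) {
    Write-Warning 'No win-acme scheduled task found: the certificate will NOT auto-renew'
} else {
    # LastTaskResult 0 means the last renewal check completed without error.
    $task | Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}
```

A non-zero LastTaskResult or a NextRunTime in the past is the thing to alert on; the certificate still looking fine today tells you nothing about next month.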

Where Does Win-ACME Store its information

Good question, it took me a little while to find that out. Essentially, once run, it creates a new folder in %programdata% (that’s a hidden folder on the C drive usually) called win-acme; all your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt IIS Free Certificate & Settings

  1. Remove the certificate from IIS.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler‘.

Related Articles, References, Credits, or External Links

NA

The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.


2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.


3. Tick ‘Require SSL’ > Apply.

4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.
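The same fix scripted, as an added example that is not part of the original article: it attaches the server’s own certificate (not the CA’s) to the https binding, adds that binding if it is missing, ticks ‘Require SSL’ on CertSrv only, and resets IIS. It assumes you run it elevated on the CA and that $serverCertSubject is a placeholder you adjust to your server certificate’s subject.

```powershell
# Added example (not from the original article): the CertSrv https fix scripted.
# Assumptions: run elevated on the CA; $serverCertSubject is a placeholder.
Import-Module WebAdministration

$site = 'Default Web Site'
$serverCertSubject = "CN=$env:COMPUTERNAME"   # placeholder: match YOUR server cert

# The CA certificate also lives in LocalMachine\My; exclude anything with the
# CA basic constraint so we never bind the CA cert by mistake.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$serverCertSubject*" -and
                   $_.HasPrivateKey -and
                   $_.Extensions['2.5.29.19'].CertificateAuthority -ne $true } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate matching $serverCertSubject found" }

# "If https is missing simply add it!"
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $site -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Tick 'Require SSL' on the CertSrv application (not the whole site).
$access = 'system.webServer/security/access'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\CertSrv" -Filter $access -Name sslFlags -Value 'Ssl'

# Show what is now in effect, then reset IIS so it takes effect straight away.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site\CertSrv" -Filter $access -Name sslFlags
iisreset /noforce
```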

Related Articles, References, Credits, or External Links

NA

Load Balance IIS with Microsoft ARR

KB ID 0001573

Problem

If you have a lot of IIS servers, and want to load balance between them, then you can either buy a load balancer, or use Microsoft ARR (Application Request Routing). Note: ARR does a lot more than simply load balancing, e.g. it can perform caching, and complex web routing, and even SSL offloading. Here we are just looking at load balancing.

I’m going to deploy TWO ARR servers in my DMZ, here I’ve got two ‘back-end’ IIS web servers, (you may have many more.)

WHY ARR?: Rather than use WAP (Web Application Proxy) or a connection broker, ARR is application aware, i.e. it WON’T attempt to serve pages from a broken IIS server, e.g. if the host server is online but the IIS site on it is broken.

WHY TWO?: Well, we are talking about balancing and availability; I’m deploying two so that in the event one fails, the other one will still be online. You can have these running on different hypervisors, or even in different datacenters, for added resiliency.

Deploy Network Load Balancing (NLB)

Our first task is to deploy NLB; this will create a ‘Virtual IP’ for both of the ARR servers to use.

NLB is a ‘Feature‘; to enable it, launch Server Manager > Manage > Add Roles and Features > Next > Next > Next > Next > Tick ‘Network Load Balancer‘ > Next > Next > Finish.

Launch ‘Network Load Balancing Manager’.

New Cluster.

Add in the first host > Connect > Next.

Check the IP > Next.

Add a ‘Cluster IP’, (this is the IP that you will connect to for services), and is the ‘Shared’ IP > OK > Next.

Next.

Next.

Repeat the procedure to add the additional IP(s).

You will need to make sure the NLB IP is ‘Publicly Available’, and open HTTP/HTTPS as required. Also the ARR hosts will need HTTP/HTTPS (as required) open to the internal IIS servers. I usually test all that at this point.

Deploy ARR and ‘URLRewrite’ for Load Balancing

ARR and URL rewrite are both IIS components, but you don’t need to install IIS yourself. You can if you wish, and then install URL Rewrite THEN ARR (In that order!) But it’s much simpler to download and use the ‘IIS Web Platform Installer‘.

Launch the Web Platform Installer, and do a search for URL > Select URL Rewrite > Add > Repeat the process, searching for ARR, and add Application Request Routing version 3, (Not the 2.5 version at the top!) > Next > Follow the wizard and complete the install.

Launch IIS Manager > Now you will see you have a new option ‘Server Farm‘ > Create Server Farm.

Give your server farm a name > Next > Add in all the ‘Back-end’ IIS servers > Finish.

You will get a pop-up asking if you want to create a URL rewrite rule. In this case we want a simple rewrite rule as we are doing plain old load balancing and we have no special requirements, so Select YES. (Only click No if you have specific rewrite requirements and you want to set them up manually).

Now test externally. WARNING: don’t expect the page to ‘flip over’ every time; remember ARR is caching these web requests, and your browser will also be performing web page caching. Use a couple of browsers and wait a minute or two between refreshes to make sure that all the web servers are being used!
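The ‘application aware’ part above depends on ARR’s health check, which the wizard does not configure for you. As an added example (my script, not part of the original article and not ARR’s own code): it points the farm’s health check at a page each back-end serves, then probes every back-end the same way ARR’s monitor will. The farm name ‘WebFarm’, the /health.htm page returning the text OK, and running it on an ARR host are all assumptions.

```powershell
# Added example (not from the original article, not ARR's own code).
# Gives the ARR server farm a health check so a back-end whose IIS site is
# broken (host up, site down) is taken out of rotation, then probes each
# back-end manually. Assumptions: farm name 'WebFarm' is a placeholder;
# each back-end serves /health.htm containing the text OK; run on the ARR host.
Import-Module WebAdministration

$farm     = 'WebFarm'
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$hcFilter = "webFarms/webFarm[@name='$farm']/applicationRequestRouting/healthCheck"

# The host part of the URL is replaced by each server's address when ARR probes it.
Set-WebConfigurationProperty -PSPath $apphost -Filter $hcFilter -Name url           -Value 'http://localhost/health.htm'
Set-WebConfigurationProperty -PSPath $apphost -Filter $hcFilter -Name responseMatch -Value 'OK'
Set-WebConfigurationProperty -PSPath $apphost -Filter $hcFilter -Name interval      -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $apphost -Filter $hcFilter -Name timeout       -Value '00:00:05'

# Probe every back-end in the farm the way ARR's monitor does: HTTP 200 AND body match.
$servers = Get-WebConfiguration -PSPath $apphost -Filter "webFarms/webFarm[@name='$farm']/server"
foreach ($s in $servers) {
    try {
        $r = Invoke-WebRequest -Uri "http://$($s.address)/health.htm" -TimeoutSec 5 -UseBasicParsing
        $healthy = ($r.StatusCode -eq 200) -and ($r.Content -match 'OK')
    } catch {
        $healthy = $false    # timeout, refused, or non-2xx: ARR would mark it unhealthy too
    }
    [pscustomobject]@{ Server = $s.address; Enabled = $s.enabled; Healthy = $healthy }
}
```

A back-end showing Healthy = False here is exactly the ‘host online, site broken’ case the article describes, and with the health check set ARR will stop routing to it until the probe passes again.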

Related Articles, References, Credits, or External Links

NA

Deploying a ‘Nano’ Webserver (IIS)

KB ID 0001526

Problem

We’ve had Server Core for a while now, and I’ve never really seen it deployed in anger. Now we have Nano Server. You don’t install this like normal Windows Server distributions, i.e. it’s not an option when you run the install DVD. Originally you had to create the image with PowerShell, but now you can use ‘Nano Server Image Builder‘.

Nano Server is a tiny distribution, and you simply add modules to it, or remove them as required. The thinking is, it’s a smaller attack platform, it’s simpler to patch, and can be managed remotely. If only Linus Torvalds had thought of this years ago? 🙂 

I needed a lightweight web server recently, so I thought I’d have a play with setting up a Nano server, and running IIS.

Solution

Download and install Nano Server Image Builder, (accept all the defaults). When you attempt to run it for the first time it will tell you, that it requires the Windows Assessment and Deployment Kit (ADK), which it will download and install for you, let it do so.

You only need;

  • Deployment tools
  • Windows Preinstallation Environment (Windows PE)

Have a copy of the Windows Server DVD Mounted, (Note: Here I’ve got Server 2016 Datacenter mounted).

Run the image builder > Create a new Nano Server Image > Next > Select the mounted Windows media drive > Next.

Accept the EULA > I’m exporting a VM image > Select the output directory > Choose a size for the virtual hard drive > You can specify another folder for the conversion files, if you are tight for space, I just used the same directory > Next > Next.

Add in the server ‘roles’ required, I only want Web Server (IIS) > Next > Add any additional drivers you want (If you are deploying on VMware add the VMware Tools drivers, see link at bottom of page) > Next > Set the hostname, password and time zone of the Nano server > Next.

(Optionally) Join a domain > Next > Enter the networking details > Next > Create a basic Nano Server Image.

Next > (Oooh look, there’s the PowerShell! Might be worth copying that out for next time!) > Close.

Now you can import the virtual machine onto your favourite hypervisor (it’s obviously in Microsoft .VHD format, so you will need to convert it for VMware or OpenStack or whatever). I just uploaded a simple web page to the inetpub\wwwroot directory to test;

Related Articles, References, Credits, or External Links

Manually Extracting VMware Tools Drivers

Exchange – OWA and ECP Blank Page After Logon

ECP Blank Page KB ID 0001185

Problem

Note: This article is for Exchange 2013, 2016 and 2019; if you are running Exchange 2010 or 2007 see the following article;

Exchange 2010 – Blank OWA Page?

Sometimes this happens after applying updates to Exchange! Firstly make sure all your services are running! From an administrative PowerShell window run the following command;

Get-Service *Exchange* | Start-Service

After making some certificate changes in Exchange 2016 this week, I found that the Outlook Web Access and Exchange Management websites would not work. I was presented with the normal login dialog, but after a successful authentication this happened.

ECP Blank Page: Solution

This happens because the website that runs the ‘Exchange Backend’ has lost the certificate for its https binding.

Open the Internet Information Services Management snap-in > Server-name > Sites > Exchange Back End > Edit Bindings > https (444) > Edit > Select the correct certificate for Exchange.

Then restart the site, or run ‘iisreset’, or simply reboot the server.

Related Articles, References, Credits, or External Links

NA

IIS: Move WWWRoot Folder

KB ID 0001487

Problem

I migrated an IIS website I use for hosting files this week, and realised I’d forgotten how to relocate the wwwroot directory from its default install location on C:\inetpub\wwwroot.

Solution

Firstly, I’m assuming you have installed the IIS role and you already have a wwwroot folder on your C: Drive, (in the above location). If so you can simply copy this folder to your new partition/drive (in my case the E: drive).

Open IIS Manager, Drill down to the Default Web Site > Manage Website > Advanced Settings > Physical Path > Change accordingly > OK.

You can now Stop and Restart the website from within IIS Manager, or run ‘iisreset‘ from command line.

Related Articles, References, Credits, or External Links

NA

Microsoft IIS – Stop Getting Indexed By Search Engines

KB ID 0001352 

Problem

If you have a publicly facing website, and you DON’T want it indexed by the major search engines, then this is the post for you. Why would you want this? Well you might have a development server that you don’t want appearing in people’s search results, or you might be hosting files and folders you want publicly available, but again you don’t want those files and folders showing in people’s Google/Bing search results.

Solution

From ‘Administrative Tools’ open ‘Internet Information Services (IIS) Manager’ > Select the Server > HTTP Response Headers.

Add  > Name = X-Robots-Tag > Value = noindex > OK.

Then from an administrative command window run ‘iisreset’.
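The same header added in PowerShell and then checked from a client’s point of view, as an added example that is not part of the original article. $siteUrl is a placeholder. Bear in mind this header only asks well-behaved crawlers not to index; it does nothing to restrict who can fetch the content, so files you want genuinely private still need access control.

```powershell
# Added example (not from the original article): set X-Robots-Tag: noindex
# server-wide, then confirm the site really sends it. Assumption: $siteUrl
# is a placeholder for your public site.
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/httpProtocol/customHeaders'
$siteUrl = 'https://www.example.com/'   # placeholder

# Add the header at server level unless it is already there.
$existing = (Get-WebConfiguration -PSPath $apphost -Filter $filter).Collection |
    Where-Object { $_.name -eq 'X-Robots-Tag' }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name . `
        -Value @{ name = 'X-Robots-Tag'; value = 'noindex' }
}

# Verify as a client would: the header must be present on a live response.
$resp = Invoke-WebRequest -Uri $siteUrl -Method Head -UseBasicParsing
$tag  = $resp.Headers['X-Robots-Tag']
if ($tag -match 'noindex') {
    "OK: $siteUrl sends X-Robots-Tag: $tag"
} else {
    Write-Warning "$siteUrl is not sending X-Robots-Tag yet (run iisreset and retry)"
}
```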

Related Articles, References, Credits, or External Links

NA

URI Was Validated Successfully But there Was No Friendly Name Returned

KB ID 0001249 

Problem

When attempting to connect a host to a Certificate Enrolment Policy Server it worked but had the following complaint;

WARNING: The URI “https://{Host-Name}ADPolicyPRovice_CEP_{Method}/service.svc/CEP” was validated sucessfully but there was no friendly name returned by the remote machine.


Solution

On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos, (yours may not end with Kerberos) > Application Settings.

Locate the Friendly Name section > Enter a descriptive name for your CEP portal > OK.

Open an Administrative Command Window > Issue an IISRESET command.


Related Articles, References, Credits, or External Links

NA

Certificate Enrolment – URI This ID conflicts with an Existing ID

KB ID 0001248

Problem

When attempting to connect a host to a Certificate Enrolment Policy Server I got this error;

The URI Entered above had ID : “{Random-GUID}”. This ID conflict with an existing ID

Solution

On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos, (yours may not end with Kerberos) > Application Settings.

Open the ID field, and add a character to the end of it > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Related Articles, References, Credits, or External Links

NA

IIS – Cannot Download File From Website (With Extension .xyz)

KB ID 0001223 

Problem

I first saw this problem a few months ago, when I wanted to download some .bin and .pkg files from a web server running IIS, into a Cisco firewall. Then again this week I needed to get a large .iso file into a client’s network so I put it on a publicly accessible web server running IIS, and had the problem again.


Solution

On the IIS server, open administrative tools > Internet Information Services (IIS) Manager > Drill down to the default website > Locate the ‘MIME Types‘ and open them.

You will probably find there is not one for the file extension you cannot download (in this case .iso) > Add one in > Set the MIME type to;

application/octet-stream


Then re-try your download.

Related Articles, References, Credits, or External Links

NA