Add cert to a default (*:443) binding? #349

Closed
gordonfpanam opened this issue Feb 1, 2017 · 5 comments
Comments

@gordonfpanam commented Feb 1, 2017

Server 2012 R2's IIS Manager complains when letsencrypt-win-simple creates certificates and bindings that match existing HTTP bindings: "No Default SSL site has been created. To support browsers without SNI capabilities, it is recommended to create a default SSL site."

I'm investigating how to script the creation or modification of a default HTTPS binding (*:443), and I'd run that script as part of the scheduled task letsencrypt-win-simple creates to auto-renew a certificate. Scripting it should be doable in PowerShell and might be as simple as copying an existing binding to a default binding.

Is this something that makes sense to add to this client? Say when one uses the --san option to make one cert for multiple bindings?

(Hm, this might be a duplicate to issue #330 and the solution might be there.)

@gordonfpanam (Author)
So this might be one way to do it, though it would require the use of a centralized SSL store even if it's on the local computer. letsencrypt-win-simple supports a centralized store so that's fine.

Step one would be to prepare a regular cert or a SAN cert using the help in How to Run. Step two would be to import one of the resulting certs from the central store to the local machine's Personal or WebHosting cert store. Step three would be to create a new web binding while writing the output of Import-PfxCertificate to a variable, and then use that to create a default SSL binding.

So assuming you can run letsencrypt-win-simple.exe within a PowerShell script, a renewal script could look like this:

```powershell
# Renew with the client, then push the renewed certificate onto the default *:443 binding.
c:\letsencrypt-win-simple\letsencrypt.exe --renew --test
Import-Module WebAdministration
# Import the PFX from the central store into the WebHosting store and keep the resulting
# X509Certificate2 object so it can be bound below (path is a placeholder; add -Password if the PFX is protected).
$webservercert = Import-PfxCertificate -FilePath '[centralstore\somecert.pfx]' -CertStoreLocation Cert:\LocalMachine\WebHosting
# Add an https binding with no hostname (*:443). -Name is the IIS site name, assumed here to be 'Default Web Site'.
New-WebBinding -Name 'Default Web Site' -IPAddress '*' -Port 443 -Protocol https
# Items under IIS:\SslBindings are named ip!port; replace any existing default SSL binding.
Set-Location IIS:\SslBindings
if (Test-Path '0.0.0.0!443') { Remove-Item '0.0.0.0!443' }
$webservercert | New-Item '0.0.0.0!443'
```

I was stuck originally trying to read the thumbprint of an already-installed cert. Maybe I could fill $webservercert from a local machine cert... still fighting my way through PowerShell too much to be fancy about it.

@WouterTinus (Member)

Ping to #398, I think we could and maybe should make an installer plugin for the default IIS binding, but maybe also to specific IP addresses as requested in #217.

@WouterTinus (Member)

v1.9.7 will support updating bindings created with the generated certificate outside of the target site.

@WouterTinus (Member)

From #612 the workaround with v1.9.7.

  • Create a separate website with port 80 binding(s) for the domain(s) your OWA is accessible from.
  • Optional: redirect the root of the separate site to https:// for your users
  • Use LEWS to generate a certificate for the separate site
  • Delete the generated https binding(s) from the separate site (as they take priority over your default site)
  • Link the generated certificate to the https bindings of your default site

v1.9.8 should offer a better solution
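An added example, not code from this issue or from the letsencrypt-win-simple project, for the last step of the workaround above (linking the generated certificate to the https bindings of the default site) and for the thumbprint lookup the opener was stuck on. It locates an already-installed certificate by DNS name, creates the hostname-less *:443 binding on the site if it is missing, and associates the certificate with it. The site name 'Default Web Site', the hostname www.example.com and the store Cert:\LocalMachine\My are assumptions; change them to match your server.

```powershell
# Added example: bind an installed certificate to the default (*:443) https binding of an IIS site.
# Assumptions (not from the issue): site 'Default Web Site', hostname www.example.com, store LocalMachine\My.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$DnsName  = 'www.example.com',
    [string]$Store    = 'Cert:\LocalMachine\My'
)
Import-Module WebAdministration

# 1. Pick the newest unexpired certificate whose SAN list contains $DnsName and that has a private key.
#    DnsNameList is the PowerShell-added property on X509Certificate2 that exposes the SAN entries.
$cert = Get-ChildItem $Store |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $DnsName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for $DnsName in $Store" }
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Make sure the site has a default https binding, i.e. no host header: bindingInformation '*:443:'.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq '*:443:' }
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -IPAddress '*' -Port 443
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq '*:443:' }
}

# 3. Associate the certificate with the binding. AddSslCertificate takes the thumbprint and the
#    store name (the leaf of the Cert:\ path, e.g. 'My' or 'WebHosting') and writes the
#    http.sys entry that the IIS:\SslBindings provider exposes as 0.0.0.0!443.
$storeName = Split-Path $Store -Leaf
$binding.AddSslCertificate($cert.Thumbprint, $storeName)

# 4. Show what http.sys now serves to clients that do not send SNI.
Get-Item 'IIS:\SslBindings\0.0.0.0!443' | Format-List IPAddress, Port, Thumbprint, Store
```

Because the script re-selects the newest certificate each time it runs, it can be scheduled after the renewal task and will move the default binding to the renewed certificate without any manual thumbprint copying. Keep in mind that the default binding is what every non-SNI client receives regardless of the hostname it asked for, so the certificate you bind there should carry all names the server is expected to answer on (the SAN certificate the opener mentioned). `netsh http show sslcert ipport=0.0.0.0:443` gives an independent view of the resulting http.sys entry.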

@WouterTinus WouterTinus added this to the v1.9.8 milestone Nov 4, 2017
@WouterTinus (Member)

It's possible now with v1.9.8 to install a manual hostname to the default IIS site.
