Add cert to a default (*:443) binding? #349
So this might be one way to do it, though it would require the use of a centralized SSL store even if it's on the local computer. letsencrypt-win-simple supports a centralized store so that's fine. Step one would be to prepare a regular cert or a SAN cert using the help in How to Run. Step two would be to import one of the resulting certs from the central store to the local machine's Personal or WebHosting cert store. Step three would be to create a new web binding while writing the output of Import-PfxCertificate to a variable, and then use that to create a default SSL binding. So assuming you can run letsencrypt-win-simple.exe within a PowerShell script, a renewal script could look like this:
I was stuck originally trying to read the thumbprint of an already-installed cert. Maybe I could fill $webservercert from a local machine cert... still fighting my way through PowerShell too much to be fancy about it.
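The three steps described in the comment above, as an added PowerShell example that is not the commenter's script and not part of letsencrypt-win-simple. The PFX path, site name, store choice and password prompt are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Assumed values for illustration; none of them come from the thread.
$PfxPath   = 'C:\CentralSSL\www.example.com.pfx'  # hypothetical PFX in the central store
$SiteName  = 'Default Web Site'                   # hypothetical site to carry the *:443 binding
$StoreName = 'WebHosting'                         # 'My' selects the Personal store instead
# Interactive prompt; a scheduled task would read the password from a protected source.
$PfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

# Step two: import into the local machine store and keep the certificate that
# carries the private key (a PFX may also contain chain certificates).
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPass `
            -CertStoreLocation "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Refuse to bind something that cannot serve TLS or is already expired.
if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath" }
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}

# The default binding is *:443 with an empty host header.
function Get-DefaultSslBinding {
    Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq '*:443:' }
}

# Step three: create the default binding if it does not exist yet.
# SslFlags 0 means no SNI requirement, so non-SNI clients reach this binding.
$binding = Get-DefaultSslBinding
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -SslFlags 0
    $binding = Get-DefaultSslBinding
}

# On renewal the binding already holds the previous certificate; swap it out
# instead of letting AddSslCertificate fail on the existing association.
if ($binding.certificateHash -eq $cert.Thumbprint) {
    Write-Output "Default binding already uses $($cert.Thumbprint)"
} else {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, $StoreName)
    Write-Output "Default binding on '$SiteName' now uses $($cert.Thumbprint)"
}
```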
v1.9.7 will support updating bindings created with the generated certificate outside of the target site.
From #612 the workaround with v1.9.7.
v1.9.8 should offer a better solution
It's possible now with v1.9.8 to install a manual hostname to the default IIS site.
Server 2012 R2's IIS Manager complains when letsencrypt-win-simple creates certificates and bindings that match existing HTTP bindings: "No Default SSL site has been created. To support browsers without SNI capabilities, it is recommended to create a default SSL site."
I'm investigating how to script the creation or modification of a default HTTPS binding (*:443), and I'd run that script as part of the scheduled task letsencrypt-win-simple creates to auto-renew a certificate. Scripting it should be doable in PowerShell and might be as simple as copying an existing binding to a default binding.
Is this something that makes sense to add to this client? Say when one uses the --san option to make one cert for multiple bindings?
(Hm, this might be a duplicate to issue #330 and the solution might be there.)