Creating Let’s Encrypt Certificates on Windows with Win-Acme

Let’s Encrypt offers free SSL certificates to protect the traffic between your website and your visitors. Earlier this year I wrote about the hoops you need to jump through to use those certificates on Azure. This post shows you a way to use Let’s Encrypt certificates on your on-premises servers.

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

There are many ACME clients for Linux and a handful for Windows. We looked at the available clients and settled on win-acme. Our main reasons were that it is actively developed, offers a command line interface for automation and supports Serilog (and Seq).

All you need to do is to download the newest release, copy it to your web server, unzip it and run it. If you do not specify any arguments, win-acme will show you a minimalistic user interface:

win-acme start screen

You can go through those options and create a certificate for a single domain or generate a Subject Alternative Name (SAN) certificate for all domains on this server. Every step offers a short but good explanation and has a sensible default value. It should be no problem to create exactly what you need.

The documentation looks good, but as soon as you try the unattended mode, you run into unclear advice and missing options. You may therefore be faster using the user interface instead of the command line.

The most important aspect of any ACME client is the automatic renewal of the certificate. win-acme creates a single scheduled task to renew all certificates on a server. As soon as you create the first certificate, this task does all the work to renew your certificates when they get too old – with enough remaining time that you can fix it manually should something go wrong.
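A defender's health check for the renewal behaviour described above, added here as an example that is not part of the original post or of the win-acme project. It assumes the scheduled task name begins with "win-acme renew" (win-acme's default naming; check what Get-ScheduledTask shows on your server), that the certificates live in the LocalMachine\My store, and that 20 days is an arbitrary warning threshold you can adjust:

```powershell
# Added example (not from the original post or win-acme): verify that the
# win-acme renewal task is present and healthy and that no Let's Encrypt
# certificate in the machine store is getting close to expiry.
param(
    [int]$WarnDays = 20   # assumption: warn when fewer than 20 days remain
)

$now = Get-Date
$problems = @()

# 1. Find Let's Encrypt-issued certificates and flag those nearer to expiry
#    than a working renewal task should ever let them get.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" }

foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $names = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    if ($daysLeft -le $WarnDays) {
        $problems += "Certificate for $names expires in $daysLeft days (NotAfter $($cert.NotAfter))"
    }
}

# 2. Verify the renewal task exists, is enabled and its last run succeeded.
#    Task name pattern is an assumption based on win-acme's default naming.
$tasks = Get-ScheduledTask -TaskName 'win-acme renew*' -ErrorAction SilentlyContinue
if (-not $tasks) {
    $problems += "No scheduled task matching 'win-acme renew*' found; automatic renewal will not run"
}
foreach ($task in $tasks) {
    if ($task.State -eq 'Disabled') {
        $problems += "Task '$($task.TaskName)' is disabled"
    }
    $info = $task | Get-ScheduledTaskInfo
    if ($info.LastTaskResult -ne 0) {
        $problems += "Task '$($task.TaskName)' last run returned 0x{0:X} at {1}" -f $info.LastTaskResult, $info.LastRunTime
    }
}

# Non-zero exit lets a monitoring agent or another scheduled task pick this up.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $($certs.Count) Let's Encrypt certificate(s) healthy, renewal task present"
```

Run it from an elevated PowerShell session, since reading the machine store and querying scheduled tasks require administrative rights.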

To prevent you from creating certificates for domains you do not own, Let’s Encrypt demands proof that you control the domain. In win-acme you can use various ways to deliver this proof. The simplest way is to use the HTTP validation over port 80. If this is not possible, you can use DNS validation. I had no need to try it, but it should be possible to create a CAA record in your DNS server as another way to prove ownership.


Conclusion

If you want to use Let’s Encrypt, you need an automated and reliable way to renew your certificates. The little tool win-acme offers exactly that. It is flexible enough to support all your needs and easy enough so that you can understand what is going on. Try it!
