Free SSL Certificate with Let’s Encrypt

A FREE SSL Certificate from Let’s Encrypt solves one of the common challenges with testing out MyworkDrive

A common question that comes up when clients trial or deploy a proof of concept with MyWorkDrive is whether they need to use HTTPS and bind an SSL/TLS certificate.

We emphatically say yes, for a few reasons

1) You’re probably trialing with a subset of real data. Even if you’re not, there’s a chance an employee may test with real data out of scope and put that data at risk.

2) You’re going to want to test firewall and security rules as part of your test.

3) You’re going to want a realistic performance test, and https traffic is, typically, a little slower due to the security.

Another argument in the favor of using HTTPS and an SSL/TLS certificate is that the MyWorkDrive clients don’t accept Self Signed certificates, so you’re going to want to apply an SSL/TLS certificate to your MyWorkDrive server if you want to test our Map Drive and Mobile clients.

The the question, of course, where to get a certificate? Some organization will have a wildcard cert, but, getting permission to it may be a challenge. More commonly, we’ll hear that the certificate is only good on the webserver, or that getting permission to spend even the $20 a discount SSL certificate costs is a challenge.

Some organizations aren’t even aware of discount SSL providers (and then you do a web search and discover there are thousands, how do you choose a good one and avoid getting your credit card hacked in the process?)

 

 

The good news is, you can get a valid FREE SSL certificate FOR FREE for no more work than generating a CSR in IIS from Let’s Encrypt, with zero risk of a comprimised credit card and avoiding all the approval challenge in getting a certificate for your poc/trial.

Let’s Encrypt isn’t a scam. Its a non-profit with backer’s you’ve likely heard of – EFF, Cisco, Facebook, Google, Stanford University, University of Michigan and Mozilla.

Let’s Encrypt is pretty simple to execute, but most of the tutorials and literature you’ll find out there refer to implementations in Linux or other open source hosting platforms. There aren’t a lot of tutorials written for Microsoft IIS, but Windows clients do exist and we’ll walk you through using one of the easier to use examples.

SSL Certificate Setup on IIS with Let’s Encrypt

You’ll start with a DNS Entry mapped to an IP (Cname, A Record) and Port 80 and 443 mapped/open and bound to the WanPath.Webclient website on your MyWorkDrive server.

You run a small app (called an Acme client) on your server which does a challenge-response to validate your server, then downloads and even binds the certificate for you.

That’s it!

If there’s any negative, its that the certificates are only valid for 90 days before you have to renew them. But, renewal is as simple as running the client again (and many clients will automatically schedule renewals in Windows Scheduler!).

Oh, and most of the clients run in dos – but they’re fairly straight forward – no complicated paths or case-sensitive strings to type.

Lets walk through a real life example.

  • We’re going to secure the MyWorkDrive server for myworkfolders.net.
  • We’ve installed MyWorkDrive on a server on our domain.
  • We’ve opened Port 80 and Port 443 inbound to our server.
  • We’ve added a DNS entry for fileshare1.myworkfolders.net to DNS, pointed at our new server.

From here, the following steps are completed on the server hosting MyWorkDrive.

We’ll start by editing the bindings in IIS on the MyWorkDrive server to map the port 80 on the WanPath.WebClient site to fileshare1.myworkfolders.net.  At this point, you should be able to access the MyWorkDrive server at http://fileshare1.myworkfolders.net, if you have not marked “require SSL” in settings.

 

We’re going to use the Win-Acme client from PKI Sharp as our client on Windows to access LetsEncrypt. Its available for download as a .zip from https://pkisharp.github.io/win-acme/ There are many other clients available and you may find one you like better. This one just happens to be one we’ve used reliably over the past few years.

We’re going to download version 2.1.0 64-bit pluggable, which is marked Recommended.  You should take the most current version available at the time you download.

 

Once its downloaded, extract it and store it in your favorite location for apps. Remember, you may need this again to renew the certificate in 90 days, so do not discard it. We created a new folder c:\Win-Acme

Launch a command prompt as Administrator and browse to the folder you saved Win-Acme in. Run wacs.exe. It will launch a dos window with a list of questions.

Select N: Create new certificate (simple for IIS)

 

It will prompt you to ask you want to bind.
Select 1: Single binding of an IIS website

You’ll get a list of the websites on your server (which should only be a single SiteId since we only set port 80 on one website). Choose the option with the domain name, in our case 2: fileshare1.myworkfolders.net (SiteId 4)

 

When prompted, enter your email.  The Win-acme client will send you reminder emails to renew your site.

 

TOS – we have experienced trouble getting these to open in the default application as offered. When we said yes the program crashed. Review the terms at the URL printed on screen, and if you have trouble opening them with the default application like we did, go ahead and say NO to the prompt to open them.  If you do say yes and the program crashes, just run it again repeating the same steps until you get to this screen, where you should say No to continue.

 

Agree to the terms when prompted, assuming you’ve reviewed them and they are acceptable.

Win-Acme will then run through the authorization and explain what it has done. In our case, it added new https binding for port 443 as we expected, and then it scheduled a renewal in the scheduler.

Go ahead and select Q to quit, and lets take a look in IIS to verify it added the binding.

Open IIS, open the WanPath.WebClient site and click on Bindings. You should see that an HTTPS entry has been added for your site – in our case fileshare1.myworkfolders.net

 

If you edit the binding, you can use the view option to have a look at the certificate and see the details.

Lets jump on a website on our desktop and see if our site is now available via HTTPS

Looks good. No errors about the certificate, Chrome is showing a lock symbol. You can click into the lock symbol and double check the details.

And thats it! It took longer to read this blog posting than it would to secure your site.

Lets Recap – Let’s Encrypt SSL Certificate Setup steps

Install MyWorkDrive
Set DNS
Open/Map Firewall Ports
Bind your DNS name in IIS
Download Win-Acme
Run Win-Acme
Answer 6 questions
You’re all set! Your Free SSL Certificate is added and bound automatically.

 

Not using MyWorkDrive, but want to use Lets Encrypt and Win-Acme to secure other IIS hosted sites with a Free SSL Certificate? Just follow these directions except at the step where you’re choosing MyWorkDrive, choose the site you want to secure.

Note that at this point you can remove or block the binding for port 80 and just leave port 443 open inbound, however, the Lets Encrypt Win-Acme Free SSL certificate renewal will fail without port 80 being open/mapped. You may want to make a calender event reminder to manually process the renewal in 85 days or so and re-open port 80 temporarily if you are keeping it closed.

Or, just leave Port 80 open and set the “require SSL” option in MyWorkDrive settings.

 

Using a Free SSL Certificate from Let’s Encrypt on IIS?  Drop us a note on Social and let us know how its going for you!