
Automating Free SSL Encryption with Let’s Encrypt and the ACME Protocol

SSL encryption doesn’t have to be expensive, time-consuming, or both! In fact, it can be completely free and automated with tools like Let’s Encrypt or Google Trust Services.

There are straightforward tools for both Windows and Linux that use the ACME Protocol (Automatic Certificate Management Environment). Basically, they work by verifying domain ownership through either HTTP or DNS verification before issuing a certificate. That’s the simplified version, but if you’re curious, you can dive deeper into the process at RFC 8555 – Automatic Certificate Management Environment (ACME).

The simplest option for verification is HTTP validation wherever it is possible. However, it does require port 80 to be open, so that the challenge file the client creates can be read by the certificate authority before the certificate is issued. It raises an interesting question: what came first—the SSL certificate or the verification file?
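To make the "verification file" concrete, here is an added example (not from this post, win-acme or Certbot) that builds and checks the HTTP-01 key authorization the ACME server fetches over port 80, as defined in RFC 8555 and RFC 7638; the account key and token it uses are constructed samples, not real values.

```python
"""Offline check of an ACME HTTP-01 challenge response (RFC 8555, section 8.3).
The CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80
and compares the body with the key authorization:
  <token> "." base64url(SHA-256(JWK thumbprint of the ACME account key))
The thumbprint follows RFC 7638: required members only, sorted, no whitespace.
The account key and token below are constructed samples, not real ones.
"""
import base64
import hashlib
import json
import re

CHALLENGE_PATH = "/.well-known/acme-challenge/"
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet, no padding


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint over only the required members of the key type."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact content the challenge file must serve."""
    if not _TOKEN_RE.match(token):  # CA tokens are base64url; refuse anything else
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def response_is_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """Mimic the CA's check: exact match, ignoring trailing whitespace (RFC 8555)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


# Constructed sample account key (public part only) and token: NOT real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
SAMPLE_TOKEN = "sample-token-from-the-ca_0123456789"

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"serve {ka!r} at http://<domain>{CHALLENGE_PATH}{SAMPLE_TOKEN}")
```

If the file your ACME client writes does not match this value exactly, or port 80 is not reachable from the internet, the CA rejects the challenge and no certificate is issued.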

Alternatively, you can use DNS verification, and the two tools I’ll be highlighting further down support this. I highly recommend Cloudflare for DNS management—it offers the best support for DNS verification with these tools.

The first useful tool is win-acme, for Windows! This lightweight client is perfect for automating with IIS, Exchange, and RDS. Right out of the box, it works seamlessly with IIS.

I recommend downloading and unpacking the tool to your C drive—C:\winacme. From there, just run the wacs.exe program as Administrator, and you’ll be prompted with a window like this:

From here, simply follow the prompts. You’ll be asked which sites/bindings you’d like to secure, and towards the end, it will prompt you for the renewal cycle. Sticking with the default options for IIS is the key to success, as they’ll be highlighted in green.

The next beneficial options are for RDS and Exchange. Instead of rewriting the steps, you can find the instructions here:

https://www.win-acme.com/manual/advanced-use/examples/exchange

https://www.win-acme.com/manual/advanced-use/examples/rds

For Linux or macOS, I recommend using CertBot. It works perfectly with most applications, especially Apache and NGINX. You can find the instructions for setting up the required automation at Certbot Instructions | Certbot.

Both of these tools use Let's Encrypt by default, but they can be adapted to work with Google Trust Services.

As long as you have HTTP on port 80 listening, HTTP verification works very well with the tools above!
