Network Guys

Share your knowledge!

Free SSL certificate from Let’s Encrypt!


I’m using an Intel Compute Stick with a USB 3.0 hard disk as my “home server”. The stick comes with Windows 10 pre-installed.

I installed Serviio for streaming to my Samsung TV, and XAMPP to run my ownCloud (8.0.x). In the past I used a self-signed certificate for HTTPS, but I wanted a free certificate that every browser trusts. Let’s Encrypt offers exactly this, for free!

The enrollment is very easy and I want to show you how I did it. The Windows XAMPP package runs an Apache web server. There’s a Windows tool that can request a ready-to-use certificate for it. You can download this tool here: letsencrypt-win-simple

In this example we use “castle.myhomeaddress.com”. Your web server also needs to be reachable over plain HTTP (TCP 80), so forward this port to your internal web server. Let’s Encrypt verifies that the domain you request actually points to a running web server under your control (the http-01 challenge) to prevent abuse. If your web server isn’t reachable, you will get this error:

Authorization Result: invalid

******************************************************************************
The ACME server was probably unable to reach http://castle.myhomeaddress.com/.well-known/acme-challenge/G4MU0y0xrBdEX4vQotqBNW6q_mW6sqAkrIE1rT5auR8

Check in a browser to see if the answer file is being served correctly.

******************************************************************************
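A quick pre-flight check for the http-01 challenge before running the client, as an added example (not part of the original post or of letsencrypt-win-simple): it writes a throwaway token under the same webroot the client uses, fetches it through the public hostname and reports which of the failure cases above applies. Webroot and hostname are the example values from this post.

```python
import os
import secrets
import urllib.error
import urllib.request

WEBROOT = r"C:\xampp\htdocs"           # the folder passed to --webroot in the post
HOSTNAME = "castle.myhomeaddress.com"  # example hostname from the post

def write_token(webroot, token=None):
    """Create .well-known/acme-challenge/<token> under the webroot, as the client does."""
    token = token or secrets.token_urlsafe(32)
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as f:
        f.write(token)           # body is the token itself, enough to spot a wrong answer
    return token, path

def challenge_url(hostname, token):
    return f"http://{hostname}/.well-known/acme-challenge/{token}"

def fetch(url, timeout=10):
    """Plain-HTTP GET; returns (status, body), with status None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def check_challenge(webroot, hostname, fetcher=fetch):
    """Return 'ok' or a short diagnosis matching the error the ACME client prints."""
    token, path = write_token(webroot)
    try:
        status, body = fetcher(challenge_url(hostname, token))
    finally:
        os.remove(path)          # never leave stray files in the challenge directory
    if status is None:
        return "unreachable: port 80 is not forwarded or Apache is not running"
    if status != 200:
        return f"HTTP {status}: the .well-known path is not served from this webroot"
    if body.strip() != token:
        return "wrong body: another host or a redirect answered instead of this webroot"
    return "ok"

if __name__ == "__main__":
    print(check_challenge(WEBROOT, HOSTNAME))
```

Run it from the same administrative prompt; only "ok" means the ACME server will see the answer file.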

Extract the archive to your hard disk and open a command prompt with administrative rights. Change to the folder (for example C:\letsencrypt) and run the exe like this:

letsencrypt.exe --manualhost castle.myhomeaddress.com --webroot C:\xampp\htdocs


A correct procedure will look like this:

Let's Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-staging.api.letsencrypt.org/
Config Folder: C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org
Certificate Folder: C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org
Loading Signer from C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\Registration
Authorizing Identifier castle.myhomeaddress.com Using Challenge Type http-01
Writing challenge answer to C:\xampp\htdocs\.well-known/acme-challenge/KYhSTwaDTg_c1GFyMLDJFc5WPkTsdsfwef9Ncc8cAIs1LeTE
Answer should now be browsable at http://castle.myhomeaddress.com/.well-known/acme-challenge/KYhSTwaDTg_c1GFywefbvDJFc5WPertfofvf9Ncc8cAIs1LeTE
Submitting answer
Refreshing authorization
Authorization Result: valid

Requesting Certificate
Request Status: Created
Saving Certificate to C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\castle.myhomeaddress.com-crt.der
Saving Issuer Certificate to C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\ca-008BE12wrwerfwe944ED3C546431F097614FE5-crt.pem
Saving Certificate to C:\Users\YourMama\AppData\Roaming\letsencrypt-win-simple\httpsacme-staging.api.letsencrypt.org\castle.myhomeaddress.com-all.pfx

Do you want to install the .pfx into the Certificate Store/ Central SSL Store? (Y/N) y
Opened Certificate Store "My"
Adding Certificate to Store
Closing Certificate Store
Do you want to add/update the certificate to your server software? (Y/N) y
WARNING: Unable to configure server software.
Opened Certificate Store "My"
Closing Certificate Store

Do you want to automatically renew this certificate in 60 days? This will add a task scheduler task. (Y/N)
Creating Task letsencrypt-win-simple httpsacme-staging.api.letsencrypt.org with Windows Task Scheduler at 9am every day.

Do you want to specify the user the task will run as? (Y/N) n
Renewal Scheduled Manual castle.myhomeaddress.com (C:\xampp\htdocs) Renew After 17.02.2017


The wizard imported the certificate into the local certificate store and also saved the files in a sub-folder of your roaming profile. It also created a daily task, which you can find under “Administrative Tools / Task Scheduler”:

The two tasks run the following commands:

letsencrypt.exe --renew --baseuri "https://acme-staging.api.letsencrypt.org/"
letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/"


You can also create this task yourself, fold it into other scheduled jobs, or use a crontab on Linux systems. The certificate is only valid for 90 days, but this task re-requests a new certificate automatically. Note that the sample output above was produced against the staging server (acme-staging); certificates from staging are signed by a test CA that browsers do not trust, so for a live site the client must run against the production server (acme-v01, the second of the two renewal commands). Our website is now secured with a valid and trusted SHA2 certificate.

Now stop the Apache service in the XAMPP control panel and open httpd-ssl.conf:

Go to “<VirtualHost _default_:443>” and put a hash sign (#) in front of the existing SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile lines to comment them out. Then add entries like these:

# Let's Encrypt
ServerAdmin webmaster@myhomeaddress.com
ServerName castle.myhomeaddress.com

# Send requests that arrived under another host name to the canonical name
# (dots escaped so the pattern matches the literal host name only)
RewriteEngine On
RewriteCond %{HTTP_HOST} !^castle\.myhomeaddress\.com$ [NC]
RewriteRule ^/?(.*)$ https://castle.myhomeaddress.com/$1 [NE,L,R=301]

# Keep the challenge directory reachable so the scheduled renewals keep working
Alias /.well-known "C:/xampp/htdocs/.well-known"

# Certificate, key and issuer chain written by letsencrypt-win-simple (production server folder)
SSLEngine on
SSLCertificateFile "C:/Users/YourMama/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/castle.myhomeaddress.com-crt.pem"
SSLCertificateKeyFile "C:/Users/YourMama/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/castle.myhomeaddress.com-key.pem"
SSLCertificateChainFile "C:/Users/YourMama/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-<ID>-crt.pem"


Adjust the paths to your actual location. Start the Apache service again and check that your server is reachable via HTTPS.

Don’t hesitate to ask for help if you have any further questions! Have a nice day!
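After the switch, a verified TLS connection tells you more than a browser padlock. This is an added example (not from the post): it validates the chain against the system trust store, prints issuer and expiry, and flags a certificate that the 60-day renewal task above should already have replaced, using the 90-day lifetime the post mentions. The hostname is the post's example value.

```python
import socket
import ssl
from datetime import datetime, timezone

HOSTNAME = "castle.myhomeaddress.com"  # example hostname from the post
RENEW_AFTER_DAYS = 60                  # renewal period the wizard configured
VALIDITY_DAYS = 90                     # Let's Encrypt certificate lifetime

def days_left(not_after, now=None):
    """Days until expiry; not_after is the string ssl.getpeercert() returns,
    e.g. 'Feb 17 10:00:00 2017 GMT'."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days

def renewal_overdue(not_after, now=None):
    """True once the cert is older than RENEW_AFTER_DAYS, i.e. the scheduled task did not run."""
    return days_left(not_after, now) < VALIDITY_DAYS - RENEW_AFTER_DAYS

def fetch_cert(hostname, port=443):
    """Return the peer certificate; raises ssl.SSLCertVerificationError when the chain
    is untrusted (staging-issued cert, or SSLCertificateChainFile not being served)."""
    ctx = ssl.create_default_context()   # system trust store, hostname check enabled
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    cert = fetch_cert(HOSTNAME)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    print("issuer:", issuer.get("organizationName"), "| expires:", cert["notAfter"])
    print("days left:", days_left(cert["notAfter"]),
          "| renewal overdue:", renewal_overdue(cert["notAfter"]))
```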

6 Responses

  1. Hi Michel, I am very thankful I found your tutorial as there is nothing else I have found specifically for xampp and Let's Encrypt. However I am not so successful as yourself. When I type in the commands as you describe I get a list of options instead of how you described… it reads as follows:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Studio>cd c:\letsencrypt

    c:\letsencrypt>letsencrypt.exe manualhost pxxxxo.xxx webroot C:\xampp\htdocs4

    [INFO] Let’s Encrypt Windows Simple (LEWS)
    [INFO] Software version 198.4.6605.15190 (RELEASE)
    [INFO] IIS not detected
    [INFO] ACME Server https://acme-v01.api.letsencrypt.org/
    [INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

    M: Create new certificate with advanced options
    L: List scheduled renewals
    R: Renew scheduled
    S: Renew specific
    A: Renew *all*
    V: Revoke certificate
    C: Cancel scheduled renewal
    X: Cancel *all* scheduled renewals
    Q: Quit

    Please choose from the menu: m

    [INFO] Running in Advanced mode

    1: Single binding of an IIS site
    2: SAN certificate for all bindings of an IIS site
    3: SAN certificate for all bindings of multiple IIS sites
    4: Manually input host names
    C: Cancel

    Which kind of certificate would you like to create?:

    this is where I get stuck… I do not have IIS so not sure how to proceed. But since this looks so different from what you described I thought you might have some suggestions.

    Thanks

    1. I think you can choose the first one because it will export the files to your Apache server. There you need to configure your Apache configuration to use this certificate.

  2. Hi Michel,
    Thank you for the tutorial.
    It also failed for me at first. It seems we should have double dashes instead of single ones for parameters. Also, we might need to specify a folder if our website is not at the root, but in a folder of HTDOCS:

    Currently:
    letsencrypt.exe –manualhost castle.myhomeaddress.com –webroot C:\xampp\htdocs

    Might be:
    letsencrypt.exe --manualhost castle.myhomeaddress.com --webroot C:\xampp\htdocs

    1. Hi Romain,

      I corrected the statements into “code” snippets in this blog. There was a problem with double minus symbols. Thanks!
