Just a quick thank you for the Let's Encrypt install guide!
https://server-essentials.com/support/get-a-free-lets-encrypt-certificate-anywhere-and-automatically-renew-it
Went very smoothly, and the screen shots really help to make things clear.
One tiny update: Certify the Web 4.1.5 apparently now makes auto-renewal the default, so the screens in section 4 look a bit different. Also, I wasn't clear on when the PowerShell script is run until I installed Remote Desktop Gateway Manager to confirm that the Let's Encrypt cert was already applied to the gateway. Apparently that PowerShell script auto-runs on future renewals?
Also, BTW, this site's engine is pretty awesome: the expanding instruction sections, nice forum software, ...
Quick follow-up. My cert auto-renewed for the first time yesterday but the RDS Gateway didn't re-bind. I found there is an extra step to get the post-install hook to run: you have to add the script to the Certify the Web dashboard under Advanced Settings. Then I found that there is a bug that prevents the post-install hook from running if your PowerShell policy restricts remote script execution. The poster there suggested a workaround. More details here:
https://www.mcbsys.com/blog/2019/05/certify-the-web-on-server-2016-with-essentials/
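For anyone wiring up the same hook, here is an added example of a Certify the Web post-request script that rebinds RD Gateway and verifies the result; it is not the guide's script. It assumes CTW passes a `$result` object exposing `IsSuccess`, `Message` and `ManagedItem.CertificateThumbprintHash`, and that the RemoteDesktopServices module (with its `RDS:` drive) is available because the RD Gateway role is installed.

```powershell
# Added example: Certify the Web post-request hook that binds the renewed
# certificate to RD Gateway only after checking the renewal actually succeeded.
# Assumed: $result.IsSuccess / $result.Message / $result.ManagedItem.CertificateThumbprintHash
# are populated by Certify the Web when it invokes this script.
param($result)

if (-not $result.IsSuccess) {
    # A failed renewal must not disturb the binding that is currently working.
    Write-Output "Renewal failed, leaving RD Gateway binding unchanged: $($result.Message)"
    return
}

$thumb = $result.ManagedItem.CertificateThumbprintHash

# Confirm the renewed certificate really landed in the machine store before binding it.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "Certificate $thumb not found in Cert:\LocalMachine\My; nothing bound."
}

Import-Module RemoteDesktopServices

# Assumed: the RDS: provider exposes the current value via .CurrentValue.
$current = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
if ($current -eq $thumb) {
    Write-Output "RD Gateway already uses $thumb; no change needed."
    return
}

# Point RD Gateway at the new certificate and restart the service so it is served.
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $thumb
Restart-Service TSGateway

# Re-read the setting so a silent failure shows up in the CTW log rather than at expiry.
$after = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
if ($after -ne $thumb) {
    throw "RD Gateway still reports $after after rebind; investigate before the old cert expires."
}
Write-Output "RD Gateway now serves $($cert.Subject), valid until $($cert.NotAfter)"
```

Because the hook writes its output to the CTW request log, a thrown error there is the earliest place a missed rebind will be visible.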
I will rewrite that guide and also include your suggestion. In addition to this, I will add a chapter on Let's Encrypt and Exchange Server 201x
Hmm, okay today I have a BPA warning stemming from the hostname added in the procedure:
Problem: A host name is assigned for port 80 on the default website. Impact: If a host name is assigned for port 80 on the default website, you may not be able to connect to some Windows Server Essentials web applications. A host name is not required and is not recommended in this situation.
I removed remote.mydomain.com from IIS bindings and checked Certify The Web (CTW) under Certificate Domains. The domain was still listed.
I clicked Refresh. CTW re-read the IIS bindings, removing remote.mydomain.com and adding servername.
I deleted servername, manually typed remote.mydomain.com, and clicked Add Domains. remote.mydomain.com re-appeared in the list.
Hopefully that will "stick" there for the renewals, without the IIS binding.
Thanks Mark! I am doing my best to make this a nice place for us :)
Yes, I am aware of the differences between the new Certify the Web version and the one I used when I wrote that guide a few months ago. You can tell CTW to not bind the certificate after a renewal, see screenshot.
Thanks Mariëtte. However I don't think that's what we want--if the new certificate is only placed in the Certificate Store, then it will not be served by https://remote.numinous-travel.com, right? The IIS binding must be updated with the new certificate.
Here's what I am trying:
It remains to be seen if (1) Let's Encrypt will re-issue a cert when it can't access port 80 (the original verification method) and (2) whether re-binding in IIS is enough to also re-bind for RD Gateway.
I see what you mean. As a matter of fact, I do not use http verification anymore. I have all my domains at Cloudflare and use their API to directly update DNS records. No need for any binding at port 80. Looks like the guide needs a bit more retouching and updating.
Yeah I may need to switch to DNS too, though I'd need to do a manual update. We'll see how the automated thing works when the cert expires.