How to: Set up a free Let's Encrypt SSL certificate for Umbraco

Google and a number of other major parties are pushing for a fully encrypted internet so that the privacy and security of internet users are protected as much as possible. You encrypt your website with an SSL certificate.

You will then see a lock with the label "Secure" (in Chrome) in your browser's address bar. You can read more about why you should switch to https in an earlier blog post. In this article you can read how to apply for a free SSL certificate from Let's Encrypt and set it up for Umbraco.

Let’s Encrypt SSL

Let's Encrypt is an initiative of the Internet Security Research Group (ISRG), supported by major parties such as Mozilla, Cisco, and the US civil-rights organization EFF. The service makes it possible to create free SSL certificates. The certificates are valid for a maximum of 90 days, after which they must be renewed. The relatively short lifetime has two reasons: it encourages the automation of certificate issuance, and it lets the organization respond quickly to changes. This is particularly relevant because several Certification Authorities, such as WoSign and the Dutch DigiNotar, have recently had bad press.

In the short time Let's Encrypt has existed, more than 24 million certificates have already been issued, and this number is expected to increase sharply in the coming year. So will your Umbraco website soon have https as well? You will read how to do that below.

Letsencrypt-win-simple

To use Let's Encrypt you need a tool on your web server. For Linux there is the officially supported Let's Encrypt certbot tool. For Windows there are various third-party tools. In this example we use the easy-to-install letsencrypt-win-simple tool.

Configure your Umbraco website as follows:

  1. Download letsencrypt-win-simple and extract the files into c:\encrypt-win-simple\ on your web server.

  2. Open web.config and add the .well-known folder to umbracoReservedPaths.
    <add key="umbracoReservedPaths" value="~/umbraco,~/install/,~/.well-known/" />

  3. Start PowerShell as Administrator and launch the tool:
    C:\encrypt-win-simple>letsencrypt.exe

  4. Select the domain for which you want to generate an SSL certificate from the list.

  5. Finally, the tool asks under which user account the scheduled task should run that automatically renews the certificates every 3 months. You can create an account specifically for this or use the default Administrator account by selecting "N".

How does the tool work?

Let's Encrypt is based on the ACME protocol. The ACME protocol uses a DNS entry or a static web page on the domain to verify that you own that domain. The configuration example given here works with a static page as follows:

  1. The tool submits a request for the SSL certificate.

  2. The server indicates that a specific file must be created for authentication.

  3. The tool creates this specific file, which can be found in the .well-known directory.

  4. The file will be checked and the SSL certificate is issued.
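
Steps 2 to 4 above, sketched in Python as an added example (this is not code from letsencrypt-win-simple). It assumes the HTTP-01 challenge layout of RFC 8555 and the JWK thumbprint of RFC 7638; the account key, the token and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed sample values: not a real account key or CA token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate",
               "y": "constructed-y-coordinate", "kid": "not-part-of-thumbprint"}
TOKEN = "constructed-token-0001"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """File content: the token bound to the account key that requested it."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def write_challenge(webroot: Path, token: str, jwk: dict) -> Path:
    """Client side (step 3). The token becomes a file name, so reject anything
    outside the base64url alphabet before touching the disk."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    path = webroot / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, jwk), encoding="ascii")
    return path

def ca_validates(served_body: str, token: str, jwk: dict) -> bool:
    """CA side (step 4): trailing whitespace is ignored, nothing else."""
    return served_body.rstrip() == key_authorization(token, jwk)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as webroot:
        body = write_challenge(Path(webroot), TOKEN, ACCOUNT_JWK).read_text("ascii")
    other_account = dict(ACCOUNT_JWK, x="constructed-other-account")
    return {"same_account": ca_validates(body, TOKEN, ACCOUNT_JWK),
            "other_account": ca_validates(body, TOKEN, other_account)}

if __name__ == "__main__":
    print(demo())
```

Because the file content includes the thumbprint of the requesting account key, a challenge file only validates for the ACME account that asked for the certificate.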

Redirect http to https in IIS

Your certificate is now ready for use and letsencrypt-win-simple ensures that it will automatically be updated every 90 days. But you are not there yet. A redirect must be set so that all website visitors always use the secure connection. You can do that in IIS.

Download the IIS 'URL Rewrite' module and add the following code to the web.config:

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Redirect to HTTPS" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>

Open your browser and visit your website. If you have completed all the steps correctly, you will see the green lock in the address bar. Your Umbraco website has been encrypted!

Evaluation

There are pros and cons to using Let's Encrypt and the letsencrypt-win-simple tool. Below is our experience.

Benefits:

  • Free and good alternative to paid 'Domain Validated' certificates
  • Easy to implement
  • Easy to run with the tool

Disadvantages:

  • The letsencrypt-win-simple tool has not been updated in recent months. It is possible that when Let's Encrypt changes the application process the tool will no longer work properly.
  • Let's Encrypt certificates are not yet an alternative to Organization Validated and Extended Validation certificates.