Installing the Lets Encrypt certificate using Win-ACME v2 on Windows Server.

Let’s Encrypt is an issuer of free SSL certificates, went into operation at the end of 2015. The CA certification authority for free certificates enjoys great popularity, initially for Linux, it is now also available for Windows. Win-ACME 2 can also largely automate the management of SSL/TLS certificates.

How to Install Win-ACMEv2

ACMEv2 does not include a setup for installation. The win-acme package is downloaded from here to the server and unpacked into any directory. The directory should not be modified after that because the path is needed for recertification.

As with the previous version, the current version is a command-line tool with menus, so that it can also be run under Server Core. win-acme is started by calling wacs.exe.

Request Lets Encrypt Certificate

When you interactively request a certificate with win-acme via Simple Mode, the process is largely the same as with the previous version 1. This example runs Win-ACME 2 on a Windows Server 2019 with the IIS role.

To verify the domain, this is where the binding is configured from the Internet Information Services (IIS) Manager – InetMgr.exe.

Run win-acme on Windows Server to create certificate

After running wacs.exe select the option No to create a new certificate with the default settings. win-acme searches for the bindings in the IIS. If no bindings are configured, win-acme cancels the operation.

Win-ACME Lets encrypt acme Console on Windows - letsencrypt.exe

In the next step, you select the IIS website for which you want to request and issue the certificate.

The next step is to decide whether to use all bindings or only specific IIS Web sites. In the second case, you select them via a filter.

win-acme http-01 method

After further confirmation, the certificate request starts. To verify the authority of the domain, win-acme uses the http-01 method. The client receives a token from Let’s Encrypt, which it writes to a file on the local server, which is then read out by Let’s Encrypt.

Let’s Encrypt expects to read the token from the file via HTTP. Therefore, win-acme on the firewall requires the release for port 80 to the server.

win-acme certificate is located in certificate store

The certificate is located in the server’s certificate store after the operation completes successfully. In addition, win-acme stores the certificate in PEM and PFX format under the following path.

C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org

The authority of the domain for which you request a certificate must be proven not only at the initial issuance, but also every 3 months for the renewal of the certificate.

In most common situations, it is not desirable for a server to be permanently accessible from the Internet only to request a certificate without protection on port 80. Here the use of a proxy or a temporary port release should be considered.

win-acme DNS-01 method

To bypass the passing of port 80 on the firewall, there is the option to change the challenge instead of http-01. DNS-01. Particularly it is useful where the token is entered as a TXT record in the DNS.

_acme-challenge.<MEINE_DOMAIN>

This method also has the advantage that wildcard certificates can be issued. The prerequisite for DNS-01 is of course that the domain in question is hosted externally. And is therefore accessible for Let’s Encrypt.

Windows Master Browser Lookup for NetBIOS Name and Elected Master Browser

The folders and printers shared by Windows clients appear in the client network environment. If the network environment remains empty, it is often the computer browser service. Windows attempts to view all PCs on a Windows network in the network environment.

Windows Workstation Service

First, you need to make sure that a Windows network is working properly at all. The Windows Workstation Service and Server services must be running, and the network connection properties must have file and printer sharing and the Microsoft Network Client active, and TCP/IP over NetBIOS must be enabled.

Note that clients that are not in a domain are in the same workgroup, the WORKGROUP and WORKING GROUP are different groups. If all this does not yet lead to success, one should search for the computer on the network, which has been delegated to the master browser.

NetBIOS Name Information

The NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to any address in the specified range and lists received information in a human-readable form. For each responding host, the IP address, NetBIOS computer name, user name, and MAC address of the computer are displayed.

C:\> nbtscan -s: -h -v 192.168.10.0/24

To discover the master browser on a local network, the following content can be created in a batch file.

@Echo Off
Title Master Browser Lookup & Color 1A
call :IsAdmin

if not [%1]==[] goto lookup
echo use: nbt [ip address range]
echo example: nbt 192.168.10.0/24
goto:eof

:lookup
nbtscan -s: -h -v %1 | find "Master Browser"
for /f "delims=" %%A in ('nbtscan -s"   " -h -v %1 ^| find "Master Browser"') do set "var=%%A"
echo .
echo Elected Master Browser on %var:~0,15%
echo .
nbtstat -A %var:~0,15%
pause

:IsAdmin
Reg.exe query "HKU\S-1-5-19\Environment"
If Not %ERRORLEVEL% EQU 0 (
 cls & echo You must have administrator rights to continue ... 
 pause & exit
)
cls
goto:eof

Using Copy Paste to the batch file .bat save and, when the IP network is committed, run as an administrator in the command prompt, the program nbtscan.exe and cygwin1.dll must be in the same directory, or the path to the program must be in the search path environment.

Download NBTScan

Master Browser Delegation

Often it helps when the PC of this is the master browser on its network to restart, so the choice to delegate another computer is triggered. Microsoft sets priorities here, by regulating the assignment (election) to the master browser is granted. Administrators don’t just want to leave it to random rules about who master browser should be, to do so, you open Regedit and go to the following key.

HKEY_LOCAL_MACHINE-SYSTEM\CurrentControlSet\Services\Browser\Parameters

Edit the REG_SZ MaintainServerList key and set it to FALSE or TRUE, for disable or enable. For Windows XP and Server 2003, the REG_SZ key is IsDomainMaster with value FALSE / TRUE, and MaintainServerList with the value AUTO / NO / YES. The change does not take effect immediately and may take up to 48 minutes.

Linux Samba Master Browser

For Linux, the Samba configuration file smb.conf is responsible, in the following example, a Samba server with the highest priority is chosen as the master browser, suitable on a network without Windows PDC. In networks in these there is a Windows PDC it is not recommended.

[global]
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 255

Computer browser service architecture — Illustration: Computer Browser Service Architecture

NBTStat is a command-line tool for troubleshooting NetBIOS name over TCP/IP (NetBT) resolution issues, it is part of the Windows standard. It shows protocol statistics and current TCP/IP connections with NetBT.

C:\> nbtstat -A 192.168.10.73
LAN connection 1:
Node IP[192.168.10.73] address: Rang[]e ID: 

NetBIOS name table of the remote computer

    Name          Type  Status
    ---------------------------------------------
    AMX3000       <00>  CLEAR  Registered
    WORKGROUP     <00>  GROUP  Registered
    WORKGROUP     <1C>  GROUP  Registered
    AMX3000       <20>  CLEAR  Registered
    WORKGROUP     <1B>  CLEAR  Registered
    WORKGROUP     <1E>  GROUP  Registered
    ADMINISTRATOR <03>  CLEAR  Registered

    MAC Adresse = 00-0B-AB-0B-11-8E

NetBIOS name tables type <00> is output in hex.</00>

<00> specifies the domain to which this computer belongs
<03> Computer name assigned to the messenger service
<20> Computer name assigned to the server service
<1C> Internet group name registered with domain controller
<1B> Identifying a domain master browser name
<1E> Computer can be used as a backup browser in the domain
<03> Username currently logged on to this computer
<1D> Identify segment master browsers without a domain

UNBLOG Tutorials

Tag Archives: Windows Tutorial

How to Install Lets Encrypt on Windows Server