github win-acme/win-acme v1.9.7.0

This release marks a major update of the validation stage, which is now decoupled from the target acquisition and installation stages of the program. This has made it possible to add support for DNS and TLS validation.

Validation plugins

After choosing a target you will now be presented with a second menu to choose your validation options. There are plenty to choose from, though not all of them will be available for every target. In unattended mode you can pick a validation plugin using the --validation switch. If not specified we stick to the default one (FileSystem).

HTTP

| Name | Description |
|---|---|
| FileSystem | The classic way to go, with some small improvements such as the option to copy the web.config file when using a manual target. |
| IIS | Configure a temporary application in IIS to handle validation requests, see below for more details. |
| Ftp | The legacy plugin re-invented as a way to publish files, but now capable of all the goodness that should be expected, such as running unattended, renewing and installing the resulting certificate. |
| WebDav | See above. |
| SelfHosting | Not running any web server? Why not let us run one for you. Contributed by @dazerdude. |

DNS

| Name | Description |
|---|---|
| Azure | Automatically create and delete records in the Azure DNS service. The essence of this code was contributed by @olivermue. |
| Scripted | Do-it-yourself support for any DNS provider which offers an API. You provide the path to a script/program that creates a record and one that deletes a record. LEWS takes care of the rest for you. |

TLS-SNI

| Name | Description |
|---|---|
| IIS | Creates a temporary binding in IIS, preferably in the site that's being validated, but in case of manual input it will create a temporary website specifically for the purpose of answering the TLS-SNI challenges. |

IIS validation mode

A big pain for FileSystem validation is getting the IIS configuration right. Not all servers have the same modules installed and in most cases local web.config files are not allowed to change crucial settings which are required for the ACME server to access the validation file. This put us between a rock and a hard place: too much configuration in the default web.config and crash due to locked sections and missing modules, or too little configuration and force each new user to struggle with the known issues by themselves.

v1.9.7 offers a different solution. The new IIS validation mode goes directly to the IIS server manager and tells it to make exceptions for the website that you're using for validation. This means that we don't have to unlock sections that Microsoft locked by default (for good reason) and that we can use feature detection to prevent errors. Specifically, it changes the following settings for the .well-known folder.

  • Remove all non-global modules
  • Configure the httpHandlers in the right way (StaticFile)
  • Enable anonymous authentication
  • Disable the "Require SSL" setting
  • Allow unlisted clients in the IP security section
  • Disable UrlRewrite (if installed)

Other settings, such as mimeType and authorization are still done locally with the web.config, so you can also still customize or override settings if needed.
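The following is an added example, not win-acme's own code, that approximates the six settings listed above with WebAdministration cmdlets. It writes them as location entries in applicationHost.config for the site's .well-known folder, which is why locked sections are not an obstacle, in contrast to a local web.config. The site name and the reading of "non-global modules" as managed modules (entries with a `type` attribute) are assumptions.

```powershell
# Added example: apply the IIS validation mode settings to <site>/.well-known.
# Assumption: $SiteName is the IIS site that serves the ACME HTTP-01 validation files.
param([string]$SiteName = 'Default Web Site')

Import-Module WebAdministration
$apphost  = 'MACHINE/WEBROOT/APPHOST'      # applicationHost.config, not a web.config
$location = "$SiteName/.well-known"

# 1. Remove managed (non-global) modules for this folder; native global modules
#    such as StaticFileModule keep serving the file. (Assumed reading of "non-global".)
$modules = Get-WebConfiguration -PSPath $apphost -Location $location -Filter 'system.webServer/modules/add'
foreach ($m in $modules | Where-Object { $_.type }) {
    Remove-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter 'system.webServer/modules' -Name '.' -AtElement @{ name = $m.name }
}

# 2. Handlers: clear the inherited list and map everything to StaticFile.
Clear-WebConfiguration -PSPath $apphost -Location $location -Filter 'system.webServer/handlers'
Add-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/handlers' -Name '.' -Value @{
        name = 'StaticFile'; path = '*'; verb = '*'
        modules = 'StaticFileModule,DefaultDocumentModule,DirectoryListingModule'
        resourceType = 'Either'; requireAccess = 'Read'
    }

# 3. Anonymous authentication: the ACME server never presents credentials.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true

# 4. No "Require SSL": HTTP-01 is fetched over plain HTTP.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# 5. IP security: allow clients that are not explicitly listed.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value $true

# 6. URL Rewrite: only touch the section if the module is installed (feature detection).
if (Get-WebGlobalModule -Name RewriteModule) {
    Clear-WebConfiguration -PSPath $apphost -Location $location -Filter 'system.webServer/rewrite/rules'
}
```

Run it from an elevated PowerShell on the IIS host; the resulting `<location path="...">` block can be inspected in applicationHost.config and removed once validation is done.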

Renewals

Users will no longer have to dig through the event viewer to figure out what's happening with their renewals. You can now get a summary of that information from the main menu, where the successes and failures are summarized per certificate.

LEWS uses this data itself to determine with a high degree of confidence which certificates it has previously created. This not only prevents accidental removal of other certificates with similar friendly names, but also allows us to search IIS for bindings which use the certificate outside of the original target. This allows you to link the certificate to places such as the empty binding on the Default Web Site, yet still have it automatically renew when the time comes.

Bug fixes and other small improvements

  • #280 - Install the intermediate certificates, so that a full chain can be built up
  • #290 - Consider all bindings which use the certificate, not just the first one
  • #293 - Add check to test if .NET Framework 4.5 is installed
  • #380 - Re-creating the scheduled task for a specific user requires them to re-enter the password...
  • ...also do not crash when the password is incorrect, but simply prompt for a retry
  • #420 - Convert private key to Microsoft RSA SChannel Cryptographic Provider for compatibility
  • #429 - Option to choose on which port to create new HTTPS bindings by @jlafitte
  • #450 - Fix bug in determination of the .well-known path for the FTP plugin
  • Use the latest version of ACMESharp, allowing us to...
  • #488 - Switch to BouncyCastle from OpenSSL as the library to generate certificates
  • Main menu option to run a specific renewal
  • Don't (re)validate when the host has already validated
  • Don't ask "Would you like to start again" every time
  • ...many more
