Just grab the latest code here:
unpack it into a folder you will keep (I used “E:\Let’s Encrypt”), and run letsencrypt.exe in the folder. The multi-site (SAN) mode works only if IIS is set up in certain ways; but the manual mode for a single site is simple and easy, and it sets up a scheduled task in Windows for the needed automatic updates.
Comes highly recommended:
Here are two very helpful sources. For many general things, the EPEL repository:
and for PHP and other server-specific packages, in current versions more recent than the OSes supply by themselves, Remi:
This one courtesy of the amazing Mike Hunsinger.
- Run the web site SSL test here, specifying the URL to study:
- A rating of A through F, or T, will be reported. T means a fundamental problem with the certificate install itself.
An A rating means the server is set to accept only protocols, such as TLS 1.2, that are currently recognized as secure. Anything below an A rating means the server responded on SSL or other protocols considered insecure.
Scroll down on the SSL Labs rating page to see the technical details on what protocols were detected and which are failing security checks.
If this is a Windows web server, remote in and:
- Download the portable app IIS Crypto from here:
Run this program on the server which hosts the website.
You’ll get a window showing all protocols that are on this server and whether they’re enabled or not. To achieve an A rating, use the details view from SSL Labs as a guide. Disable any protocols in IIS Crypto that SSL Labs flags as a security risk. Only do this after verifying that the web site / web application will certainly work with the newest protocols and does not depend on the older ones.
The protocols that a Windows web server will accept are specified via registry entries. IIS Crypto reads and modifies these registry entries automatically.
- Reboot the webserver. Then retest with SSL Labs. Make further changes as dictated by the scoring detail.
- If you have control over workstations, use Group Policy to deploy the certificate to all of them, to disable insecure protocols, and to enable the secure protocols.