I’ve been using OSTicket on an old server in our MS Windows environment. When traffic is just local (behind our firewall) I don’t mind using self-signed certs, but I’ve been thinking about opening access up to the outside so my users can submit tickets when not on our network. I’d prefer not to spend money on a cert; I’d much rather use a Let’s Encrypt cert. Trouble is, I’ve never done that on a Windows server. I did some poking around and learned that the easiest way is to use Win-Acme to automate getting and renewing certs. The alternatives to that would be to either do it manually or to write a PowerShell script, but I don’t want to invest the time or effort into doing either if I can avoid it. I downloaded the app from https://www.win-acme.com/ and ran it, but it gets as far as requesting the cert and fails. It shows pending. Anyone have any experience with either using Win-Acme or some other method of accessing Let’s Encrypt certs with OSTicket on a Windows server? (The server, btw, is Windows Server 2012 Standard, not R2, and the web server is just IIS. OSTicket is the latest, 1.14.1.) Thanks!

Honestly, this does not appear to be an osTicket question.
It appears to me to be a "how do I use Let's Encrypt (Win-Acme) on a Windows Server with the IIS 8.0 webserver software" question.
Note: it is my recollection that 2012 comes with IIS 8.0, and 2012 R2 comes with IIS 8.5, but please correct me if I am wrong.

If it were me (and I have tried to do this on Windows and gave up a couple of years ago now) I would google something like win-acme iis 8.0.
The first hit in my search is:
https://miketabor.com/how-to-install-a-lets-encrypt-ssl-cert-on-microsoft-iis/

While I have not used this article personally, it looks pretty well written and includes screenshots. Once you install it and configure your server to use it, you simply go to the Admin panel -> Settings -> System and change your Helpdesk URL from http:// to https://

Please let us know how you make out or if we can be of further assistance.

So... as it happens, it is a bit of a mixed bag. Like so many things in an IIS setup, it is temperamental. After editing the json file a few times and getting everything configured right for win-acme, I was still getting errors. So... even though the site is only accessible on 443, to make win-acme work you have to have 80 traffic pointed at your osticket site as well. It then becomes important that you don't get lazy here and actually set up the correct rewrite rules to ensure that all http traffic is rewritten to https traffic. The next thing I learned is that having the IIS admin panel open seems (inexplicably) to interfere with win-acme installing the cert and setting up a task to update it again when it expires. It also seems important to restart the entire site in the IIS admin panel before running win-acme. BTW, it is important to put a site name into the 443 bind in IIS--simply having a wildcard is insufficient with win-acme (at least for the automated version of it). Once you get past all of those issues, it was pretty easy all things considered, and now I feel good about giving my users access to osticket from outside the office network.

    arielzusya BTW, it is important to put a site name into the 443 bind in IIS--simply having a wildcard is insufficient with win-acme (at least for the automated version of it).

    ^ Now this I would have never thought of and probably where I ran into trouble. Thanks for posting your findings.

    Should I mark this as resolved and close the thread?

    Yep. All resolved. One more note. This one doesn't prevent it from working but will toss up errors. Because I still had some users using the local fqdn to get to the server, I needed a bind record for server.local. Let's Encrypt won't issue certs for a local fqdn. If you go through the prompts in win-acme, make sure to not submit all bound ports for certs. Even though it will pull the cert for the external domain, it will error out on the local domain and, if you have email reporting configured, it will send you an error for that local. Apart from that, no additional notes. Feel free to close the ticket. Thanks!
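
The binding pitfalls reported in this thread (no host name on the 443 binding, a .local name that Let's Encrypt will not issue for, nothing answering on port 80) can be checked before running win-acme. The following is an added example, not part of any post above and not win-acme's own code; the function name `Test-AcmeBinding`, the site name `osTicket` and the sample bindings are assumptions constructed for illustration.

```powershell
# Classify one IIS binding. IIS stores bindingInformation as "IP:port:hostname".
function Test-AcmeBinding {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [Parameter(Mandatory=$true)][string]$BindingInformation
    )
    $idx      = $BindingInformation.LastIndexOf(':')
    $hostName = $BindingInformation.Substring($idx + 1)        # may be empty (wildcard)
    $port     = [int](($BindingInformation.Substring(0, $idx) -split ':')[-1])

    if ($hostName -eq '') { $status = 'NoHostName' }           # nothing to request a cert for
    elseif ($hostName -notmatch '\.' -or $hostName -match '\.local$') {
        $status = 'InternalName'                               # not publicly issuable
    }
    else { $status = 'Candidate' }

    New-Object psobject -Property @{
        Protocol = $Protocol; Port = $port; HostName = $hostName; Status = $status
    }
}

# Constructed sample bindings. On a real server, replace with:
#   Import-Module WebAdministration; $bindings = Get-WebBinding -Name 'osTicket'
$bindings = @(
    @{ protocol = 'https'; bindingInformation = '*:443:' },
    @{ protocol = 'https'; bindingInformation = '*:443:helpdesk.example.com' },
    @{ protocol = 'https'; bindingInformation = '*:443:server.local' },
    @{ protocol = 'http';  bindingInformation = '*:80:helpdesk.example.com' }
)

$results = $bindings | ForEach-Object {
    Test-AcmeBinding -Protocol $_.protocol -BindingInformation $_.bindingInformation
}

# Host names reachable over plain HTTP on port 80 ('' means a wildcard binding).
$http80 = @($results | Where-Object { $_.Protocol -eq 'http' -and $_.Port -eq 80 } |
            ForEach-Object { $_.HostName })

foreach ($r in ($results | Where-Object { $_.Protocol -eq 'https' })) {
    switch ($r.Status) {
        'NoHostName'   { "[fix]  port $($r.Port): add a host name to this binding" }
        'InternalName' { "[skip] $($r.HostName): leave it out of the certificate request" }
        'Candidate'    {
            if ($http80 -contains $r.HostName -or $http80 -contains '') {
                "[ok]   $($r.HostName): port 80 binding present for validation"
            } else {
                "[fix]  $($r.HostName): no port 80 binding on this site"
            }
        }
    }
}
```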

    ntozier changed the title to [resolved] Cert on Windows Server for OSTicket.