2

I am installing an instance of MS CRM 2015 on-premise, on a Win 2012 R2 Server, IIS 8.5.

I would like to use the Let's Encrypt service to generate certificates for crm.example.com on this server.

Let's Encrypt would like to use the .well-known/acme-challenge directory for validation. MS CRM has taken over the Default website and redirects requests to its website folder, using Windows authentication.

Is there a way to whitelist the .well-known/acme-challenge folder within the CRM website, so as to avoid authentication?

I have tried adding a location section in the web.config, but IIS throws an error because the path starts with a dot.

https://stackoverflow.com/questions/10351075/allow-anonymous-authentication-for-a-single-folder-in-web-config

I have tried adding a handler to solve that problem, as in:

https://stackoverflow.com/questions/11728846/dots-in-url-causes-404-with-asp-net-mvc-and-iis but I get the same error there.

As an alternative, Let's Encrypt can be validated using DNS, but I am not really up to that, and I can't find evidence that my provider has an API for that purpose.

Do I have any other options?

simonpa71
  • 230

1 Answer

2

Thanks to @Peter Hahndorf for the workaround, to @benadams letsencrypt fixes for IIS for the syntax, and to @Mike Ratcliffe (editing ApplicationHost.config).

If you want Let's Encrypt to write to a ./well-known subfolder of the CRM website, create the subfolder first and then change the configuration as follows.

Edit the ApplicationHost.config (the main IIS config file), mine was under Windows/System32/inetsrv/config. If you are running a 64-bit edition of Windows, you must use a 64-bit editor (I used Windows Notepad).

I added/changed the following lines in the <location path="Microsoft Dynamics CRM/.well-known"> section.

    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
      <staticContent>
        <mimeMap fileExtension=".*" mimeType="text/plain" />
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
      <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
      </handlers>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>

This allows anonymous authentication and any user access to a path starting with a dot, under the CRM default website.

With this setup I could request a certificate using the letsencrypt-win-simple PowerShell script.

simonpa71
  • 230
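An added example, not part of the answer above: a small audit of an ApplicationHost.config that confirms the anonymous exemption stays confined to `.well-known`, that the inherited handlers are cleared there, and that the remaining handler is read-only. The sample configuration is constructed (its site-level `<location>` is an assumption), and `audit_anonymous_scope` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's edit. The site-level <location>
# and its values are assumptions added for illustration.
SAMPLE_CONFIG = """<configuration>
  <location path="Microsoft Dynamics CRM">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Microsoft Dynamics CRM/.well-known">
    <system.webServer>
      <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" requireAccess="Read"
             modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
      </handlers>
      <security><authentication>
        <anonymousAuthentication enabled="true" />
      </authentication></security>
    </system.webServer>
  </location>
</configuration>"""

ANON = "system.webServer/security/authentication/anonymousAuthentication"

def audit_anonymous_scope(config_xml):
    """Return (location path, problem) pairs for risky anonymous exemptions."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        anon = loc.find(ANON)
        if anon is None or anon.get("enabled", "").lower() != "true":
            continue  # this location does not switch anonymous access on
        # Segment 0 is the site name; the exemption must sit under .well-known.
        if ".well-known" not in path.split("/")[1:]:
            findings.append((path, "anonymous access outside .well-known"))
            continue
        handlers = loc.find("system.webServer/handlers")
        if handlers is None or handlers.find("clear") is None:
            # Without <clear />, handlers inherited from the site still apply.
            findings.append((path, "inherited handlers not cleared"))
            continue
        for h in handlers.findall("add"):
            if h.get("requireAccess") != "Read":
                findings.append((path, "handler %s is not read-only" % h.get("name")))
    return findings

if __name__ == "__main__":
    print(audit_anonymous_scope(SAMPLE_CONFIG) or "anonymous access limited to .well-known")
```

To check a real server, pass the text of its ApplicationHost.config to the function instead of the sample; an empty list means none of the three problems was found.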