Let’s Encrypt is a free, automated, and open Certificate Authority. It allows you to get an SSL certificate for your domain for free. The procedure is very simple and you can get a certificate in a minute! (but it may require some configuration or code if you use ASP.NET Core…)
First you need to download letsencrypt-win-simple and copy it to the server. Then execute it:
You’ll be prompted to select which website you want to get a certificate for. Select the appropriate number (or all). After a few seconds, you may get this red message indicating that something went wrong:
To issue a certificate, Let’s Encrypt verifies that you own the domain by requesting a file on your server. In this case, the file is not accessible (status 404). Let’s understand what happened.
IIS gets the request and finds the associated web site. Then it executes handlers in order until one sends the response. The ASP.NET Core handler is the first to handle the request.
The challenge file is in the folder “.well-known/…”, but by default ASP.NET Core serves only files located in the folder “wwwroot”, so a 404 response is sent to the client. ASP.NET Core has handled the request; therefore, the IIS static file handler is never called.
As a workaround, you can move up the “StaticFile” handler, but your website may not work as expected. A better solution is to instruct your ASP.NET Core website to serve the files located in the directory “.well-known”. You do this by registering a second static file middleware for that directory:
public class Startup
{
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseStaticFiles(); // wwwroot
        app.UseStaticFiles(new StaticFileOptions { // .well-known under the content root
            FileProvider = new PhysicalFileProvider(Path.Combine(Directory.GetCurrentDirectory(), @".well-known")),
            RequestPath = new PathString("/.well-known"),
            ServeUnknownFileTypes = true // serve extensionless file
        });
    }
}
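Before rerunning the client, you can confirm that the site now answers requests for an extensionless file in the challenge folder. The script below is an added example, not part of letsencrypt-win-simple or the original post; `$SiteRoot` and `$HostName` are placeholder values, and it assumes the site's content root is the folder that contains `.well-known`.

```powershell
# Pre-flight check for the HTTP-01 challenge path (added example).
# $SiteRoot and $HostName are placeholders; replace them with your own values.
param(
    [string]$SiteRoot = 'C:\inetpub\mysite',  # assumed content root of the ASP.NET Core site
    [string]$HostName = 'example.com'         # assumed host name bound to the IIS site
)

$challengeDir = Join-Path $SiteRoot '.well-known\acme-challenge'
$token   = 'preflight-' + [guid]::NewGuid().ToString('N')  # extensionless, like a real token
$content = [guid]::NewGuid().ToString('N')                 # random body to compare against
$file    = Join-Path $challengeDir $token
$url     = "http://$HostName/.well-known/acme-challenge/$token"

# Create the folder if needed and drop a throwaway test file into it.
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
Set-Content -Path $file -Value $content -NoNewline -Encoding Ascii

try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing

    # Unknown file types are sent as binary, so Content may be a byte array.
    if ($resp.Content -is [byte[]]) {
        $body = [Text.Encoding]::ASCII.GetString($resp.Content)
    } else {
        $body = [string]$resp.Content
    }

    if ($body.Trim() -eq $content) {
        Write-Host "OK: $url returned the test file (status $($resp.StatusCode))."
    } else {
        Write-Warning "Reached $url but the body differs; another handler or rewrite rule is answering."
    }
}
catch {
    # Invoke-WebRequest throws on 4xx/5xx; a 404 here is the failure the ACME client reported.
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
}
finally {
    # Always remove the test file so nothing is left in the public folder.
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}
```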
Now, you can execute LetsEncrypt.exe and ask for a certificate:
By default, Let’s Encrypt generates certificates with a key length of 2048. You can increase it to 4096 (key length recommendations) by modifying the configuration file “letsencrypt.exe.config”:
<setting name="RSAKeyBits" serializeAs="String">
  <value>4096</value>
</setting>
Also, it is strongly recommended to enable HSTS (HTTP Strict Transport Security) to ensure that all requests use the HTTPS protocol.