Create a binding if it doesn't already exist when renewing a certificate

Currently if a certificate is created and the binding does not already exist in IIS, then no binding occurs. I would like to set it up so that when a new certificate request happens it checks to see whether there is an appropriate binding in IIS and if there is not, one is created.

I tried adding the following script to a PreDeployment that I am using:

param($result)
# Load the IIS cmdlets (Get-WebBinding / New-WebBinding)
Import-Module WebAdministration
$domain = $result.ManagedItem.CertRequestConfig.PrimaryDomain
# Look only for an existing https binding on this hostname; an http binding on the
# same hostname must not suppress creation of the https one
$binding = Get-WebBinding -Name "sitename" -Protocol https -HostHeader $domain
if (!$binding)
{
    Write-Output "Creating Binding for $domain"
    # SslFlags 1 = SNI, so many hostnames can share *:443
    New-WebBinding -Name "sitename" -IPAddress "*" -Port 443 -HostHeader $domain -Protocol https -SslFlags 1
}
else
{
    Write-Output "Binding Already Exists for $domain"
}

However, nothing seems to happen (other parts of the script are running fine so I know it is being called). There is not even any output in the logs.

Hi,

That depends on your existing website binding configuration in IIS. The app will create https bindings for you if you have a matching http binding on the same hostname. If on the other hand you have no hostname bindings then no it won’t create a new https binding on the hostname for you. If you have an existing https binding on your site (matching the hostname or using the previous certificate) this will be updated instead.

I think your script doesn’t work because you can only create an https binding if you specify the certificate hash/thumbprint of an already installed certificate [the script also shouldn’t be required at all].

Perhaps you could share more about your website configuration and if you have used any special binding options in Certify The Web. The default/auto configuration suits most people.

You can see what bindings Certify will update/create in the Preview tab, at the bottom in the Deployment section. If you expect a binding to be created/updated it will show there, if not then your configuration is incorrect (or in some way unsupported).

In my case, IIS is running a multi-tenanted platform which has many hundreds of domains. I am basically trying to automate the domain binding / encryption process as best as I can. So I was thinking that I could use the importcsv command to load a list of new domains into a server and then certify would create the bindings on the IIS site and then allocate the certificate.

btw - the New-WebBinding PowerShell works just fine without an existing certificate - if I run it manually for a specific host it creates a binding with no SSL (something that you can only do via PowerShell; not the UI).

I would alter the PowerShell to be in the PostDeployment and have it include the certificate but Letsencrypt won’t be able to verify the domain until after I have the binding on the server -

So yes, Certify does not create http bindings for you, but it will create corresponding https bindings for existing http bindings.

If you are using the standard (built in) http challenge server that comes with Certify The Web then you don’t need an initial IIS binding (http or https) to complete validation. The app temporarily registers a listener for the /.well-known/acme-challenge/* path in front of IIS in the http.sys pipeline which just handles the Let’s Encrypt challenge responses it knows about.

It will help if you do have an http hostname binding for each domain, as then Certify knows to create a corresponding https binding with the new certificate against the correct IIS site.

One workaround is you could use the same CSV file to batch create http bindings, then import to Certify. Then once all your https bindings have completed you can use the same CSV file to batch delete your http bindings (if you don’t want them).
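The workaround above (batch-create http hostname bindings from the CSV so Certify has something to match, then remove them once the https bindings exist), written out as an added PowerShell example. This is not code from the thread or from Certify The Web; the site name, the CSV column name "Domain" and the parameter names are assumptions. When no CSV path is supplied it uses a constructed two-row sample so it can be dry-run on a test site.

```powershell
<#
  Added example, not part of the original post or of Certify The Web.
  Creates an http binding on an IIS site for every hostname in a CSV so that
  Certify finds a matching http hostname binding and creates the corresponding
  https binding when the certificate is issued. Re-run with -Remove after the
  https bindings exist to drop the http bindings again.
  Assumed: CSV has a "Domain" column; $SiteName is the IIS site to bind.
#>
param(
    [string]$SiteName = "sitename",   # assumed IIS site name
    [string]$CsvPath,                 # assumed CSV with a "Domain" column
    [switch]$Remove
)

Import-Module WebAdministration

$rows = if ($CsvPath) {
    Import-Csv -Path $CsvPath
} else {
    # Constructed sample input used when no CSV is supplied
    @"
Domain
tenant1.example.com
tenant2.example.com
"@ | ConvertFrom-Csv
}

foreach ($row in $rows) {
    $domain = ([string]$row.Domain).Trim().ToLowerInvariant()

    # Reject anything that is not a plain hostname before it reaches IIS config;
    # a multi-tenant CSV is untrusted input.
    if ($domain -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
        Write-Warning "Skipping invalid hostname '$domain'"
        continue
    }

    $http  = Get-WebBinding -Name $SiteName -Protocol http  -HostHeader $domain
    $https = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $domain

    if ($Remove) {
        if ($http -and $https) {
            # Only drop the http binding once its https counterpart is in place
            Remove-WebBinding -Name $SiteName -Protocol http -Port 80 -HostHeader $domain
            Write-Output "Removed http binding for $domain"
        } elseif ($http) {
            Write-Warning "Keeping http binding for $domain : no https binding yet"
        }
        continue
    }

    if ($http -or $https) {
        Write-Output "Binding already exists for $domain"
    } else {
        # This is the binding Certify will match when it creates the https one
        New-WebBinding -Name $SiteName -IPAddress "*" -Port 80 -HostHeader $domain -Protocol http
        Write-Output "Created http binding for $domain"
    }
}
```

Run it once before importing the CSV into Certify, check the Preview tab shows an https binding per hostname, and run it again with `-Remove` only after the certificates have deployed; the removal branch refuses to delete an http binding whose hostname has no https binding yet.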

Interesting - I didn’t realize that Certify was doing that with its built in challenge server - quite ingenious!

I agree with your suggestion about creating the bindings - that’s what I’ll do!
