New to Certify The Web / IIS setup validation

Hello!

I used commercial SSL certificates for my IIS websites for many years and manually renewed them. Because of the upcoming shorter certificate lifetimes, I now tested Certify The Web with Let’s Encrypt on one of my IIS test sites.

Everything seems to work fine:

  • certificate created successfully
  • IIS binding updated automatically
  • valid Let’s Encrypt / R13 certificate shown in browser
  • renewal tasks also seem to be configured correctly

From what I understand, the ACME challenge is handled directly via:
.well-known/acme-challenge/

Is this considered a normal and reliable long-term production setup for IIS websites?

Anything important I should still watch out for before using this for more websites?
If everything looks good, I would of course purchase the commercial license for my production/commercial sites.

Thanks!

Yes, the default http-01 HTTP domain validation is the simplest way to validate your domain and is what the majority of people use. A key thing with that is to not then go and block TCP port 80 just because https is working; you still need TCP port 80 for the http challenge response. The alternative to HTTP domain validation is DNS domain validation, which some people prefer.

In terms of being a normal and long-term production setup, there are well in excess of half a million certs being renewed by the app (we only know an approximate figure), and the app has been around (with regular updates and improvements) since 2015.

By default, if a renewal starts to fail, the app will send a status report to our API, which will in turn notify you of the failures using the email address you initially specified when setting up the Let’s Encrypt account.

You should periodically ensure you are using the latest version of the app, because things can and do change.

If you have larger scale certificate management requirements please also see Certify Management Hub, which is useful when you are managing certs across many servers.
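
An added example, not from either poster and not part of Certify The Web: a PowerShell pre-flight check for the two points raised above, that TCP port 80 and the `.well-known/acme-challenge/` path stay reachable, and that the certificate served on 443 is not close to expiry. The host name, the `preflight-test` token name and the 14-day threshold are placeholders chosen for illustration.

```powershell
# Added example. Run it from a machine OUTSIDE the server's network so the
# firewall path matches what the CA sees during http-01 validation.
# 'www.example.com', 'preflight-test' and the 14-day threshold are placeholders.
function Test-Http01Readiness {
    param([string]$HostName, [int]$WarnDays = 14)

    $r = [ordered]@{ HostName = $HostName; Port80Open = $false
                     ChallengeStatus = 0; CertDaysLeft = $null }

    # 1. http-01 needs inbound TCP 80 even when the site itself runs on HTTPS.
    $r.Port80Open = Test-NetConnection -ComputerName $HostName -Port 80 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # 2. Ask for a token that does not exist. Any HTTP answer (a 404 is the
    #    expected one) shows the path reaches a web server; 0 means no answer.
    $url = "http://$HostName/.well-known/acme-challenge/preflight-test"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $r.ChallengeStatus = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) {
            $r.ChallengeStatus = [int]$_.Exception.Response.StatusCode
        }
    }

    # 3. Read the expiry of the certificate actually served on 443. Validation
    #    is skipped on purpose: the goal is to read NotAfter, not to trust it.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, 443)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.CertDaysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    } catch {
        Write-Warning "TLS check failed for ${HostName}: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }

    $r.Ok = ($r.Port80Open) -and ($r.ChallengeStatus -in 200, 404) -and
            ($null -ne $r.CertDaysLeft) -and ($r.CertDaysLeft -gt $WarnDays)
    [pscustomobject]$r
}

'www.example.com' | ForEach-Object { Test-Http01Readiness -HostName $_ } | Format-Table
```

Scheduled independently of the renewal task, a check like this gives a second signal alongside the failure e-mails mentioned above.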