Same server with both IIS and Apache


I have a server with Apache bound to http 80/https 443 and IIS bound to http 81/https 444.

I have installed certifytheweb and can only use http challenge.

I set up the IIS site and set using changed the challenge to use port 81:


However now I want to set up the Apache server, how do I configure that to use port 80? There seems to be only one setting.

Or is this not possible?

Or do I have to copy the IIS certificate to the Apache server manually, since they are both using the same domain name?


I’m assuming you have yet to manage to get a certificate using this configuration. So there’s a couple of things going on here. You want to validate over http in an environment with competing http listeners and you want to deploy your certificate to multiple services (IIS and Apache).

When Let’s Encrypt (the certificate authority issuing the certificates) attempts to validate your domain control using http it will ask the app to make a challenge response file available at<a file name>

It will first try port 80, then follow any redirect you have (to https), this is not configurable and is a hard rule of the http-01 challenge specification. As apache on windows does not support http.sys http prefix listeners (and keeps port 80 all to itself) the built in http challenge server can’t be used.

So to validate over Apache you need it to answer the http challenges (first disable the http challenge server in Settings) and to do that you need to set the website root setting (under Authorization) to your apache site root and uncheck Perform web application auto config.

The app will then write the file out to a text file like /.well-known/acme-challenge/abc123 and your Apache instance must respond with that file when requested (which can take some extra configuration on your part or may work fine).

Once validation completes LE will be happy to issue a certificate, so the next step is configuring deployment. By default we expect IIS, so if you look under Preview at the bottom of the Deployment summary we detail the binding changes we’re going to make, these should be OK for IIS (if not then you need to examine the deployment config, in general we match on hostname bindings that match the domains in the cert).

To deploy to Apache in the current version of the app you will need an additional deployment script using Scripting (see Show Advanced Options). This script (which you provide) will need to convert the pfx file we have into .crt and .key files (usually) using a tool such as OpenSSL. See the script examples in this thread: Filezilla Server PS Script

In your apache config you will need a standard SSL setup to point to these files.

When automatic renewal takes place the IIS deployment will happen and the apache scripting will run again. You may want to have scripting to restart apache as part of that.

In the next major version of Certify The Web several deployment tasks are being added including Apache, nginx or other certificate/key exports which will remove the need for some scripting. https binding creation is not automatic for Apache and you need to configure that in the Apache config yourself.