Securing SmarterTrack With Let's Encrypt

SSL is an integral part of today’s web experience. Sites like Google penalize sites -- ANY sites -- that do NOT use SSL, so having a solid SSL implementation for any of your domains means your users will have a safe and secure browsing experience. In addition, it eliminates that pesky “Safe Browsing” warning that Google displays for sites that don’t utilize SSL and that tends to scare users.

Let’s Encrypt is a free, open, and automated Certificate Authority. Unlike places such as GeoTrust or Trustwave, the SSL certificates issued by Let’s Encrypt have zero cost. However, their certificates are just as secure and reliable as paid certs. The difference is that Let’s Encrypt is like any open-source product: while free, it may lack some of the nuances of paid services. That’s to say that using a Let’s Encrypt cert is slightly more work than using something from GeoTrust. For example, you have to “enroll” the certificate in the server’s Certificate Store, and you have to handle automated renewals of the Let’s Encrypt certificate. Even with these limitations, the effort required for using Let’s Encrypt is well worth it. Below we’ll run through how we’ve implemented Let’s Encrypt for our installation of SmarterTrack and how we’re handling both the enrollment of the cert AND the automated renewal.

Using Certify and Let's Encrypt to secure SmarterTrack's web interface
One solution for requesting Let’s Encrypt certificates is to use the Certify client to handle the enrollment of the certificate as well as the automatic renewal.

Configuring the Certify Client
Once Certify has been installed on the server, the instructions below will walk you through configuring the certificate automatically based on the IIS settings.

1. Launch Certify.
2. Select New Certificate in the upper left-hand corner.
3. The ‘New Managed Certificate’ section will then load.
4. Select your ‘SmarterTrack’ IIS site.
5. Customize the Name if desired.
6. Ensure the checkbox for ‘Enable Auto Renewal’ is enabled.
7. Select the Primary Domain name for the desired domain.
8. Select the desired Alternative Subject\Domain names to secure your secondary domains. Please note: if you do not see the desired hostnames in this list, you will need to add an IIS binding for each missing hostname so that Certify can detect it.
9. Click Request Certificate. At this point Certify should kick off the domain verification process. Once complete, the site will be updated with the new SSL bindings and certificates within IIS.

That's it! Once you've completed these steps you should be able to access your SmarterTrack web interface URLs using HTTPS successfully, and the configured certificate will automatically renew as necessary.
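
To confirm the result of step 9 on the server itself, the following added example (not part of the original article or of Certify) lists each HTTPS binding on the IIS site, the certificate attached to it, whether the binding's hostname appears in that certificate, and how many days remain before expiry. The site name 'SmarterTrack' comes from step 4; the 14-day warning threshold and the function names are assumptions made for this example.

```powershell
# Added example, not from the original article. Run in an elevated Windows
# PowerShell session on the IIS server. Assumed: site name and threshold below.
Import-Module WebAdministration

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # exact match (case-insensitive)
        # A wildcard entry covers exactly one extra left-most label.
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot + 1) -eq $name.Substring(2)) { return $true }
    }
    return $false
}

function Test-SiteCertificate {
    param([string]$SiteName = 'SmarterTrack', [int]$WarnDays = 14)
    foreach ($binding in Get-WebBinding -Name $SiteName -Protocol 'https') {
        # bindingInformation has the form "IP:port:hostname"
        $hostName = ($binding.bindingInformation -split ':')[-1]
        $cert = $null
        if ($binding.certificateHash) {
            $path = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
            $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        }
        if (-not $cert) {
            [pscustomobject]@{ Binding = $binding.bindingInformation; Status = 'NO CERTIFICATE'
                               Issuer = $null; NotAfter = $null; DaysLeft = $null }
            continue
        }
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = 'OK'
        if ($hostName -and -not (Test-NameCovered $hostName $cert.DnsNameList.Unicode)) {
            $status = 'NAME NOT IN CERTIFICATE'
        }
        if ($daysLeft -lt $WarnDays) { $status = 'EXPIRING OR EXPIRED' }
        [pscustomobject]@{ Binding = $binding.bindingInformation; Status = $status
                           Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; DaysLeft = $daysLeft }
    }
}

Test-SiteCertificate | Format-Table -AutoSize
```

Running it again after a renewal should show a later NotAfter date on every binding; a binding that still shows the old date was not updated by the renewal.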