
I am installing an instance of MS CRM 2015 on-premise, on a Win 2012 R2 Server, IIS 8.5.

I would like to use the Let's Encrypt service to generate certificates for crm.example.com on this server.

Let's Encrypt would like to use the .well-known/acme-challenge directory for validation. MS CRM has taken over the Default website and redirects requests to its website folder, using Windows authentication.

Is there a way to whitelist the .well-known/acme-challenge folder within the CRM website, so as to avoid authentication?

I have tried adding a location section in the web.config, but IIS throws an error because the path starts with a dot.

https://stackoverflow.com/questions/10351075/allow-anonymous-authentication-for-a-single-folder-in-web-config

I have tried adding a handler to solve that problem, as in:

https://stackoverflow.com/questions/11728846/dots-in-url-causes-404-with-asp-net-mvc-and-iis but I get the same error there.

As an alternative, Let's Encrypt can be validated using DNS, but I am not really up to that, and I can't find evidence that my provider has an API for that purpose.

Do I have any other options?

  • "*so as to avoid authentication?*" you mean "to avoid redirection", right? – techraf Aug 09 '16 at 14:07
  • Have you tried using `` in ApplicationHost.config rather than web.config, that seems to work for me – Peter Hahndorf Aug 09 '16 at 18:35
  • @Peter, good suggestion. I can change the authentication settings from `` in ApplicationHost.config (beware editing with 32 bit editor). I still get a 401 for extensionless files. – simonpa71 Aug 10 '16 at 14:29
  • @techraf, I am learning something of the innards of CRM, but I am not too sure about the actual page serving and authentication sequence. What I know is that the default response for the site is to show an authentication pop-up that I don't want for the ACME challenge. – simonpa71 Aug 10 '16 at 14:39

1 Answer

Thanks to @Peter Hahndorf for the workaround, to @benadams letsencrypt fixes for IIS for the syntax, and to @Mike Ratcliffe (editing ApplicationHost.config).

If you want Let's Encrypt to write to a .well-known subfolder of the CRM website, create the subfolder first and then change the configuration as follows.

Edit the ApplicationHost.config (the main IIS config file); mine was under Windows/System32/inetsrv/config. If you are running a 64-bit edition of Windows, you must use a 64-bit editor (I used Windows Notepad).

I added/changed the following lines in the `<location path="Microsoft Dynamics CRM/.well-known">` section.

```xml
<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
        <mimeMap fileExtension=".*" mimeType="text/plain" />
        <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" type=""
             modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
             scriptProcessor="" resourceType="Either" requireAccess="Read"
             allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
    <security>
        <authentication>
            <anonymousAuthentication enabled="true" />
        </authentication>
    </security>
</system.webServer>
```

This allows anonymous authentication and any user access to a path starting with a dot, under the CRM default website.

With this setup I could request a certificate using the letsencrypt-win-simple PowerShell script.
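The same per-location change, applied through the IIS configuration API and then checked from the outside, as an added example that is not part of the original answer. It assumes the site name `Microsoft Dynamics CRM`, the host `crm.example.com`, the `WebAdministration` module that ships with IIS 8.5, and that the HTTP-01 challenge arrives on port 80; the function names and the test token are mine. Writing through the API lands in the same `<location>` element of applicationHost.config, but without opening the file in an editor, so the 32-bit editor problem raised in the comments (WOW64 file system redirection silently pointing a 32-bit process at SysWOW64 instead of System32) does not arise.

```powershell
# Added example: scope anonymous access to the .well-known location of the CRM site
# via the IIS configuration API, then verify the exception is exactly that narrow.
# Run from an elevated PowerShell prompt on the CRM server.
Import-Module WebAdministration

$SiteName = 'Microsoft Dynamics CRM'        # assumption: IIS site name CRM took over
$HostName = 'crm.example.com'               # assumption: host the ACME server will contact
$AppHost  = 'MACHINE/WEBROOT/APPHOST'       # target applicationHost.config, not web.config
$Location = "$SiteName/.well-known"         # the only path that becomes anonymous

function Set-AcmeChallengeLocation {
    # 1. Physical folder the ACME client will write the challenge token into
    $sitePath = (Get-Website -Name $SiteName).PhysicalPath
    $sitePath = [Environment]::ExpandEnvironmentVariables($sitePath)
    $challengeDir = Join-Path $sitePath '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

    # 2. Anonymous on, Windows auth off, for this location only; the parent site is untouched
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled' -Value 'True'
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled' -Value 'False'

    # 3. Challenge tokens have no extension: map "." to text/plain so StaticFileModule serves them
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.'; mimeType = 'text/plain' }

    # 4. Drop the CRM handlers inherited from the parent and keep one read-only static handler
    #    (Clear-WebConfiguration writes <clear /> into the handlers collection at this location)
    Clear-WebConfiguration -PSPath $AppHost -Location $Location -Filter 'system.webServer/handlers'
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/handlers' -Name '.' `
        -Value @{ name = 'StaticFile'; path = '*'; verb = '*'
                  modules = 'StaticFileModule,DefaultDocumentModule,DirectoryListingModule'
                  resourceType = 'Either'; requireAccess = 'Read' }
    return $challengeDir
}

function Get-AnonymousStatus([string]$Uri) {
    # HTTP status an unauthenticated client gets for $Uri (Invoke-WebRequest sends no credentials
    # unless -UseDefaultCredentials is given); 0 if no HTTP response came back at all
    try { return [int](Invoke-WebRequest -Uri $Uri -UseBasicParsing).StatusCode }
    catch { return [int]$_.Exception.Response.StatusCode }
}

function Test-AcmeChallengeLocation([string]$ChallengeDir) {
    $token = 'constructed-test-token'       # constructed placeholder, not a real ACME token
    $tokenFile = Join-Path $ChallengeDir $token
    Set-Content -Path $tokenFile -Value 'ok' -NoNewline
    try {
        # Challenge path must answer 200 with no credentials at all
        $challenge = Get-AnonymousStatus "http://$HostName/.well-known/acme-challenge/$token"
        # Site root (after CRM's own redirects) must still answer 401: Windows auth stays enforced
        $root = Get-AnonymousStatus "http://$HostName/"
    }
    finally {
        Remove-Item -Path $tokenFile -ErrorAction SilentlyContinue   # leave nothing behind
    }
    [pscustomobject]@{
        ChallengeAnonymous = ($challenge -eq 200)
        RootStillProtected = ($root -eq 401)
    }
}

$dir = Set-AcmeChallengeLocation
Test-AcmeChallengeLocation -ChallengeDir $dir   # both fields should report True
```

The second check is the one worth keeping around: if `RootStillProtected` ever reports false, the anonymous exception has leaked beyond the `.well-known` location and the CRM site is answering unauthenticated callers. Run it again after any CRM update or IIS reconfiguration, since those can rewrite the site-level `<location>` entries.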
