IIS configuration

All of the following should only be applied to the /.well-known/acme-challenge/ path. Don't do any of this at the root of the server or the website, because it might break your application(s).

Relevant settings

CMS

Your CMS might intercept the request and redirect the user to an (error) page. The solution is to configure your CMS to allow unlimited access to the challenge path.

Handlers

IIS might not be configured to serve static extensionless files. Go to “Handler Mappings” > “View Ordered List” and move StaticFile above the various ExtensionlessUrlHandlers.

MIME types

IIS should serve extensionless files with the MIME type text/plain.

Request filtering

Unlisted file extensions and high bit characters should be allowed.

Authentication

Your website might require NTLM, client certificates or other authentication methods. Enable anonymous authentication to allow access from the ACME server.

SSL

Your website might be configured to exclusively accept HTTPS traffic, while the validation request comes in on port 80. Disable the “Require SSL” setting to fix that.

IP/Domain Restrictions

Your website might use IP Address and Domain Restrictions to provide extra security. The ACME server will need to be allowed through those restrictions, though. (Let’s Encrypt does not publish a list of IP addresses that they can use for validation.)

URL Rewrite

If you are using URL Rewrite, the validation request might get caught up in that, so you may need to make an exception for the challenge path. For example:

<rule name="ACME validation" stopProcessing="true">
    <match url="^\.well-known.*$" />
    <action type="None" />
</rule>

MVC

For MVC sites you might need the following:

<!-- web.config for the .well-known/acme-challenge folder only (see the note at the top of this page) -->
<configuration>
    <system.webServer>
        <staticContent>
            <clear />
            <!-- catch-all mapping so the extensionless token file gets a MIME type -->
            <mimeMap fileExtension=".*" mimeType="text/json" />
        </staticContent>
        <handlers>
            <clear />
            <!-- only the static file handler remains, so MVC routing cannot claim the request -->
            <add name="StaticFile"
                 path="*"
                 verb="*"
                 type=""
                 modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
                 scriptProcessor=""
                 resourceType="Either"
                 requireAccess="Read"
                 allowPathInfo="false"
                 preCondition=""
                 responseBufferLimit="4194304" />
        </handlers>
    </system.webServer>
</configuration>

Testing

Use --test mode and external servers like https://letsdebug.net/ to verify your configuration.
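Before going external, a local probe of the challenge path catches most of the issues listed above (redirects, authentication, request filtering, handlers). The script below is an added example, not part of simple-acme; the site root and host name are placeholders.

```powershell
# Added example (not simple-acme code): pre-check the HTTP-01 challenge path.
# Assumptions (placeholders): site root C:\inetpub\wwwroot, public host example.com,
# and port 80 of that host is reachable from where you run this.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',
    [string]$HostName = 'example.com'
)

$challengeDir = Join-Path $SiteRoot '.well-known\acme-challenge'
# Extensionless token name, like the one the ACME client writes.
$token = 'probe-' + [Guid]::NewGuid().ToString('N')
$expected = 'acme-probe ' + (Get-Date -Format o)

New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
Set-Content -Path (Join-Path $challengeDir $token) -Value $expected -NoNewline -Encoding ascii

$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    # -MaximumRedirection 0: a redirect to HTTPS or to a CMS error page must
    # surface as a failure rather than being followed silently.
    $resp = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    $body = $resp.Content.Trim()
    if ($resp.StatusCode -ne 200) {
        Write-Warning "Status $($resp.StatusCode) for $url; check Handlers, Request Filtering and MIME types."
    } elseif ($body -ne $expected) {
        Write-Warning "Body mismatch (got '$body'); a CMS or URL Rewrite rule is answering instead of the static file."
    } else {
        Write-Host "OK: $url served the token over plain HTTP (Content-Type: $($resp.Headers['Content-Type']))"
    }
} catch {
    # 3xx (with redirects disabled), 401/403/404 and connection errors all land here.
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
    Write-Warning "Typical causes: Require SSL, authentication, IP restrictions, URL Rewrite or a CMS intercepting the path."
} finally {
    Remove-Item -Path (Join-Path $challengeDir $token) -ErrorAction SilentlyContinue
}
```

Run it on the web server with a host name that resolves to the site; a green result here does not replace --test mode or letsdebug.net, which check reachability from the outside.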

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.