Maathuran's Blog
Installing Let's Encrypt Certs for IIS/RDG


Introduction

Our RDS and RDG setup can't be used as-is because both have self-signed certs. The fix is to use Win-ACME to generate valid Let's Encrypt certs and automatically install them on RDG and IIS.

Installing Win-ACME

Download the zip here: https://www.win-acme.com/. I like to extract it to the \inetpub\win-acme folder.

Once the folder is extracted, we will automate the process with the pre-generated script from Advanced usage\Remote Desktop Services (https://www.win-acme.com/manual/advanced-use/examples/rds). Make sure to replace the values to match your environment.

wacs.exe --source manual --host rds.ata.al --certificatestore My --installation iis,script --installationsiteid 1 --script "Scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}"

If it works correctly, you will get the following output:

PS C:\inetpub\win-acme> .\wacs.exe --source manual --host rds.ata.al --certificatestore My --installation iis,script --installationsiteid 1 --script "Scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}"

 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.6.1571 (release, pluggable, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme
 Running in mode: Unattended
 Source generated using plugin Manual: rds.ata.al

Terms of service:    C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.3-September-21-2022.pdf

 Open in default application? (y/n*) - no

 Do you agree with the terms? (y*/n) - yes

 Enter email(s) for notifications about problems and abuse (comma-separated): certs@ata.al

 Plugin Manual generated source rds.ata.al with 1 identifiers
 Plugin Single created 1 order
 [rds.ata.al] Authorizing...
 [rds.ata.al] Authorizing using http-01 validation (SelfHosting)
 [rds.ata.al] Authorization result: valid
 Downloading certificate [Manual] rds.ata.al
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] rds.ata.al @ 2023/11/16 to store My
 Installation step 1/2: IIS...
 Updating existing https binding :443 (flags: 0)
 Committing 1 https binding changes to IIS while updating site 1
 Installation step 2/2: Script...
 Script Scripts\ImportRDSFull.ps1 starting with parameters XXXXXXXXXXXXXXXXXXXX
 Script finished
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\inetpub\win-acme
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00
 Adding renewal for [Manual] rds.ata.al
 Next renewal due after 2024/1/11
 Certificate [Manual] rds.ata.al created
PS C:\inetpub\win-acme>

If you visit the URL in a browser, you will be able to see the valid cert.
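
The browser check only covers IIS, so here is one way to confirm on the server that the store, the IIS binding, the RDS roles and the renewal task all line up. This is an added example, not part of the original post or of win-acme. It assumes an elevated session on the RDS server that also holds the connection broker role; the function name `Test-RdsCertDeployment` and the 30-day threshold are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the RDS/RDG server.
function Test-RdsCertDeployment {
    param(
        [string]$HostName = 'rds.ata.al',   # host name from the walkthrough; replace with yours
        [int]$WarnDays = 30                 # assumed threshold for "expiring soon"
    )
    Import-Module WebAdministration, RemoteDesktop -ErrorAction Stop

    # Newest certificate in LocalMachine\My whose DNS names include the host.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $HostName in LocalMachine\My" }

    $checks = [ordered]@{
        'Issuer differs from subject (not self-signed)' = $cert.Subject -ne $cert.Issuer
        'Chain validates on this machine'               = $cert.Verify()
        'Private key present'                           = $cert.HasPrivateKey
        "More than $WarnDays days until expiry"         = $cert.NotAfter -gt (Get-Date).AddDays($WarnDays)
    }

    # IIS: every https binding on port 443 should carry the new thumbprint.
    $hashes = @(Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like '*:443:*' } |
        ForEach-Object { $_.certificateHash })
    $stale = @($hashes | Where-Object { $_ -ne $cert.Thumbprint })
    $checks['IIS :443 bindings use this cert'] = ($hashes.Count -gt 0) -and ($stale.Count -eq 0)

    # RDS: each role reported by the deployment should carry the same thumbprint.
    foreach ($role in Get-RDCertificate) {
        $checks["RDS role $($role.Role)"] = $role.Thumbprint -eq $cert.Thumbprint
    }

    # Renewal: the scheduled task created by wacs.exe must exist and not be disabled.
    $task = Get-ScheduledTask -TaskName 'win-acme renew*' -ErrorAction SilentlyContinue
    $checks['Renewal task present and enabled'] = [bool]($task | Where-Object State -ne 'Disabled')

    # One row per check so failures stand out in the table.
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
    }
}

Test-RdsCertDeployment | Format-Table -AutoSize
```

Any row with `Passed` set to `False` after a renewal means a service is still presenting the old or self-signed certificate, or that the renewal task will not run.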