Using a Free Let's Encrypt SSL Certificate with the Dynamics NAV Web Client

Let’s Encrypt is a relatively new open source certificate authority that provides free SSL certificates. These certificates can be used to secure your Dynamics NAV installation.

Since you’re reading this post you have probably been through the process of signing up for a paid certificate from some authority in the past and then manually installing it on your website or Dynamics NAV installation.

While SSL certificates from commercial authorities are relatively cheap, the process of manually installing and renewing them is cumbersome and expensive if you value your time. Besides, who hasn’t had an SSL certificate expire because they forgot to renew it?

This is where Let’s Encrypt is a real game changer: it is accessible through a set of APIs, so the process can be completely automated. Because certificates issued by Let’s Encrypt only have a lifetime of 90 days, automation becomes essential.

Before getting too excited though, there is one thing you should be aware of. Some domain names, including the Azure cloudapp.net, are blacklisted on Let’s Encrypt since they are ephemeral in the sense that the name might belong to you today and someone else tomorrow. Therefore, if you are hosting your NAV service on Azure you will have to use a custom domain name.

Securing your Dynamics NAV Web Client with an SSL certificate

A prerequisite to using Let’s Encrypt is that your Dynamics NAV Web Client is accessible over the Internet. This is required since Let’s Encrypt’s servers will be accessing your site during the process of issuing your certificate to ensure you are the rightful owner of it.

To make the process as simple as possible I recommend using the open source project letsencrypt-win-simple. Go ahead and download the latest release and extract it on your Dynamics NAV web server. Place it in a location where you intend to keep it as it’ll be used for renewal of your certificate later on.

In order for letsencrypt-win-simple to work, you must add a hostname to your Dynamics NAV website’s binding in IIS and change the site to run on port 80. Let’s Encrypt will only connect to your site on port 80 or 443 in order to verify your ownership.

To do so, open Internet Information Services Manager, right click on your Dynamics NAV Web Client site, and select Edit Bindings.

The default Dynamics NAV Web Client installation creates a binding that listens on any hostname on port 8080. Change this to a specific hostname and port 80.

Notice that:

IIS Bindings

Having done that you are now ready to actually request your new SSL certificate.

Open your favourite command prompt (kudos for thinking PowerShell) and navigate to the directory where you extracted letsencrypt-win-simple.

Now run the following command:

letsencrypt.exe

letsencrypt-win-simple should find your Dynamics NAV Web Client as you see below (home.kfuglsang.com in this example):

Installing SSL certificate with letsencrypt-win-simple

Here you can either select the site by its number (1 in this example), or you can choose “A” to request SSL certificates for all websites on your server.

After a short time it will ask you to specify user credentials for a scheduled task that will auto-renew your new SSL certificate. If you simply select “N” your current user will be used for this.

Scheduling certificate renewal

Back in the IIS manager you can verify that your Dynamics NAV Web Client now has an HTTPS binding with a valid certificate expiring in 90 days.

IIS Bindings with HTTPS binding

In the Windows Task Scheduler you will see the scheduled renewal. The task runs every morning to ensure your certificate is always up to date.
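
The two checks above (the HTTPS binding in IIS and the renewal task in Task Scheduler) can also be scripted and run on a schedule. This is an added example, not part of the original post or of letsencrypt-win-simple; the site name is a placeholder, and the task-name filter and the 30-day warning threshold are assumptions.

```powershell
# Added example: audit the result of the steps above. Run elevated on the web server.
param(
    [string]$SiteName   = 'YOUR-NAV-WEB-CLIENT-SITE',  # placeholder: your IIS site name
    [string]$TaskFilter = '*letsencrypt*',             # assumption: matches the renewal task name
    [int]$WarnDays      = 30                           # assumption: alert threshold in days
)
Import-Module WebAdministration
$problems = @()

# Validation reaches the site on port 80 or 443, so the port 80 binding must stay in place.
$http80 = Get-WebBinding -Name $SiteName -Protocol http |
    Where-Object { $_.bindingInformation -like '*:80:*' }
if (-not $http80) { $problems += "No HTTP binding on port 80 for '$SiteName'" }

# Each HTTPS binding must point at a certificate that exists in the machine store,
# passes .NET's default chain validation, and is not close to expiry.
$https = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($https.Count -eq 0) { $problems += "No HTTPS binding on '$SiteName'" }
foreach ($b in $https) {
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) { $problems += "$($b.bindingInformation): certificate missing from store"; continue }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    "{0}  subject={1}  issuer={2}  daysLeft={3}" -f $b.bindingInformation, $cert.Subject, $cert.Issuer, $daysLeft
    if (-not $cert.Verify())     { $problems += "$($cert.Subject): chain validation failed" }
    if ($daysLeft -lt $WarnDays) { $problems += "$($cert.Subject): expires in $daysLeft days" }
}

# The renewal task must exist, be enabled, and have succeeded on its last run.
# The account is printed so you can confirm it is the one you intended.
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskFilter })
if ($tasks.Count -eq 0) { $problems += "No scheduled task matching '$TaskFilter'" }
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    "{0}  runAs={1}  lastRun={2}  lastResult=0x{3:X}  nextRun={4}" -f `
        $t.TaskName, $t.Principal.UserId, $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime
    if ($t.State -eq 'Disabled')    { $problems += "$($t.TaskName): task is disabled" }
    if ($info.LastTaskResult -ne 0) { $problems += "$($t.TaskName): last run did not return 0" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'All checks passed.'
```

A task that has never run reports a non-zero last result, so expect one warning until the first scheduled run has completed.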

All that’s left is to sit back and enjoy never having to manually renew your certificates. In a later post I’ll look into securing other parts of your Dynamics NAV installation using the Let’s Encrypt certificate.
