Skip to main content

Enable HTTPS on the IIS site

The MSI configures the Erde IIS site with an HTTP binding only. For any deployment users reach over a network — and every internet-facing one — add an HTTPS binding with a TLS certificate. This guide covers the IIS hosting shape; if you run Erde as a Windows Service behind a separate proxy, use Put Erde behind a reverse proxy for HTTPS instead.

Before you start
  • Role required: local administrator on the Erde server.
  • Prerequisites: Erde is installed in the IIS hosting shape with first-run setup complete. You have a TLS certificate for the server's public host name — already in the Windows certificate store, or a .pfx file to import.

Steps

  1. Install the certificate on the server if it isn't already there. In IIS Manager, select the server node, open Server Certificates, and Import… your .pfx — or use a certificate already in the store (a domain-issued or public-CA certificate whose subject matches the host name users type).

  2. Add an HTTPS binding to the Erde site. In IIS Manager, expand Sites, select Erde, and choose Bindings… → Add…:

    FieldWhat to enter
    Typehttps
    IP addressAll Unassigned, or a specific address
    Port443 (or another port if 443 is in use)
    Host nameThe public host name users reach Erde at (recommended)
    SSL certificateThe certificate from step 1

    Select OK, then Close.

  3. Open the HTTPS port in the firewall. The installer opened only the HTTP port, so add an inbound rule for the HTTPS port on the same network profiles:

    New-NetFirewallRule -DisplayName "Erde HTTPS (Domain)" -Direction Inbound -Protocol TCP -LocalPort 443 -Profile Domain -Action Allow
    New-NetFirewallRule -DisplayName "Erde HTTPS (Private)" -Direction Inbound -Protocol TCP -LocalPort 443 -Profile Private -Action Allow
  4. Point Erde at the HTTPS URL. Erde uses its public base URL for host filtering and for the links in password-reset and account-setup emails, so it must match the address users type. Set Application:PublicBaseUrl in C:\Program Files\Erde\api\appsettings.Production.json to your HTTPS URL — for example https://erde.example.com — then recycle the Erde app pool (or run iisreset) so the change takes effect.

  5. (Optional) Force HTTPS. To stop users reaching the site over plain HTTP, either remove the site's http binding in the same Bindings… dialog, or add an IIS URL Rewrite rule that redirects http to https.

Result

Users reach Erde at https://<host>, and email links point to the same secure address. Because IIS hosts Erde in-process, it passes the HTTPS request straight to Kestrel with the original scheme intact — no forwarded-header configuration is needed. (That configuration applies only to the Windows Service behind a proxy shape, where a separate process terminates TLS.)

Troubleshooting

SymptomCauseResolution
The browser warns the certificate is invalidThe certificate's subject/SAN doesn't match the host name, or the client doesn't trust the issuerUse a certificate whose name matches the host users type, issued by a CA the clients trust
HTTPS works on the server but not from other machinesThe HTTPS port isn't open in the firewallAdd the inbound rule from step 3 for the HTTPS port on the Domain/Private profiles
Password-reset or setup emails link to http:// or the wrong hostApplication:PublicBaseUrl still points at the old addressSet it to the https:// public URL and recycle the app pool
The site returns an error after you add a host name to the bindingThe request host doesn't match Application:PublicBaseUrl (host filtering)Make the binding's host name and PublicBaseUrl agree