Enable HTTPS on the IIS site
The MSI configures the Erde IIS site with an HTTP binding only. For any deployment users reach over a network — and every internet-facing one — add an HTTPS binding with a TLS certificate. This guide covers the IIS hosting shape; if you run Erde as a Windows Service behind a separate proxy, use Put Erde behind a reverse proxy for HTTPS instead.
- Role required: local administrator on the Erde server.
- Prerequisites: Erde is installed in the IIS hosting shape with first-run setup complete. You have a TLS certificate for the server's public host name — already in the Windows certificate store, or a
.pfxfile to import.
Steps
-
Install the certificate on the server if it isn't already there. In IIS Manager, select the server node, open Server Certificates, and Import… your
.pfx— or use a certificate already in the store (a domain-issued or public-CA certificate whose subject matches the host name users type). -
Add an HTTPS binding to the Erde site. In IIS Manager, expand Sites, select Erde, and choose Bindings… → Add…:
Field What to enter Type httpsIP address All Unassigned, or a specific address Port 443(or another port if 443 is in use)Host name The public host name users reach Erde at (recommended) SSL certificate The certificate from step 1 Select OK, then Close.
-
Open the HTTPS port in the firewall. The installer opened only the HTTP port, so add an inbound rule for the HTTPS port on the same network profiles:
New-NetFirewallRule -DisplayName "Erde HTTPS (Domain)" -Direction Inbound -Protocol TCP -LocalPort 443 -Profile Domain -Action AllowNew-NetFirewallRule -DisplayName "Erde HTTPS (Private)" -Direction Inbound -Protocol TCP -LocalPort 443 -Profile Private -Action Allow -
Point Erde at the HTTPS URL. Erde uses its public base URL for host filtering and for the links in password-reset and account-setup emails, so it must match the address users type. Set
Application:PublicBaseUrlinC:\Program Files\Erde\api\appsettings.Production.jsonto your HTTPS URL — for examplehttps://erde.example.com— then recycle the Erde app pool (or runiisreset) so the change takes effect. -
(Optional) Force HTTPS. To stop users reaching the site over plain HTTP, either remove the site's http binding in the same Bindings… dialog, or add an IIS URL Rewrite rule that redirects
httptohttps.
Result
Users reach Erde at https://<host>, and email links point to the same secure address. Because IIS hosts Erde in-process, it passes the HTTPS request straight to Kestrel with the original scheme intact — no forwarded-header configuration is needed. (That configuration applies only to the Windows Service behind a proxy shape, where a separate process terminates TLS.)
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| The browser warns the certificate is invalid | The certificate's subject/SAN doesn't match the host name, or the client doesn't trust the issuer | Use a certificate whose name matches the host users type, issued by a CA the clients trust |
| HTTPS works on the server but not from other machines | The HTTPS port isn't open in the firewall | Add the inbound rule from step 3 for the HTTPS port on the Domain/Private profiles |
Password-reset or setup emails link to http:// or the wrong host | Application:PublicBaseUrl still points at the old address | Set it to the https:// public URL and recycle the app pool |
| The site returns an error after you add a host name to the binding | The request host doesn't match Application:PublicBaseUrl (host filtering) | Make the binding's host name and PublicBaseUrl agree |
Related
- Hosting: Windows Service vs IIS
- Put Erde behind a reverse proxy for HTTPS — the HTTPS story for the Windows Service shape.
- Install with the MSI
- Complete first-run setup