Today most websites are secured with SSL, which is also good for SEO. Normally we get SSL certificates from a Certificate Authority (CA), so to enable HTTPS for a website hosted on a Windows server we need to get a certificate from a CA. Let’s Encrypt is a certificate authority that provides free SSL certificates for our website names. More details about Let’s Encrypt are available on their official website.
Let’s Encrypt uses the ACME protocol to verify that we control a given domain name and to issue a certificate. To get a Let’s Encrypt certificate, we need to choose a piece of ACME client software. Note also that Let’s Encrypt certificates are set to expire after 90 days.
One of the most popular ACME clients used to issue SSL certificates from Let’s Encrypt is Certbot. It is the only ACME client recommended by Let’s Encrypt. Other ACME clients are available and can be used as well.
Now let’s focus on how to install an SSL certificate for a website hosted on Windows Server 2019 with IIS as the web service.
Make sure IIS is already installed on the server and that a live website has been created in IIS and loads fine from the server. If not, let’s install IIS and create a website in it. In this article we use Windows Server 2019. You can also follow this article if you have Windows Server 2012 or 2016.
Section 1. Install IIS in Windows Server 2019
Refer to this section if your Windows Server 2019 doesn’t have IIS preinstalled. Otherwise move to the next section.
To install IIS, first log in to your Windows Server 2019 and open Server Manager from the Windows Start menu.
Click Add Roles and Features in Server Manager.
The Add Roles and Features Wizard will open. Click Next.
Choose Role-based or feature-based installation. Click Next.
Choose the “Select a server from the server pool” option. Select our own server from the list below and click Next.
Choose the Web Server (IIS) server role. A popup window will appear to add features. Confirm it by clicking the “Add Features” option.
Leave the Features section as it is and click Next.
Click Next on the Web Server Role section.
Leave the Web Server Role Services selection as it is. Click Next.
Finalise the install by clicking the Install button.
Wait a few minutes. We will get the message “Installation Succeeded”. Click Close.
This completes the IIS install. Now let’s move to the next section, which is creating a website through IIS.
Section 2. Create Website In IIS
If your website is already created through IIS Manager, skip this section and move to the next section.
To create a website, first open IIS Manager from Server Manager itself. Choose IIS >> right click on our server name and choose “Internet Information Services (IIS) Manager”.
In IIS Manager, right click on the server name and click the “Add Website” option.
In the site name field, give your website name. In this article, we gave the name certbot.supporthost.in
Choose the physical path as “C:\inetpub\wwwroot”. You can also choose your desired directory for placing the website files. Normally it will be “C:\inetpub\wwwroot”.
In the hostname field give your website name again. In our case it is “certbot.supporthost.in”.
Leave the other settings as they are and click the “OK” button.
This concludes the creation of the website through IIS Manager. Now we can test the website by creating a test page in the folder “C:\inetpub\wwwroot”, visiting the URL in the browser and making sure the test page loads.
Here I created an index.html page under the document root with some text content. After that I visited the URL certbot.supporthost.in in the web browser. It worked and showed the exact content I added in the index.html page.
At this point our Windows Server 2019 has IIS installed and the website is created through IIS Manager. We are now ready to issue a Let’s Encrypt SSL/TLS certificate for our website. Let’s see how this can be done in the next section.
Section 3. Issuing SSL/TLS Certificate for Website
Now it is time to get and install a free SSL/TLS certificate for our website. As we said earlier, there are many different ACME clients available for issuing a Let’s Encrypt SSL certificate for our website.
Of these, we discuss two methods for issuing an SSL/TLS certificate for our website, given below. We only have to follow one of them.
a. Using the certbot ACME client for issuing SSL
b. Using the win-acme client
Section 3 a. Installation of certbot ACME client On Windows
In this section we install the certbot ACME client. First download the certbot ACME exe file by visiting the below URL in the web browser.
After the download completes, run the installer by double clicking the install file. The installer wizard will open; click Next.
The installer will propose a default installation directory, C:\Program Files (x86)\Certbot. Leave it as it is and click Install.
After the install completes, click Finish.
This completes the certbot ACME package install. Now let’s test it. For that, open Windows cmd and type the below command.
The result will look like below.
This confirms that the certbot ACME client is installed successfully. Now let’s move to the next section.
Section 3 a. Issue SSL Certificate Using Certbot
In this section we issue the SSL certificate for our website. First stop the IIS service from IIS Manager itself or through the Windows Services section.
Then issue the below command in Windows cmd.
Agree to the terms and conditions by typing Y.
Enter the domain name for which we wish to issue the SSL certificate. Here I entered certbot.supporthost.in
Certbot successfully issued the SSL/TLS certificate and private key along with the intermediate certificate. The issued certificates are automatically saved to the C:\Certbot\live\certbot.supporthost.in\ folder.
This completes issuing the SSL/TLS certificate for our website. Start the IIS service again, and let’s move to the next section.
Section 3 a. Import & Install SSL Using IIS Manager.
Currently, Certbot for Windows cannot automate installing the SSL certificate in IIS. Future versions will be able to automate it for specific web-server applications. So we need to import this certificate manually through IIS Manager.
For that we need to convert the PEM formatted SSL certificate files we got from the certbot ACME client into a PFX file. PFX is the SSL file type supported by IIS.
We can either use online PEM to PFX converter tools or openssl commands like below.
We are not discussing the conversion steps further; we assume that you have the PFX version of the SSL certificate at hand and that it is ready to import through IIS Manager. In our case the SSL/TLS certificate file name is cert.pfx
Now open IIS Manager and, under the server, click “Server Certificates”, then click Import.
In the import window, provide our cert.pfx file location in the certificate file field.
Leave the password field blank.
Select the certificate store as Personal.
Leave the other settings as they are and click OK.
Now we can see that our certificate is successfully imported and is available under the IIS “Server Certificates” section.
After that, from IIS Manager itself, go to our site under the Sites section. Click Bindings.
Click “Add” in the “Site Bindings” window.
A new “Add Site Binding” window will open. In it:
Choose the type as https
In the hostname field enter our domain name, “certbot.supporthost.in”
Choose our certificate from the SSL certificate list
Enable Require Server Name Indication
Leave all other settings as they are and click OK.
This concludes the SSL install. Verify that SSL is working by browsing your website over https in the browser.
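The convert, import and bind steps above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes openssl.exe is on the PATH, runs in an elevated prompt, and uses the site name and Certbot folder from this article. The conversion runs locally, so privkey.pem never leaves the server.

```powershell
# Added example: convert Certbot's PEM files to PFX, import into the
# Personal store, and create the https binding with SNI.
# Assumptions: openssl.exe is on PATH; the IIS site is named after the domain.
Import-Module WebAdministration

$domain  = 'certbot.supporthost.in'
$liveDir = "C:\Certbot\live\$domain"
$pfxPath = Join-Path $env:TEMP 'cert.pfx'

# 1. Convert on the server itself. The empty export password matches the
#    blank password field used in the IIS import dialog above.
& openssl pkcs12 -export -out $pfxPath `
    -inkey    "$liveDir\privkey.pem" `
    -in       "$liveDir\cert.pem" `
    -certfile "$liveDir\chain.pem" `
    -passout  'pass:'
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed (exit code $LASTEXITCODE)" }

try {
    # 2. Import into the local machine Personal store (Cert:\LocalMachine\My).
    $cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My
}
finally {
    # The PFX carries the private key without a password: remove it once imported.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}

if (-not $cert.HasPrivateKey) {
    throw "Imported certificate $($cert.Thumbprint) has no private key; IIS cannot use it."
}

# 3. Add the https binding with Require Server Name Indication (SslFlags 1)
#    and attach the imported certificate to it.
if (Get-WebBinding -Name $domain -Protocol https -HostHeader $domain) {
    Write-Warning "An https binding for $domain already exists; leaving it unchanged."
}
else {
    New-WebBinding -Name $domain -Protocol https -Port 443 -HostHeader $domain -SslFlags 1
    $binding = Get-WebBinding -Name $domain -Protocol https -HostHeader $domain
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound $($cert.Thumbprint) to https://$domain (expires $($cert.NotAfter))"
}
```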
Also, if we open the Windows Certificate Manager by running the command “certlm.msc” from Windows Run and then expand “Personal” >> Certificates, we will be able to see that our imported Let’s Encrypt SSL certificate is available.
Another thing: if we open Windows Task Scheduler, we will be able to see that a task named “Certbot Renew” has been created. This task will automatically run when the already issued Let’s Encrypt certificate is going to expire. So in short we don’t have to worry about manually renewing the certificate on expiry.
In our case we used standalone authentication on a machine where port 80 is normally in use for issuing the SSL certificate. In such cases we want to edit the built-in command to add the --pre-hook and --post-hook flags, which stop and start our IIS web service automatically so that SSL/TLS certificates renew successfully.
For that, choose the “Certbot Renew” task >> choose Properties >> click the Actions tab >> click Edit.
In the “Add arguments” section add a command like below.
Now we can also test this command by issuing it in Windows cmd. Once issued, we will normally get the message that the certificate is not due for renewal.
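Because the PFX was imported by hand, the copy in the Windows certificate store is separate from the PEM files that Certbot renews under C:\Certbot\live. The following PowerShell is an added example, not the article's own command: it runs the renewal with the two hooks and then checks that IIS is running again and that the https binding serves the same certificate Certbot holds on disk. The service name W3SVC and the 30-day warning threshold are assumptions.

```powershell
# Added example: renew with hooks, then verify what IIS actually serves.
# Run from an elevated PowerShell prompt.
Import-Module WebAdministration

$domain  = 'certbot.supporthost.in'             # site and host name used in this article
$pemPath = "C:\Certbot\live\$domain\cert.pem"   # leaf certificate Certbot keeps renewed

# Stop IIS around the standalone challenge so port 80 is free.
# Assumption: the IIS web service is the standard W3SVC service.
& certbot renew --pre-hook 'net stop w3svc' --post-hook 'net start w3svc'
if ($LASTEXITCODE -ne 0) { Write-Warning "certbot renew exited with code $LASTEXITCODE" }

# The post-hook must leave IIS running again.
if ((Get-Service -Name W3SVC).Status -ne 'Running') {
    Write-Warning 'W3SVC is not running after renewal; start it before continuing.'
}

# Certificate Certbot holds on disk (public part only).
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pemPath

# Certificate the https binding actually points at.
$binding = Get-WebBinding -Name $domain -Protocol https -HostHeader $domain
if (-not $binding) { throw "No https binding found for $domain" }
$served = Get-Item ("Cert:\LocalMachine\{0}\{1}" -f `
    $binding.certificateStoreName, $binding.certificateHash)

$daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays

if ($served.Thumbprint -ne $onDisk.Thumbprint) {
    Write-Warning ("IIS serves {0} but Certbot holds {1}: convert and import the renewed files again." -f `
        $served.Thumbprint, $onDisk.Thumbprint)
}
if ($daysLeft -lt 30) {   # assumed threshold
    Write-Warning "Certificate bound in IIS expires in $daysLeft days ($($served.NotAfter))."
}

# Summary object for logging or a monitoring job.
[pscustomobject]@{
    Domain        = $domain
    ServedThumb   = $served.Thumbprint
    OnDiskThumb   = $onDisk.Thumbprint
    InSync        = ($served.Thumbprint -eq $onDisk.Thumbprint)
    DaysRemaining = $daysLeft
}
```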
Now we can also try implementing SSL using another ACME client for Windows. Follow the below steps only if you don’t like the first method we discussed. Otherwise, this concludes the install and setup of Let’s Encrypt SSL on Windows Server 2019.
Section 3 b. SSL Install Using win-acme Lets Encrypt Client
win-acme is an ACMEv2 client for Windows that aims to be very simple to use. It has a very simple interface to create and automatically install certificates on an IIS server.
Only follow this section if you don’t want to use the certbot ACME client to issue SSL, which we discussed in the above section.
The first thing is to download the win-acme package from their official website, www.win-acme.com
Extract the downloaded zip folder and save it wherever you need. In my case I saved it in the Downloads folder itself. After that go to the directory and double click “
The win-acme interface will open and it will look like below.
To create a certificate we need to type “N”.
The win-acme client will scan our live websites from IIS and show the results. Now we need to select our website by inputting the site identifier number shown by the win-acme client itself. In our case the number is “2”, so I entered “2”.
Now choose our website binding again by entering the corresponding number. In my case it was “1”.
Confirm the selection by typing “yes”.
Agree to the terms and conditions by typing “yes”.
Enter our email address for communication.
The SSL/TLS certificate will be issued for our website. It will be stored under the “Web Hosting” section in Windows Certificate Manager. After that the https binding will automatically be created for the website with the new Let’s Encrypt certificate. The win-acme client will also automatically schedule the renewal.
Okay, this completes the Let’s Encrypt SSL install using the win-acme client. Now we can quit the console by typing “Q”.
Also, if we go to the Windows Certificate Manager >> expand “Web Hosting” and Certificates, we will see that our certificate is already imported.
Also, if we go to the folder “C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\certificates”, we will see that the issued certificate files are stored in it.
Now we can also test the SSL certificate renewal by running the “wacs.exe” file again.
Type “A” to manage renewals.
We will get a list of all Let’s Encrypt SSL certificates on the server. Enter the corresponding number for the SSL certificate that we wish to renew. In our case it is “2”.
Now run the renewal by typing “R”.
We will see the renewal running. Once it has completed, quit the console by typing “Q”.
This completes issuing a free Let’s Encrypt SSL/TLS certificate using the win-acme Let’s Encrypt client. After this, if we visit our website in the web browser it will be secured with the new Let’s Encrypt SSL/TLS certificate we issued.
In this tutorial, we discussed how to install a Let’s Encrypt SSL/TLS certificate on Windows Server 2019. We also discussed a few errors we faced. I hope this article is informative. Leave your thoughts in the comment box.