Today most websites are secured using SSL, which is also good for SEO. Normally we get SSL certificates from a Certificate Authority (CA). So if we need to enable HTTPS for a website hosted on a Windows server, we need to get a certificate from a CA. Let’s Encrypt is a certificate authority that provides free SSL certificates for our website names. More details about Let’s Encrypt are available on their official website.

Let’s Encrypt uses the ACME protocol to verify that we control a given domain name and to issue a certificate. To get a Let’s Encrypt certificate, you’ll need to choose a piece of ACME client software to use. Another point about Let’s Encrypt certificates is that they are set to expire after 90 days.

One of the most popular ACME clients used to issue SSL certificates from Let’s Encrypt is the Certbot client. It is the only ACME client recommended by Let’s Encrypt. We can also try out the other ACME clients available; there is no issue with that.

Let’s focus on how we can install an SSL certificate for a website hosted on a Windows server running IIS.

Make sure IIS is already installed on the server and that a live website has been created through IIS and is loading fine from the server. If not, let’s install IIS and create a website in it. In this article we use Windows Server 2019. You can also refer to this article if you have Windows Server 2012 or 2016.

Install IIS in Windows Server 2019

Open Server Manager >> Add Roles and Features >> Click Next.

Choose Role-based or feature-based installation.

Choose our server from the server pool.

Choose IIS and confirm the features from the popup window.

Leave the feature and Web Server role selections at their defaults and click Next.

Tick the “Restart the destination server automatically” option in the confirmation window.

Click Install.

This completes the IIS install. Now let’s create a website through IIS.

Create Website in IIS

Open IIS Manager >> Right-click on the server name and click the “Add website” option.

In the site name field, give our website name. In this article, we gave our sample website name.

Choose the physical path as “C:\inetpub\wwwroot”. You can also choose your desired directory for placing the website files. Normally it will be “C:\inetpub\wwwroot”.

In the hostname field give our website name again. In our case it is “certbot.supporthost.in”.

Leave the other settings as they are and click the “Ok” button.

This concludes the creation of the website through IIS Manager. Now we can test the website by creating a test page in the folder “C:\inetpub\wwwroot”, visiting the URL in the browser and making sure the test page loads.

Now it is time for getting and installing SSL for our website. As we said earlier, there are different ACME clients available for issuing Let’s Encrypt SSL for our website.

We discuss two methods in this article. We only have to follow one of them.

  1. Using certbot ACME client for issuing SSL
  2. Using letsencrypt-win-simple ACME Client

Installation of certbot ACME client On Windows

Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe.

Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files (x86).

Click Install.

This completes the certbot install. Now let’s test it.

Open Windows cmd and issue the command “certbot --help”. The command should print Certbot’s help text.

Issue SSL Certificate Using Certbot

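Stop the IIS service from IIS Manager or through the Windows Services section. The standalone mode used below starts its own temporary web server on port 80, so IIS must not be listening there.

Issue the command below in Windows cmd:

certbot certonly --standalone --register-unsafely-without-email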

Agree to the terms and conditions by typing A.

Enter our domain name.

Certbot will issue the SSL certificate, and it will automatically be saved to the location C:\Certbot\live\certbot.supporthost.in\.

Currently, Certbot for Windows cannot automate the installation of this issued SSL certificate in IIS. Future versions will be able to automate it for specific web-server applications. So we need to install this certificate manually through IIS Manager. Start the IIS service again and let’s import this SSL certificate into IIS.

For that we need to convert the PEM-formatted SSL certificate file into a PFX one. PFX is the SSL file type supported by IIS.

We can either use online PEM to PFX converter tools or openssl commands like the one below.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

We are not discussing the conversion steps, and we assume that you have the PFX version of the SSL certificate on hand and that it is ready to import through IIS.

Import & Install SSL in IIS.

Open IIS Manager and, under the server, click on “Server Certificates”, then click Import.

Browse to our file and leave the other settings as they are.

Click Ok. Now you will see the certificate is available in the Server Certificates section.

After that go to our sites section. Click on Bindings.

Click Add.

Choose the type as “https”.

In the hostname field enter our domain name as “certbot.supporthost.in”.

Choose our certificate from the SSL certificate list.

Tick “Require Server Name Indication”.

Click Ok.

This concludes the SSL install. Verify the SSL working by browsing your website over https  in the browser.
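
The conversion, import and binding steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it assumes openssl.exe is on the PATH, that Certbot wrote cert.pem, chain.pem and privkey.pem into the live directory named earlier, and that the IIS site is named after the domain. Converting locally keeps the private key on the server.

```powershell
#Requires -RunAsAdministrator
# Added example: convert Certbot's PEM output to PFX locally, import it, bind it in IIS.
# Assumptions: openssl.exe is on PATH; names and paths match this article's sample site.
Import-Module WebAdministration

$Domain   = 'certbot.supporthost.in'        # host name used in this article
$SiteName = $Domain                         # assumption: IIS site is named after the domain
$LiveDir  = "C:\Certbot\live\$Domain"
$PfxPath  = Join-Path $env:TEMP "$Domain.pfx"

# The PFX password is handed to openssl through an environment variable,
# not on the command line where it would show up in process listings.
$PfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $PfxPassword).Password

try {
    # Same conversion as the openssl command above, using Certbot's file names.
    & openssl pkcs12 -export -out $PfxPath `
        -inkey    (Join-Path $LiveDir 'privkey.pem') `
        -in       (Join-Path $LiveDir 'cert.pem') `
        -certfile (Join-Path $LiveDir 'chain.pem') `
        -passout  env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl failed with exit code $LASTEXITCODE" }

    # Import into the machine store that IIS lists under "Server Certificates".
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
}
finally {
    # The PFX holds the private key: remove the temporary copy and the variable.
    Remove-Item $PfxPath -ErrorAction SilentlyContinue
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}

# Create the https binding with "Require Server Name Indication" (SslFlags 1) if missing.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

"Bound $($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
```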

Now we can also try implementing SSL using another ACME client for Windows. Follow the steps below for the second method. Otherwise, this concludes the install of Let’s Encrypt SSL on a Windows Server.

SSL Install Using letsencrypt-win-simple ACME Client

Download letsencrypt-win-simple (A Simple ACME Client for Windows) from the GitHub repository below.

https://github.com/Lone-Coder/letsencrypt-win-simple/wiki
https://github.com/Lone-Coder/letsencrypt-win-simple/releases

  • Unzip the files to a folder whose path you will remember, so that it can run for renewals.
  • Run letsencrypt.exe with administrator privileges from cmd. The command I used is letsencrypt.exe --san
  • Type the email address and hit enter.
  • Type “Y” and hit enter at the agreement prompt.

Issue SSL for domain

  • The app will scan for the sites already published in IIS and will list them, each with a number.
  • Type the corresponding number at the field “Which host do you want certificate for” and hit enter. In my case the number was 8.
  • At this stage I got the error “Authorization result invalid”.

The ACME server was probably unable to reach http://yourwebsitename.com/.well-known/acme-challenge /4EC0TjwATWTgctVEaq1HkKFytk-To69o-gFEqd9OMFs

Possible causes.

This could be caused by IIS not being setup to handle extension-less static files.

Here’s how to fix that:

  1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
  2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
  3. If you need to make changes to your web.config file, update the one at C:\Users\Administrator.SE354ACCU7357\Downloads\letsencrypt-win-simple.V1.9.1\web_config.xml
  4. So I hit enter, opened IIS Manager and went to Site/Server->Handler Mappings->View Ordered List
  5. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
  6. Screenshots of the above steps are given below.

Error while running Let's Encrypt script.

IIS service
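
Before rerunning the client, the handler change can be verified by serving an extension-less file from the challenge directory and fetching it over plain HTTP. This PowerShell check is an added example, not part of the original article or of letsencrypt-win-simple; the site root and host name are the ones used earlier in this article, and the function name is hypothetical.

```powershell
# Added example: confirm IIS serves an extension-less file from .well-known\acme-challenge.
# Assumptions: site root and host name are the ones used in this article.
$SiteRoot = 'C:\inetpub\wwwroot'
$HostName = 'certbot.supporthost.in'

function Test-AcmeChallengePath {
    param([string]$Root, [string]$HostName)

    $dir     = Join-Path $Root '.well-known\acme-challenge'
    $token   = 'probe-' + [guid]::NewGuid().ToString('N')   # constructed, extension-less name
    $file    = Join-Path $dir $token
    $created = -not (Test-Path $dir)

    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path $file -Value $token -NoNewline -Encoding Ascii
    try {
        $resp = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$token" `
                    -UseBasicParsing -TimeoutSec 15
        # Content is byte[] for non-text MIME types, string otherwise; normalise it.
        $body = if ($resp.Content -is [byte[]]) {
            [Text.Encoding]::ASCII.GetString($resp.Content) } else { [string]$resp.Content }
        # The validation request must get the file content back unchanged.
        return [pscustomobject]@{ Ok = ($body.Trim() -eq $token)
                                  Status = [int]$resp.StatusCode; Detail = '' }
    }
    catch {
        # A 404 or 500 here is the kind of failure behind "Authorization result invalid".
        return [pscustomobject]@{ Ok = $false; Status = 0; Detail = $_.Exception.Message }
    }
    finally {
        # Clean up the probe file, and the directory if this function created it.
        Remove-Item $file -ErrorAction SilentlyContinue
        if ($created) { Remove-Item $dir -ErrorAction SilentlyContinue }
    }
}

$result = Test-AcmeChallengePath -Root $SiteRoot -HostName $HostName
if ($result.Ok) { 'Challenge path is served correctly; rerun the ACME client.' }
else { "Challenge path failed (status $($result.Status)): $($result.Detail)" }
```

Because the request originates on the server itself, a pass confirms the IIS handler and MIME configuration but not DNS or firewall reachability from the internet.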

  • Once the IIS settings are done, start over from the beginning by executing the command letsencrypt.exe --san. At this point we did not get any error at the authorisation result section.
  • The certificates got installed, but I got the warning below.

The HTTP binding is IP specific; the app can create it. However, if you have other HTTPS sites they will all get an invalid certificate error until you manually edit one of their HTTPS bindings.  You need to edit the binding, turn off SNI, click OK, edit it again, enable SNI and click OK. That should fix the error. Otherwise, manually create the HTTPS binding and rerun the application. You can see https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/HTTPS-Binding-With-Specific-IP for more information.

  • I acknowledged the same by typing “Y” and hitting enter.
  • I typed “N” at the field “Do you want to specify the user the task will run as?” and hit enter.
  • This successfully completed the SSL install using Let’s Encrypt.
  • Hit enter again to exit the app command line.
  • Take a look at the screenshot below for the above steps.

Screenshot of Let's encrypt Implementation

Conclusion

In this tutorial, we discussed how to install Let’s Encrypt on Windows-based servers. We also discussed a few errors we faced. Leave your thoughts in the comment box.