Introduction
Installing SSL on a website is a must these days, as it secures the data exchanged between the server and the client. It also affects the SEO score, as search providers give preference to sites with SSL installed. Let’s Encrypt is a non-profit certificate authority that provides free SSL certificates, and almost all browsers recognize Let’s Encrypt certificates as trusted. In this tutorial, we will learn how to generate and use Let’s Encrypt certificates on Windows Server 2019 with the IIS web server.
Prerequisites
- A VPS or Dedicated Server with Windows Server 2019 installed.
- You must be logged in via Remote Desktop Protocol as an administrative user.
- A domain name pointed towards your VPS or Dedicated server. In this tutorial, we will use snelexample.site. Replace all occurrences of snelexample.site with your actual domain name.
Step 1: Install IIS (Internet Information Services)
Open Server Manager by searching for Server Manager in the Start Menu. Click on the Add roles and features link.
Below are the detailed instructions for each tab of the Add roles and features wizard.
- Before You Begin: This tab explains the Add roles and features wizard. You can read it or just click Next to get to the next tab.
- Installation Type: Choose “Role-based or feature-based installation” and click Next.
- Server Selection: Select the option “Select a server from the server pool” and click on your server in the “Server pool” list.
- Server Roles: Scroll down the list of roles to find “Web Server (IIS)”. When prompted for the required features, leave the default options checked and click the Add Features button. Click the Next button.
- Features: Leave the default options checked here as well and click the Next button without making any changes.
- Web Server Role: Leave the default options checked, as we are creating a basic web server only, and click the Next button to proceed to the confirmation screen.
- Confirmation: Review the changes once and click the Install button to start the installation.
Once the installation finishes, you can use a web browser to access http://snelexample.site. You should see the default IIS welcome page.
Step 2: Create Simple HTML Test Site
To install a Let’s Encrypt certificate, we first need to create a site. In this tutorial, we will be creating a very simple demo HTML site. Navigate to the directory C:\inetpub\ and create a new folder named snelexample.site. In that folder, create a new file named index.html and populate it with the following content.
<!DOCTYPE html>
<html>
<head>
<title>Demo Site</title>
</head>
<body>
<h1>Hello World</h1>
</body>
</html>
We are done creating the site. Let’s add it to the IIS server in the next step.
Step 3: Adding Website to IIS
Open IIS Manager by searching for IIS in the Start Menu. Expand HOST → Sites in the left pane; you will find the Default Web Site there. To add a new site to the IIS web server, click the Add Website link in the right panel.
In the Add Website dialog, provide a Site name to identify your site. Leave the Application pool the same as the Site name. Enter the physical path of the directory where the index.html page created in Step 2 resides. Leave the default values for Binding Type, IP address and Port. Enter your actual domain name in the Host name field. Click OK to add the site and start it.
Now, use a web browser to access http://snelexample.site again. You should see the example website.
Step 4: Download Let’s Encrypt Client
There are many different client applications available for generating Let’s Encrypt certificates. In this tutorial, we will use the win-acme client, as it is a simple, open-source and actively developed command-line application. It not only generates the certificates but also installs and renews them automatically.
Download the latest version of the application onto the server from its GitHub release page. On the release page, scroll down to the assets and download the zip archive named win-acme.v2.x.x.x.zip. If you are having trouble using Internet Explorer, you can follow this tutorial to install Chrome on the server. Once downloaded, extract the application and move it to a safe location for future use.
Step 5: Generate Let’s Encrypt Certificates
Note: The domain you are using must point to your Snel server. Let’s Encrypt will verify this before issuing the certificate.
To generate the Let’s Encrypt certificate, simply run wacs.exe. You may get a message from Windows Defender saying “Windows protected your PC” because the application was downloaded from the internet. Click the “More Info” link and then the “Run Anyway” button. The application is safe to run, as it is open source and widely used. You may also need to allow the application if a UAC (User Account Control) prompt appears.
Once the application starts, follow these simple steps.
- Press N on the initial menu to choose the option to “Create a new certificate”.
- Next, it will ask “What kind of certificate would you like to create?”. Enter 1 to choose the “Single binding of an IIS site” option.
- The application will now retrieve the list of websites from the IIS server and display it in the command prompt. You will see the site we created in Step 3 listed there. Press the number shown in front of the site.
- It will then ask for your email address, to which renewal notices are sent. Provide your email address and agree to the terms and conditions.
That’s it. If your domain points to your server, it will generate an SSL certificate, install it on the site, and add a scheduled task that renews the certificate automatically when it is due.
Now, you can access your website using HTTPS, e.g. https://snelexample.site, and you should see that the connection is secured with a valid certificate.
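Steps 1 to 5 can also be run unattended. The following PowerShell script is an added example, not part of the original tutorial or of win-acme; it assumes win-acme v2.1.x has been extracted to C:\Tools\win-acme (a placeholder path), that the email address is a placeholder, and that the domain already resolves to this server's public IP. The wacs.exe flags are the ones that appear in the comments below.

```powershell
# Added example: Steps 1-5 of the tutorial as one unattended script.
# Run as an administrator on Windows Server 2019.
$Domain   = "snelexample.site"
$Email    = "admin@snelexample.site"      # placeholder: renewal notices go here
$SiteRoot = "C:\inetpub\$Domain"
$Wacs     = "C:\Tools\win-acme\wacs.exe"   # placeholder: where win-acme was extracted

# Step 1: install the Web Server (IIS) role with the management tools.
Import-Module ServerManager
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null

# Step 2: create the site folder and the demo page.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
@"
<!DOCTYPE html>
<html><head><title>Demo Site</title></head>
<body><h1>Hello World</h1></body></html>
"@ | Set-Content -Path (Join-Path $SiteRoot "index.html") -Encoding UTF8

# Step 3: add the site to IIS with an application pool of the same name
# and a host-header binding on port 80, exactly as done in IIS Manager.
Import-Module WebAdministration
if (-not (Test-Path "IIS:\AppPools\$Domain")) {
    New-WebAppPool -Name $Domain | Out-Null
}
if (-not (Get-Website -Name $Domain -ErrorAction SilentlyContinue)) {
    New-Website -Name $Domain -PhysicalPath $SiteRoot -ApplicationPool $Domain `
                -HostHeader $Domain -Port 80 | Out-Null
}
$SiteId = (Get-Website -Name $Domain).Id

# Step 5: request and install the certificate without the interactive menu.
# --accepttos replaces the terms-of-service prompt; --siteid picks the IIS site.
& $Wacs --target iis --siteid $SiteId --emailaddress $Email --accepttos
if ($LASTEXITCODE -ne 0) { throw "wacs.exe failed with exit code $LASTEXITCODE" }

# Verify: win-acme should have added an https binding and a renewal task.
Get-WebBinding -Name $Domain -Protocol https
Get-ScheduledTask | Where-Object TaskName -like "win-acme*" | Select-Object TaskName, State
```

If the https binding is missing after the run, check the win-acme log output; validation failures (domain not resolving, port 80 blocked) are the usual cause.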
Conclusion
In this detailed tutorial, we installed IIS on Windows Server 2019, created a demo website and added it to IIS, and finally generated and installed a Let’s Encrypt SSL certificate for the demo website.
Steven Phan says
I am hoping you can help me out. Please email me.
Scenario:
The issue we are facing is that clients set up domains with an A record or CNAME like app.customerdomain.com pointed to our domain. That’s on our server like custom.elevatie.com, which is bound.
We generate a certificate, but where do we bind it? The certificate generated is for the client domain, which isn’t bound on our system because they have their CNAME/A record pointed to our custom.elevatie.com to handle all the requests.
But if we were to physically bind the domain on the server and apply the certificate, then yes, we are able to obtain SSL. But this isn’t the case.
Yavuz Aydin says
It looks like you're describing binding multiple SSL certificates to a single site; this is not possible. You should bind the additional domains to the main domain and add the additional domains as a SAN to the main domain certificate.
BD9000 says
I couldn't get this to work.
Is there a website I need to go to to register an account or something?
Got these 2 messages.
[EROR] Authorization result: pending
[EROR] Create certificate failed: Authorization failed
Ahmet Bas says
There is no registration required.
Banshee says
Does the site need to be public facing prior to generating the cert? My site is currently on port 80, but not exposed. Was trying to generate the cert first then expose the site as https. Is that possible or do I need to open it up on 80 as public facing first?
Yavuz Aydin says
Yes, it needs to be public facing on port 80 for Let's Encrypt to successfully verify the domain.
Juan says
"Yes, it must be public on port 80 for Let's Encrypt to successfully verify the domain."
Can you change the port later?
I don't want the service to be in port 80
Yavuz Aydin says
Due to how the ACME protocol works for validating domains through HTTP this is impossible for http validation mechanisms. You need to look into dns validation mechanisms but this is out of scope for this article.
Aram says
Thank you very much. Works perfectly! This tutorial saved me a lot of time and money
Stanley says
Good stuff. This got me set in under 5 minutes.
Kumar says
Thank you very much, it's very clear and worked like a charm for my website
Ian says
Fantastic!! Worked like a charm for me!!
Scott says
Will this application work for a windows based apache server?
Ahmet Bas says
To which application are you referring to? We also have an article for Windows with Apache 2.4 did you check that out already?
Frank says
Hi, I successfully installed certificates on Windows Server 2016 IIS 10. After each renew of the certificates (30 days before expire) the sites lost the certificate connection and I have to reset the renewed certificate for each page. I installed the certificate with the command-line interface of win-acme v2.1.8.888, now I use win-acme v2.1.10.896.
Thx, Frank
Ahmet Bas says
Could you share more information about the steps you used for command line
Frank says
Hi,
wacs.exe --verbose --target iis --siteid %iissiteid% --emailaddress %email% --accepttos --notaskscheduler --validationmode http-01 --validation filesystem --webroot [path to webroot]
with %iissiteid% as one of the iis site id and a valid email for %email%
Frank says
… some of the certificate create calls used --validationsiteid %iissiteid% instead of --webroot [path to root]
but all have the same problem on renew the certificates.
Dawesi says
An easier solution, if you aren't using Server Core, is 'Certify The Web'… a turnkey Windows Let's Encrypt client, no-brainer: great GUI and a great command-line client and Windows service.
Axxxxxxxx.Gabxxx says
Thanks. I had a hard time with Certbot before finding your article. I added a reminder in Google Calendar so in three months' time I can come back to this instruction set to renew the certificate. (In case the scheduled renewal by win-acme fails or if I get here before it is executed.) Thanks a lot.
Deon Lubbe says
Just Brilliant. Thank you so much.
ibrahim says
Hello, it works internally; I can browse the https site from the local server, but when trying to connect from outside (Windows Server 2019 64-bit) it gives a time-out error. Any solution?
ibrahim says
It was a firewall issue, now it is solved. Thanks for the article.
Ian says
Having an authorization error:
Authorization result: invalid
Type: urn:ietf:params:acme:error:dns
Detail: DNS problem: NXDOMAIN looking up A for [domain] – check that a DNS record exists for this domain
I added an A record to our DNS server and when I ping/run nslookup from the server that website is on, it resolves fine. Any thoughts?
Ian says
To add to this, I am using an internal domain that has no A records on the public internet. Only accessible internally. Is this the problem? Can this not be used for private domains?
Ahmet Bas says
If you want to issue a Let's Encrypt certificate you cannot use an internal domain.
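The two failures discussed in the comments above (the "Authorization result: pending" error when port 80 is not reachable from the internet, and the NXDOMAIN error when the name exists only on an internal DNS server) can be caught before running wacs.exe. The following PowerShell function is an added example, not code from the article or from win-acme; the domain and the public resolver address are placeholders.

```powershell
# Added example: pre-flight checks for HTTP-01 validation on an IIS host.
# Returns $true only if all three checks pass.
function Test-AcmeHttpPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $PublicResolver = "1.1.1.1"   # placeholder: any public resolver
    )
    $ok = $true

    # 1. Let's Encrypt resolves the name on the public internet, so ask a public
    #    resolver rather than the server's own (possibly internal-only) DNS.
    $public = Resolve-DnsName -Name $Domain -Type A -Server $PublicResolver -ErrorAction SilentlyContinue
    if (-not $public) {
        Write-Warning "$Domain has no public A record (this is the NXDOMAIN case)"
        $ok = $false
    } else {
        Write-Host "Public A record: $($public.IPAddress -join ', ')"
    }

    # 2. HTTP-01 validation always arrives on port 80; the IIS role adds an
    #    inbound firewall rule group for it, so make sure it is enabled.
    $rule = Get-NetFirewallRule -DisplayGroup "World Wide Web Services (HTTP)" `
                -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    if (-not $rule) {
        Write-Warning "No enabled inbound firewall rule for HTTP (port 80)"
        $ok = $false
    }

    # 3. Fetch the site over plain HTTP by name, the way the CA will when it
    #    requests /.well-known/acme-challenge/<token> during validation.
    try {
        $resp = Invoke-WebRequest -Uri "http://$Domain/" -UseBasicParsing -TimeoutSec 10
        Write-Host "HTTP reachable, status $($resp.StatusCode)"
    } catch {
        Write-Warning "HTTP request to http://$Domain/ failed: $($_.Exception.Message)"
        $ok = $false
    }
    return $ok
}

# Run before starting wacs.exe; a $false result means validation will fail.
Test-AcmeHttpPrereqs -Domain "snelexample.site"
```

Check 3 is only conclusive when run from a machine outside your network, since a request from the server to itself never crosses the perimeter firewall.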
Fanny says
I get 503 error in Windows Server Core 2019
Yavuz Aydin says
Can you send the complete output?
Salam says
Thanks for this post. Can you please tell me how to renew a Let's Encrypt certificate?
Yavuz Aydin says
win-acme automatically adds a task to the task scheduler to renew!
Emil says
But how do I bind the site automatically from the command line without user interaction?
Yavuz Aydin says
That is possible; anything you can do with the interactive menu can also be done non-interactively. I can see you have created an issue on GitHub with the same question; you should try the --installationsiteid parameter. Also review the win-acme CLI reference.
Felipe Fonseca says
Hi! I need a certificate for my site on the intranet, i.e. the site is accessed from a LAN IP.
Is there any way to use an "unreal" domain to create a certificate?
Or any other ideas? Thanks
Yavuz Aydin says
If you access the site through a domain (i.e. intranet.yourdomain.com) you can request a Let's Encrypt Certificate with DNS authentication. However this exercise is out of the scope of this article.
Murice says
Thanks for your help
I have several certificates under "Certify The Web". I am not going to renew them for now, but for other domain names do you think I can use win-acme alongside it?
Yavuz Aydin says
Yes, definitely!