Install Let’s Encrypt with IIS on Windows Server 2019

Estimated reading time: 4 min

Introduction

Installing SSL on a website is a must these days as it secures the data exchanged between the server and client. It also affects the SEO score as search providers give preferences to the sites having SSL installed. Let’s Encrypt is a non-profit certificate authority that provides free SSL certificates. Almost all browser recognizes Let’s Encrypt certificates as trusted certificates. In this tutorial, we will learn how we can generate and use Let’s Encrypt certificates on a Windows Server 2019 using the IIS web server.

Prerequisites

    • A VPS or  Dedicated Server with Windows Server 2019 installed.
    • You must be logged in via Remote Desktop Protocol as an administrative user.
    • A domain name pointed towards your VPS or Dedicated server. In this tutorial, we will use snelexample.site. Replace all occurrences of snelexample.site with your actual domain name.

Step 1: Install IIS (Internet Information Services)

Open Server Manager by searching Server Manager in Start Menu. Click on Add roles and features link.

Below are the detailed instructions to follow on each tab of Add roles and features wizard.

  • Before You Begin: This tab explains the details of Add roles and feature wizard. You can read it or just click Next to get to the next tab.
  • Installation Type: Choose “Role-based or feature-based installation” and click Next.
  • Server Selection: Select the option “Select a server from the server pool” and click on your server from the list of “Server pool”.
  • Server Roles: Scroll down on the list of roles to find the “Web Server (IIS)”. When prompted for the required features, leave the default options checked and click on Add Features button. Click the Next button.
  • Features: Leave the default options checked here also and click the Next button without making any changes.
  • Web Server Role: Leave the default options checked as we are creating a basic web server only and click Next button for proceeding to the confirmation screen.
  • Confirmation: Review the changes once and click on the Install button to start the installation.

Server Manager Dashboard

Once the installation finishes, you can use a web browser to access http://snelexample.site. You should see the default IIS welcome page.

ISS Windows Server

Step 2: Create Simple HTML Test Site

To install Let’s Encrypt certificate, first, we need to create a site. In this tutorial, we will be creating a very simple demo HTML site. Navigate to the directory C:\inetpub\ and create a new folder with name snelexample.site. Into the folder, create a new file with name index.html and populate it with the following content.

<!DOCTYPE html>
<html>
  <head>
    <title>Demo Site</title>
  </head>
  <body>
    <h1>Hello World</h1>
  </body>
</html>

Snel example site

We are done creating the site. Let’s add it to the IIS server in the next step.

Step 3: Adding Website to IIS

Open the IIS Manager by searching IIS in the search menu. Expand HOST → Sites on the left pane, you will find the default web site. To add a new site in IIS web server, click on the Add website link from the right panel.

Internet Information Services

On Add Website prompt, Provide a Site name to identify your site. Let the value of Application pool remain the same as the Site name. Put the path of the directory where our index.html page resides which we have created in Step 2 of the tutorial. Leave the default value in Binding Type, IP address and Port. Put the actual domain name in Host name field. Click the button OK to add the site and start it.

Add website
Now, you can use a web browser to access http://snelexample.site it again. You should see the example website.

Demo site

Step 4: Download Let’s Encrypt Client

There are many different client applications available for generating Let’s Encrypt certificates. In this tutorial, we will use win-acme client as it is a very simple, open-source and actively developed command-line application. It not only generates the certificates but also installs and renews them automatically.

Download the latest version of the application on the server from its Github release page. On the release page, scroll down to find the assets and download the zip archive with the name win-acme.v2.x.x.x.zip . If you are having trouble using internet explorer, you can follow this tutorial to install Chrome on the server. Once downloaded, extract the application and move it to some safer location for future use.

win acme

Step 5: Generate Let’s Encrypt Certificates

Note: The domain which you are using must be pointed towards your Snel server. Let’s Encrypt will verify it before issuing the certificates.

To generate the Let’s Encrypt certificates, simple run wacs.exe. You may get a message from Windows Defender saying “Windows protected your PC” because we downloaded the application from the internet. Click on “More Info” link and then click on “Run Anyway” button. The application is totally safe to run as it is open source and actively used by many people. You may also need to allow the application if any UAC(User Access Control) prompt comes.

Once the application starts, follow these simple steps.

  • Press N on the initial menu to choose the option to “Create a new certificate”.
  • Next, It will ask you “What kind of certificate would you like to create?”. Enter 1 to choose “Single binding of an IIS site” option.

lets encrypt

  • Now the application will retrieve the list of websites from the IIS server and display it in command prompt. You will see the site we created on step 3 listed there. Press the number shown in front of the site.
  • It will now ask for your email to send you renewal notices. Provide your email address and agree to the terms and conditions.

let's encrypt acme

That’s it. If your domain is pointing to your server, it will successfully generate an SSL certificate for you. It will also add a scheduled task which will automatically renew the certificate when it will be due for renewal. The application will also install the SSL certificate for you.

new let's encrypt certificate

Now, you can access your website using HTTPS, eg. https://snelexample.site  and you should see the connection is secured with a valid certificate.

secure connection

Conclusion

In this detailed tutorial, we have installed the IIS server on Windows server 2019. We also created a demo website and added it into the IIS server. Finally, we generated and installed Let’s Encrypt SSL certificate on the demo website we created.

Was this article helpful?
Dislike 7
Views: 226838

Reader Interactions

Comments

  1. Steven Phan says

    I am hoping you can help me out. Please email me.

    Scenario:
    The issue we are facing is that clients would setup domains in an A record or CNAME like app.customerdomain.com pointed to our domain. That’s on our server like custom.elevatie.com which is binded.

    We generate a certificate but where do we bind it because the certificate generated is for client domain which isn’t binded on our system because they have their CNAME/A Record pointed to our custom.elevatie.com to handle all the requests.

    But if we were to physically bind the domain on the server and apply the certificate then yes we are able to obtain SSL. But this isn’t the case.

    • Yavuz Aydin says

      It looks like you're describing to bind multiple SSL certificates to a single site, this is not possible. You should bind the additional domains to the main domain and add the additional domains as a SAN to the main domain certificate.

  2. BD9000 says

    I couldn't get this to work.
    Is there a website I need to go to to register an account or something?
    Got these 2 messages.
    [EROR] Authorization result: pending
    [EROR] Create certificate failed: Authorization failed

  3. Banshee says

    Does the site need to be public facing prior to generating the cert? My site is currently on port 80, but not exposed. Was trying to generate the cert first then expose the site as https. Is that possible or do I need to open it up on 80 as public facing first?

  4. Juan says

    "" "" "" Yes, it must be public on port 80 for Let's Encrypt to successfully verify the domain. "" ""
    Can you change the port later?
    I don't want the service to be in port 80

  5. Frank says

    Hi, I successfully installed certificates on Windows Server 2016 IIS 10. After each renew of the certificates (30 days before expire) the sites lost the certificate connection and I have to reset the renewed certificate for each page. I installed the certificate with the command-line interface of win-acme v2.1.8.888, now I use win-acme v2.1.10.896.
    Thx, Frank

      • Frank says

        Hi,
        wacs.exe –verbose –target iis –siteid %iissiteid% –emailaddress %email% –accepttos –notaskscheduler –validationmode http-01 –validation filesystem –webroot [path to webroot]

        with %iissiteid% as one of the iis site id and a valid email for %email%

      • Frank says

        … some of the certification create calls used –validationsiteid %iissiteid% instead of –webroot [path to root]
        but all have the same problem on renew the certificates.

  6. Dawesi says

    easier solution if you aren't using server core is 'certify the web'… turnkey windows lets encrypt client, no brainer – great gui and great command line client and windows service.

  7. Axxxxxxxx.Gabxxx says

    Thanks. I had hard time with Certbot before finding your article. I added a reminder in a Google Calendar so in three months time I can come back to this instruction set to renew the certificate. (In case the scheduled renewal by WinAcme fails or if I get here before it is excuted.) Thanks alot.

  8. ibrahim says

    hello it works internally i can browse https site from local server but when trying to connect from outside (windows server 2019 64bit) it give err time out. any solution?

  9. Ian says

    Having an authorization error:

    Authorization result: invalid
    Type: urn:ietf:params:acme:error:dns
    Detail: DNS problem: NXDOMAIN looking up A for [domain] – check that a DNS record exists for this domain

    I added an A record to our DNS server and when I ping/run nslookup from the server that website is on, it resolves fine. Any thoughts?

    • Yavuz Aydin says

      That is possible, anything you can do with the interactive menu can also be done non-interactively. I can see you have created an issue at Github with the same question, you should try the –installationsiteid parameter. Also review the win-acme cli reference.

  10. Felipe Fonseca says

    Hi! I need certificate to my site in intraweb, i.e the site accessed from LAN IP.
    Exists any way to use a "unreal" domain to create certificate?

    Or Any other ideas? Thanks

  11. Murice says

    Thanks for your help

    I have several certificat under "Certify the web", i am not going to renew them for now, but for other domain name do you think i can use win acme alongside ?

Leave a Reply

Your email address will not be published. Required fields are marked *