October 4, 2024

Installing Free Let’s Encrypt TLS(SSL) Certificates on Windows Server

This guide explains how to install a free Let’s Encrypt TLS/SSL certificate on a Windows host. We’ll cover how to issue, bind, and renew a certificate for an IIS website, and how to use a Let’s Encrypt certificate to secure connections to RDS services.

Contents:
  • How to Generate and Install a Let’s Encrypt Certificate on Windows IIS
  • Renewing Let’s Encrypt Certificates on Windows
  • Enable HTTP to HTTPS Redirect with IIS URL Rewrite
  • Using Let’s Encrypt Certificates for RDS Gateway and RD Web Access

Let’s Encrypt is an open Certificate Authority (CA) that lets you automatically issue free, trusted X.509 certificates for TLS (HTTPS) encryption. It issues only Domain Validation (DV) certificates, each valid for 90 days, with the option to renew them on a schedule.

The Automated Certificate Management Environment (ACME) API is the open Let’s Encrypt API interface that enables automated certificate issuance. The WACS (Windows ACME Simple) tool is the most popular ACME API client implementation for a Windows environment.

How to Generate and Install a Let’s Encrypt Certificate on Windows IIS

If you want to automate installing the Let’s Encrypt TLS certificate on Windows, use the Windows ACME Simple (WACS) command line tool. WACS is a simple command-line wizard that lets you select an IIS site and automatically issue and bind a Let’s Encrypt SSL Certificate.

So, I have a Windows Server 2022 host running an IIS web server and a simple website. The task is to install a TLS certificate from Let’s Encrypt to enable the site to use the HTTPS protocol.

Download the latest WACS client for your architecture from GitHub https://github.com/PKISharp/win-acme/releases. In my case it is win-acme.v2.2.9.1701.x64.pluggable.zip. Extract the archive to a local folder.

[Screenshot: download the WACS Let’s Encrypt client for Windows]

Run the wacs.exe as an administrator.

WACS requires .NET Framework 4.7.2 or later to be installed.

An interactive wizard will start to help you generate a Let’s Encrypt certificate and bind it to the IIS site. To quickly create a new certificate, select N: Create certificate (default settings).

[Screenshot: creating a new certificate with the wacs (Windows ACME Simple) tool]

The tool may report that no websites were found:

No websites with host bindings have been configured in IIS. Add one in the IIS Manager or choose the plugin 'Manual input' instead.
Source plugin IIS was unable to generate options.

In this case, open the IIS Management console (inetmgr), open the Site Bindings settings, and verify that the site has a Host Name set. See “How to run multiple sites in IIS with the same port or IP address” for more information about this parameter.

[Screenshot: setting the host name in the IIS site binding]

Select the site number to which you want to issue a certificate.

Then press A to select all site bindings and y to continue.

Press y to accept the terms of the user agreement.

Specify the email address of the person who will be notified if there are problems with certificate renewal and other notifications (or enter multiple emails separated by commas).

[Screenshot: Let’s Encrypt http-01 validation on the IIS web server]

At this stage, Let’s Encrypt needs to verify that you own the domain for which the certificate is being issued. By default, HTTP validation is used (http-01 validation, SelfHosting). The client launches a small HTTP challenge server on TCP port 80 (if this port is already in use, IIS is used instead). Inbound HTTP port 80 must be open in the firewall. The response file is written to the web server folder \.well-known\acme-challenge\<random_filename>.

If for some reason you are unable to perform ACME HTTP-01 validation, you can use DNS-01 validation. This requires you to create a special TXT record in your domain’s DNS zone. This option is available if you select M: Create certificate (full options) in the first menu of the wacs client. The ACME client checks for this DNS record when validating a domain.

The entire process of enrolling and installing a Let’s Encrypt TLS certificate on IIS is fully automated.

  • The certificate’s private key (*.pem) and the certificate itself (*.pfx) are saved to folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\
  • WACS tool writes detailed logs of all actions to the folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log\

If the domain validation is successful, the tool will retrieve a certificate from the CA, install it in the certificate store, and bind it as an SSL certificate for the target IIS website. If the site already has an SSL certificate installed (for example, a self-signed certificate), it will be replaced with a new one.

Open IIS Manager and navigate to your site’s Bindings settings. Make sure it uses a certificate from R10, Let’s Encrypt Authority.

[Screenshot: Let’s Encrypt certificate bound to the IIS website]

This certificate will be trusted if you have kept the Windows Trusted Root Certificates store up to date.

The Let’s Encrypt certificate for IIS is installed in the Web Hosting -> Certificates section of the computer’s certificate store (certlm.msc).

[Screenshot: Let’s Encrypt certificate installed in the Windows certificate store]

The unattended wacs.exe command to automatically issue a certificate for an IIS website may look like this:

wacs.exe --target manual --host sample.woshub.com --store certificatestore --validation selfhosting --siteid "MyTestWebSite"

Renewing Let’s Encrypt Certificates on Windows

Because Let’s Encrypt certificates expire after 90 days of validity, they need to be renewed regularly. When a new certificate is generated and installed, the WACS tool creates a separate automatic certificate renewal task in the Windows Task Scheduler.

The Task Scheduler contains a task named win-acme renew (acme-v02.api.letsencrypt.org) that runs the following command once a day to check the certificate’s expiration date and renew it when needed:

wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

[Screenshot: win-acme Let’s Encrypt auto-renew scheduler task]

The Let’s Encrypt certificate can be renewed after 60 days from the date of issue.
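A quick way to confirm that the issuance and the renewal task described above actually did their job is to audit the result rather than trust the wizard output. The following PowerShell script is an added example (not part of win-acme or of this article’s own scripts): it lists the certificate bound to every HTTPS site in IIS with its issuer and remaining validity, and reports the state and last result of the win-acme renewal task. It assumes the WebAdministration and ScheduledTasks modules are available and that the task name matches the win-acme renew* pattern shown above; the 30-day warning threshold is a chosen value.

```powershell
# Added example: audit IIS HTTPS bindings and the win-acme renewal task.
# Run from an elevated PowerShell console on the IIS host.
param([int]$WarnDays = 30)   # assumption: win-acme renews at 60 days, so < 30 days left means renewal is overdue

Import-Module WebAdministration -ErrorAction Stop
$now = Get-Date

function Get-IisTlsReport {
    foreach ($site in Get-ChildItem IIS:\Sites) {
        foreach ($b in @(Get-WebBinding -Name $site.Name -Protocol https)) {
            # bindingInformation looks like "*:443:sample.woshub.com"
            $hostName = ($b.bindingInformation -split ':')[-1]
            # win-acme stores IIS certificates in WebHosting; fall back to the Personal (My) store
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert  = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                     Where-Object Thumbprint -eq $b.certificateHash
            if (-not $cert) {
                [pscustomobject]@{ Site = $site.Name; Host = $hostName; Issuer = '(certificate not found in store)';
                                   NotAfter = $null; DaysLeft = $null; Status = 'ERROR' }
                continue
            }
            $days = [int]($cert.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Site     = $site.Name
                Host     = $hostName
                Issuer   = $cert.Issuer          # expected: a Let's Encrypt intermediate such as R10
                NotAfter = $cert.NotAfter
                DaysLeft = $days
                Status   = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt $WarnDays) { 'WARN' } else { 'OK' }
            }
        }
    }
}

function Get-WinAcmeRenewTaskReport {
    $tasks = Get-ScheduledTask -TaskName 'win-acme renew*' -ErrorAction SilentlyContinue
    if (-not $tasks) {
        Write-Warning 'No win-acme renewal task found: certificates will not renew automatically'
        return
    }
    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $t.TaskName
            State      = $t.State                               # should be Ready, not Disabled
            LastRun    = $info.LastRunTime
            LastResult = ('0x{0:X}' -f $info.LastTaskResult)    # 0x0 means the last run succeeded
            NextRun    = $info.NextRunTime
        }
    }
}

Get-IisTlsReport          | Format-Table -AutoSize
Get-WinAcmeRenewTaskReport | Format-Table -AutoSize
```

A WARN or EXPIRED row, or a task whose LastResult is not 0x0, is the cue to look at the win-acme log folder mentioned above before the site stops serving a valid certificate.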

Enable HTTP to HTTPS Redirect with IIS URL Rewrite

Once your IIS site has a TLS certificate installed, you can stop using the insecure HTTP protocol and switch to HTTPS. All HTTP requests to a site can be automatically redirected to an HTTPS URL address using the Microsoft URL Rewrite Module.

Detailed instructions can be found in the article Redirect HTTP to HTTPS on Windows IIS.
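The redirect itself is a URL Rewrite rule stored in the site’s web.config. The following PowerShell is an added example, not taken from the linked article, that creates that rule through the WebAdministration provider so it can be scripted alongside the certificate deployment. It assumes the URL Rewrite module is installed and that the site is named Default Web Site; the rule name is a chosen value. The rule only fires for plain-HTTP requests and deliberately leaves the ACME challenge path (/.well-known/acme-challenge/) un-redirected so the http-01 response file stays reachable over HTTP.

```powershell
# Added example: create an HTTP -> HTTPS permanent-redirect rule for an IIS site.
$SiteName = 'Default Web Site'            # assumption: the site that just received the certificate
$RuleName = 'Redirect HTTP to HTTPS'      # chosen rule name

Import-Module WebAdministration -ErrorAction Stop
$psPath = "IIS:\Sites\$SiteName"
$rules  = 'system.webServer/rewrite/rules'
$rule   = "$rules/rule[@name='$RuleName']"

# Make the script idempotent: drop an existing rule of the same name before re-creating it.
if (Get-WebConfiguration -PSPath $psPath -Filter $rule) {
    Clear-WebConfiguration -PSPath $psPath -Filter $rule
}

# <rule name="..." stopProcessing="true"><match url="(.*)" />
Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' -Value @{ name = $RuleName; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" -Name 'url' -Value '(.*)'

# <conditions>: request came in over HTTP, and is not an ACME challenge
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTPS}'; pattern = 'off' }
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' -Value @{ input = '{REQUEST_URI}'; pattern = '^/\.well-known/acme-challenge/'; negate = 'True' }

# <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name 'type' -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'

"Rule '$RuleName' written to the web.config of '$SiteName'"
```

After running it, a request to http://<host>/ should answer 301 with a Location header pointing at the https:// URL, while http://<host>/.well-known/acme-challenge/test is still served directly.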

Using Let’s Encrypt Certificates for RDS Gateway and RD Web Access

If you’re using Remote Desktop Gateway or RD Web Access to connect external users to the corporate network, you can install a trusted Let’s Encrypt certificate instead of a default self-signed certificate. Let’s look at how to properly install a Let’s Encrypt certificate to protect Remote Desktop Services connections.

Issue a Let’s Encrypt certificate for the Default Web Site in IIS using the wacs.exe client on the RD Gateway host as described above. This certificate can be manually exported and bound to the RDS services via SSL Binding. However, you would have to repeat these steps manually every 60 days, after each renewal of your Let’s Encrypt certificate.

The ACME project provides a PowerShell script to automatically import the Let’s Encrypt cert into the RD Gateway configuration (…\Scripts\ImportRDGateway.ps1). The main disadvantage of this script is that you have to specify the new certificate fingerprint manually:

ImportRDGateway.ps1 <certThumbprint>

To automatically get the certificate thumbprint from a specified IIS site, use the modified ImportRDGateway_Cert_From_IIS.ps1 script (based on the ImportRDGateway.ps1).

You can run this script manually:

powershell -File ImportRDGateway_Cert_From_IIS.ps1

If your RDS Gateway runs on the ‘Default Web Site’ with index 0, you can use the script as is.

To get the site ID on IIS, open the PowerShell console and run:

Import-Module WebAdministration
Get-ChildItem IIS:Sites|ft -AutoSize

[Screenshot: Get-ChildItem IIS:Sites site list]

The ID column shows the index of your IIS site; subtract one from it. In line 27 of the PowerShell script, replace the 0 with the resulting value:

$NewCertThumbprint = (Get-ChildItem IIS:SSLBindings)[0].Thumbprint

[Screenshot: changing the RDS Gateway site index in the PowerShell script]

Now open the win-acme-renew (acme-v02.api.letsencrypt.org) task properties in the Task Scheduler. On the Actions tab, add a new action that runs the PowerShell script (ImportRDGateway_Cert_From_IIS.ps1) after the Let’s Encrypt certificate has been renewed.

To avoid changing the PowerShell execution policy settings, you can run the script with the command:

PowerShell.exe -ExecutionPolicy Bypass -File c:\ps\wacs\scripts\ImportRDGateway_Cert_From_IIS.ps1

[Screenshot: win-acme-renew task that renews the certificate and updates the RDS SSL binding]

Now, immediately after the Let’s Encrypt certificate is renewed, the script will bind the SSL certificate to the RDS services and will restart the RD Gateway service:

Restart-Service TSGateway

When the TSGateway service is restarted, all current RDS user sessions are disconnected, so it is recommended that the frequency of the certificate renewal task be changed to once every 60 days.
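The procedure above depends on a hard-coded binding index, which silently picks the wrong certificate if sites are added or reordered. The following script is an added example, written for this page and not the article’s ImportRDGateway_Cert_From_IIS.ps1 or win-acme’s ImportRDGateway.ps1: it resolves the certificate from the HTTPS binding of a named IIS site, checks that the certificate is present in the machine store with a private key and is not expired, and only then updates the RD Gateway listener and restarts TSGateway. It assumes it runs elevated on the RD Gateway host, that the RemoteDesktopServices module (which provides the RDS: drive) is installed with the role, and that the site name passed in is the one hosting RD Gateway; the -WhatIfOnly switch is a chosen convenience for testing from the renewal task before letting it restart the service.

```powershell
# Added example: bind the IIS site's current Let's Encrypt certificate to RD Gateway by site name.
param(
    [string]$SiteName = 'Default Web Site',   # assumption: site that hosts RD Gateway / RD Web Access
    [switch]$WhatIfOnly                       # report what would change without touching RDS or the service
)

Import-Module WebAdministration        -ErrorAction Stop
Import-Module RemoteDesktopServices    -ErrorAction Stop   # provides the RDS:\ drive

# Look the binding up by site name rather than by position in IIS:\SslBindings.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "Site '$SiteName' has no HTTPS binding; issue the certificate first" }
$newThumb = ($binding.certificateHash -replace '\s', '').ToUpper()

# win-acme puts IIS certificates in WebHosting; also look in the Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $newThumb | Select-Object -First 1
if (-not $cert)               { throw "Certificate $newThumb is bound in IIS but not found in the LocalMachine store" }
if (-not $cert.HasPrivateKey) { throw "Certificate $newThumb has no private key; RD Gateway cannot use it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $newThumb expired on $($cert.NotAfter)" }

$current = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
if ($current -eq $newThumb) {
    "RD Gateway already uses $newThumb (expires $($cert.NotAfter)); nothing to do"
    return
}
if ($WhatIfOnly) {
    "Would replace RD Gateway certificate $current with $newThumb (expires $($cert.NotAfter))"
    return
}

# Only now change the listener and restart the service, which disconnects active RDS sessions.
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $newThumb -ErrorAction Stop
Restart-Service TSGateway -Force -ErrorAction Stop
"RD Gateway listener now uses $newThumb; TSGateway restarted"
```

Because the script exits early when the gateway already uses the bound certificate, it is safe to run from the daily renewal task: the service is restarted only on the day a new certificate actually arrived.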

10 comments

Michael Cooper July 17, 2019 - 9:21 am

Hello,

Where would web.config be located? I know I can search for it, I just think it should be mentioned (it’s default location anyway) Thanks great little tutorial.

John Peter November 27, 2019 - 2:07 pm

Default is in the root of the web directory.
Anywhere else is done by design.

Steven Phan September 20, 2019 - 5:54 pm

I am hoping you can help me out. Please email me.

Scenario:
The issue we are facing is that clients would set up domains in an A record or CNAME like app.customerdomain.com pointed to our domain. That’s on our server like custom.elevatie.com which is bound.

We generate a certificate but where do we bind it, because the certificate generated is for the client domain which isn’t bound on our system because they have their CNAME/A record pointed to our custom.elevatie.com to handle all the requests.

But if we were to physically bind the domain on the server and apply the certificate then yes we are able to obtain SSL. But this isn’t the case.

Liviu February 12, 2020 - 9:25 am

Is there any way to renew the SSL automatic, 30 days before and not 60 days?

Anders April 9, 2020 - 5:27 pm

Thanks for the guide,
Do you know if the URL Rewrite will break the ACME automated renewal?

admin April 14, 2020 - 7:56 am

I have not encountered such cases. Check your IIS and ACME log files.

Sahand May 6, 2020 - 9:10 pm

Great post
most of free SSLs are 3 months

Commune May 21, 2020 - 6:30 am

On Windows Server 2016 Essentials
$NewCertThumbprint = (Get-ChildItem IIS:SSLBindings\0.0.0.0!443)[0].Thumbprint
and
$RdsSslCertThumbprint = (Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
if ($RdsSslCertThumbprint -ne $CertInStore.Thumbprint)
{
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $CertInStore.Thumbprint -ErrorAction Stop
Restart-Service TSGateway -Force -ErrorAction Stop
"Cert thumbprint set to RD Gateway listener and service restarted"
}

Scott December 9, 2020 - 4:52 am

I have been getting an error now with the renewals.

Cert thumbprint was not set successfully
Error: Access to the object at RDS:\GatewayServer\SSLCertificate\Thumbprint is denied for the cmdlet Set-Item. The certificate is not valid or you do not have sufficient permissions to perform this operation.

Any ideas what can be causing it?

L’encryption SSL avec Azure application Gateway – Nouvelles Chroniques d'Amethyste May 23, 2022 - 8:57 pm

[…] a certificate issued by a trusted authority. You can get a free certificate with Let’s Encrypt or make one yourself in PowerShell. That is the route I am going to […]
