Step-by-Step Guide to Getting SSL for Free using LetsEncrypt on Windows IIS

SSL should be simpler and cheaper, and Let’s Encrypt is a great project to make this happen, but it’s biased toward *nix systems. So what do you do if you want to install a free Let’s Encrypt SSL certificate on your Microsoft IIS server?

Well I did this today, and even using LEWS (see below) there does not seem to be a clear step-by-step guide. So having stumbled and googled my way though the process, I thought I’d document it for all.

This approach uses the letsencrypt-win-simple tool (LEWS) to validate and set up the SSL certificates.

A couple of prerequisites. First, you’re going to need to have admin console access to the hosting server – if you don’t have this you won’t be able to follow the simple guide here. Second, the DNS names must already be configured externally, e.g. mysite.example.org should be resolvable to your server on http for this to work.

Assuming you do, here is what you need to do:

  1. Log onto the console of the Windows Server that is hosting the site you want to add SSL to
  2. Run Internet Information Services (IIS) Manager (I’ll call it IISM for short)
  3. Select the site you want to add SSL to in the list of Sites
  4. Click the Bindings button in the menu on the right
  5. Ensure your site has a named http binding in the host name section, even if you only have one site and the hostname is blank (to accept all requests). This is required so that LEWS knows what certificate name to create
  6. Close the bindings dialog box
  7. Download the LEWS client from https://github.com/Lone-Coder/letsencrypt-win-simple/releases – the ZIP file contains the client. This guide was written using version 1.7
  8. Unzip the contents to a folder on the server, e.g. C:\SSL
  9. Start a command prompt in Administrator mode (right click the Command Prompt on Start and select Run as Administrator)
  10. Navigate to the folder you unzipped LEWS to, e.g. cd \ssl
  11. Type the command letsencrypt and press enter
  12. If this is your first time you’ll be prompted to enter your email address to register and accept the EULA .. do this and accept to continue (subsequent runs will bypass this)
  13. You should now have a text menu, with a list of numbered Site Bindings and options for M, A and Q (manual, all and quit)
  14. Select the site (1-9) you want to add SSL to, or use A if you want to do all. If your site does not appear it may be because you forgot to add a host-name binding.
  15. The process will now create a verification file in a subfolder of the site, and use this to try to authorize the SSL certificate (see Note A below).
  16. If this is successful, you should see a confirmation. If you get block of red text this indicates an error.
  17. Assuming it worked, go back to IISM and select “Bindings” on the site – you should now have an SSL (https) binding with a dated certificate name: note that LetsEncrypt certificates are limited to 90 days for security reasons, but of course renewals are free.

Possible problems you might encounter:

Authorization Failures

If you’ve recently added a DNS entry, or recently change DNS configurations (e.g. IP address change) these changes can take time to become effective (lots of systems cache or only update infrequently). This can cause the

Note A

The authorization process creates a subfolder .well-known/acme-challenge and a verification file on your site and the LetsEncrypt service tries to access this static text file using DNS.

For example, if I want to set up SSL for mydomain.example.org it might create a file called 7sYBFMggYCsR3roQ2SqpNkgwXCs8aD1NoXaUnnZDdQ0 and then attempt to access http://mydomain.example.org/.well-known/acme-challenge/7sYBFMggYCsR3roQ2SqpNkgwXCs8aD1NoXaUnnZDdQ0 

Because the default behaviour of IIS is to block extensionless URLs this would normally cause an error, so LEWS also adds a simple web.config file in the acme-challenge folder.

If you still run into issues check the issues for LEWS.