How to install Lets Encrypt Certificate with ACME2 on Windows Server
Let’s Encrypt is an exhibitor for free SSL certificates, which went into operation at the end of 2015, the CA certification authority for free certificates is very popular, initially only for Linux, it is now available for Windows. ACME 2 also makes it possible to largely automate the management of SSL/TLS certificates.
ACME 2 package win-acme does not include a setup for installation, after downloading win-acme, the zip-archive can be unpacked on the server to any directory of your choice. The directory should not be modified after that because the path is needed for recertification.
As with the previous version, the current version is a command-line tool with menus, so that it can also be run under Server Core. Win-acme is started by calling wacs.exe.
When you interactively request a certificate with win-acme via Simple Mode, the process is largely the same as with the previous version 1. This example runs ACME 2 on a Windows Server 2019 with the IIS role.
To verify the domain, it configures the binding from the Internet Information Services (IIS) Manager – InetMgr.exe.
After running wacs.exe select N to create a new certificate with the default settings. win-acme searches for the bindings in the IIS. If no bindings are configured, win-acme cancels the operation.
The next step is to select the IIS Web site for which you want to request the certificate.
Then you decide whether all bindings or only certain ones should be used. In the second case, you select them via a filter.
After further confirmation, the certificate request starts. To verify the authority of the domain, win-acme uses the http-01 method. The client receives a token from Let’s Encrypt, which it writes to a file on the local server and which is then read out by Let’s Encrypt.
Let’s Encrypt expects to read the token from the file over HTTP. Therefore, win-acme on the firewall requires the release for port 80 to the server.
The certificate is expected to reside in the server’s certificate store after the operation is successfully completed. In addition, win-acme stores the certificate in PEM and PFX format under the following path.
The authority of the domain for which a certificate is requested must be proven not only at the first issue, but also every 3 months for the renewal of the certificate.
In most common situations, it is not desirable for a server to be permanently accessible from the Internet only to request a certificate without protection on port 80. Here you could consider using a proxy or a temporary port release.
To bypass opening port 80 on the firewall, there is the possibility to choose a different challenge instead of http-01. In particular DNS-01, where the token is entered into the DNS as a TXT record.
This method also has the advantage that you can issue wildcard certificates. The prerequisite for DNS-01 is of course that the domain in question is hosted externally and is therefore accessible for Let’s Encrypt.