Alternative of certbot and dns-rfc2136 plugin on Windows


My home network is behind NAT and can't be accessed from public network. So I need to use DNS-01 challenge to get Let's Encrypt certificate. With following combination certificate is successfully obtained and renewed on my home server.

  • certbot
  • dns-rfc2136 plugin
  • BIND9 working on the host connected to public network

Now let's get down to the main topic. Recently I notices that default certificate of Windows remote desktop service isn't valid one and I'd like to replace it with Let's Encrypt certificate. So I checked Window installer of certbot but unfortunately it doesn't include DNS plugins. It means DNS-01 challenge isn't available. Then is there any alternative of certbot and dns-rfc2136 plugin that works on Windows 10?

Best Regards.

Posh-ACME can do it. If you want something with a GUI, Certify the Web can do it as well.

Thank you for quick reply. I'll check them right away.

@_az, you did read the part about

I'm not 100% certain, an LE cert can be used for Windows RDP.

Here is somewhat of how I recall it:
Using Let's Encrypt to secure Windows Remote Desktop connections - Server - Let's Encrypt Community Support

Hi @yasu

I wouldn't do that.

Windows RDP is a working system, self signed certificates are regulary renewed.

Some months, there is a question - "new certificate" - that's all.

I use RDP a long time - there is no need to replace that working configuration with a Letsencrypt certificate.

We successfully use win-acme to get certificates and use them for RDP... I should do a write up but the main gist is:

  • setup win-acme to perform a dns-01 challenge using our custom scripts to create/delete the records on OVH DNS.

  • as a certificate post-installation script, run the following command to update the certificate:

Script: C:\Windows\System32\wbem\WMIC.exe
ScriptParameters: /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="{CertThumbprint}"

NB: it might be necessary to start wacs.exe with the parameter --certificatestore My to select the right certificate store.

1 Like

With win-acme you can setup automation for renewal of the certificate and updating in it in RDP settings. There's no downside that I'm aware of, it automatically sets up a scheduled task to check for renewal twice a day, but only actually runs if the in the last 30 days of validity of the certificate, just like certbot.

1 Like

Yes as noted already is a GUI ACME client that supports all manner of DNS validation (some of which is provided via Posh-ACME) and has a basic built in Task for Deploying to RDP, you can also script your own deployment for custom stuff (

  • New Certificate > Add domain(s) to be included in the certificate
  • on the Authorization tab, select challenge type dns-01, method RFC2136, add new credentials for your server, configure the path to nsupdate exe.
  • Deployment (auto) will store the cert in the local store
  • Hit Request Certificate, if that all validates OK you'll get a new certificate, ready for use.
  • on the Tasks tab, Add a new Deployment Task > Deploy to RDP Listener Service (you may have other requirements in which case you can instead run a custom script). You probably want to follow that up with a Restart Service task to restart your RDP listener (optional). You can also hit any time to run the task and apply the latest cert.

After your first successful request all renewals are automatic.

1 Like

Just to throw more options on the pile. With Posh-ACME and Posh-ACME.Deploy, you can do something like this:

New-PACertificate <more params here> | Set-RDSHCertificate

And similarly on renewal:

Submit-Renewal | Set-RDSHCertificate

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.