Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version): IIS10 v10.0.20348.1
The operating system my web server runs on is (include version): Server 2022 (OS Build 20348.3932)
My hosting provider, if applicable, is: Self Hosted
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): winacme 2.2.9.1701
The version of my client is (e.g. output of n or certbot-auto --version if you're using Certbot): winacme 2.2.9.1701
I have checked that Firewall port 443 is open and confirmed that our domain is forwarding correctly and directly to our IIS Server. Internal access to the web site is working fine. Any help would be much appreciated. Thanks.
Let's Encrypt also supports the TLS-ALPN-01 challenge (Challenge Types - Let's Encrypt), which does operate over port 443; however, it requires support from your server and I'm not sure how to set up TLS-ALPN-01 on IIS.
There is also a DNS Challenge which can be automated if your DNS provider has an API to add/delete the needed TXT record.
Not sure that NetSol offers that but perhaps you could switch to one that does. It also needs to be supported by the ACME Client you use. Note the principal maintainer of win-acme no longer supports that but offers simple-acme instead: simple-acme
Looks like this validation is near impossible to set up in IIS as it requires exclusive access to port 443, which would bring all our sites down whenever renewing.
I will have a look at configuring DNS-01 validation which might be a better option. Thanks again for your amazing help! So much appreciated!
Looks like your DNS is on Network Solutions; you may need to move it to one with a supported API. Different ACME clients support different DNS providers, but I don't think Network Solutions is supported by any of them, because they don't appear to have a usable API.
If possible consider moving DNS to something that can be easily automated like Cloudflare or AWS Route 53 etc. You can still use the same domain registrar, it's the DNS hosting that's the issue.
Regarding port 80 - ports don't have security problems; it's the services that listen on them that do. You do not need to have a port 80 binding in IIS for HTTP domain validation to work, because Windows-specific ACME clients generally have built-in temporary self-hosting for domain validation responses (using temporary http.sys listeners).
You can also delegate the relevant _acme-challenge DNS labels to a secondary DNS service.
Similarly, you only need port 80 to be listening during the ephemeral on-demand domain validation. Many people use pre/post hooks that toggle firewall rules to achieve this.
tldr; there are lots of ways to implement your options.
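As an added illustration of the DNS-01 route and the _acme-challenge delegation discussed above (not code from the thread, win-acme or simple-acme), the snippet below models what the CA does when it validates a DNS-01 challenge per RFC 8555 section 8.4: derive the expected TXT value from the challenge token and the account key's RFC 7638 thumbprint, then look up TXT at _acme-challenge.<domain>, following a CNAME into a separate API-driven zone. The account key, token, zone contents and the acme-dns.example.net name are all constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, keys sorted, no whitespace, then SHA-256
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    # keyAuthorization = token '.' thumbprint; the TXT record holds base64url(SHA-256(keyAuthorization))
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return the TXT records at `name`, following CNAMEs the way a resolver (and the CA) would."""
    for _ in range(max_hops):
        rrset = zone.get(name.lower().rstrip("."), {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]  # delegation hop into the secondary DNS service
            continue
        return rrset.get("TXT", [])
    raise ValueError(f"CNAME chain for {name} too long or looping")

def validate_dns01(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """True when _acme-challenge.<domain> (after any CNAMEs) carries the expected TXT value."""
    return dns01_txt_value(token, account_jwk) in resolve_txt(zone, f"_acme-challenge.{domain}")

# Constructed sample data: placeholder account key and token, and a zone in which the primary
# DNS host (no API) only carries a CNAME pointing the challenge label at an automatable zone.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
TOKEN = "constructed-token-Gk3Jd7"
ZONE = {
    "_acme-challenge.example.com": {"CNAME": "_acme-challenge.example.com.acme-dns.example.net"},
    "_acme-challenge.example.com.acme-dns.example.net": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
}

if __name__ == "__main__":
    print("expected TXT:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("validation passes:", validate_dns01(ZONE, "example.com", TOKEN, ACCOUNT_JWK))
```

The same lookup the CA performs can be checked by hand before renewing with `nslookup -type=TXT _acme-challenge.example.com`, which shows whether the CNAME and the TXT behind it are visible from the public internet.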