Best ACME Client for Windows Server

Hi Folks,

I’ve just tested the certbot beta installer for Windows Server 2012 R2, which has its limitations. For example, it doesn’t do automated integrations yet for IIS/RDP etc, and it doesn’t support DNS plugins (route53 is needed in my case), which is required.

With that said, what does the general community recommend for a stable, support ACME client for windows server that has dns-route53 plugin support? Also, does anyone know when dns-plugins will be available for certbot?

-The Col

As you’ve found, Certbot’s Windows support is still pretty new. The Let’s Encrypt clients page has a number of fine alternative options. I’d guess just about all of them that have DNS support at all have a Route53 plugin.

I’m partial to Posh-ACME as the author. It has a ton of DNS plugins built-in. But it’s definitely geared towards those already comfortable with using PowerShell and needs a sister module, Posh-ACME.Deploy, to handle the deployment of the certs to various services.

If you’re looking for a more traditional CLI client, win-acme is also popular. Certify the Web is a really nice GUI client and has paid support options if you want/need that. It can also now natively use Posh-ACME’s DNS plugins.

Give a few of them a try and see what you like. I don’t really think there’s a “best” client because everyone has different needs.

1 Like

Thanks, Ryan. I was eyeing posh-acme and would prefer using something built using powershell as it’s major building block. I assume you can use iam roles for the dns-route53 plugin, and also, do you have any automation built into importing certificates into rdp gateways/listeners?

Yep, IAM Roles are totally supported. The plugin’s usage guide is actually pretty extensive and provides instructions on setting up a limited access policy and the IAM role for those who aren’t as familiar with how AWS permissions work.

Posh-ACME.Deploy is where all the deployment stuff lives. There are scripts for RDSH in standalone mode and RDGW. But I don’t have anything included for the full RD Farm config yet. Happy to work with anyone to add it though.

1 Like

Thanks…I played around with it; my testing boxes are win2k12R2 , win2k2016, and win2k2019. For anything not having powershell version 5 and the windows management framework installed (effectively win2k12R2) natively, I received a ton of module errors for nuget etc.

Per the readme, you definitely need WMF/PS 5.1 and .NET 4.7.1 or later. You can ignore the .NET requirements for PowerShell 6+. If for some reason you can’t upgrade to .NET 4.7.1, there’s also a custom build that works with .NET 4.6.1, but you can’t use it with PS 6+ and you lose support for ECC based certs.

If the nuget errors were associated with installing the module from PowerShell gallery, you also likely need to follow the guidance in this MS blog post:

Well, I guess I should tout the app I develop Certify The Web: :slight_smile:

There are several fine command line and scripting based solutions as you will already have seen but I’m pretty confident we’re the best GUI for ACME/Let’s Encrypt currently in existence (although I’m obviously biased as the author). The source is available on GitHub, it has free and paid versions and it’s my full-time job so there’s commercial support for companies that want it. In turn we sponsor some of the other ACME clients, because we’re all in it together!

There are many bundled DNS providers (some of which are via Posh-ACME, but route53 is native), there are also many bundled Deployment Tasks and IIS etc is a built in target that the UI has been optimized for.

For simple IIS stuff the process is click New Certificate > Select IIS Site > Request Certificate and everything then works automatically and it adds/update https bindings etc as required. It can do a whole lot more than that, but that’s the basics. Questions etc here:

CTW was first established in late 2015 and is now used by hundreds of thousands of organisations around the world.

1 Like

Thank you for this information.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.