How does Letsencrypt work for Windows IIS?


If you host on Azure, I’ve put together a step-by-step walkthrough on how to obtain a Let’s Encrypt certificate for Azure Web Apps.

You can find the post at


Just downloaded and installed Certify (v0.9.71) on a Windows Server 2012 R2 server. Asked it to create a certificate for one of the sites, and it comes back with a dialogue box saying “Certification was not successful. Certificate not valid or not yet authorized.” The log tab does not show any obvious errors. When I look in the file system, I can see the .well-known/acme-challenge folders under the website, and when I manually browse to the challenge file from another machine I am presented with the contents of the file.

Any suggestions? What am I doing wrong?


Certify still can’t work normally. I have tested it.


Hi All,

I have just found out the Letsencrypt certificate on Windows (IIS 8.5) is showing an error:

“Your connection is not secure . . . .” in Firefox 45,46, . . . ??

Chrome is happy as far as I know. Safari is OK too. All on a Mac. Chrome is good on Windows, IE is good on Windows. Anybody suffering the same problem?

Thanks in advance folks. Happy to try and troubleshoot further.


Latest Firefox would frighten the end user away from visiting the site:

“The owner of [domainNameHere] has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.”



You’re probably running into a problem with IIS serving the wrong intermediate certificate. Try one of the following fixes:


The Lone-Coder/letsencrypt-win-simple v1.9.1 is stable and we’ve tested it successfully on Server 2016, 2012R2, and 2008R2. The Let’s Encrypt certificates are requested, installed and renewed automatically, plus the SAN certificate option is working as well.

We’ve published a video with instructions and demo here:

Right now we are testing the client with Exchange server, and a video about this is coming as well.


Will this work on Windows 2003 IIS 6.0?


Hi Himanshu

I wrote an article on how to do a Windows IIS install “the old school way”. I used zerossl but you can use any client including letsencrypt-win-simple

On older systems I prefer to work with the certificate and private key to get what I want.

I also believe IIS 6.0 doesn’t like certificates that have the intermediate and the certificate in one file (I am not sure if this is how clients print out the certificates or if that is how Let’s Encrypt issues them).

You can download and install the intermediate Let’s Encrypt certificates from here: I usually use PEM encoded certificates.

Microsoft also likes the PFX format for importing certificates (a combination of X509 cert and private key), so I usually generate these with openssl.

Article Link:
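
The split-and-repackage step described in the post above (leaf and intermediate in separate files, then a PFX built with openssl), as an added example that is not part of the original post or of any client mentioned in this thread. The function and file names are assumptions, and the sample bundle is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example. Function and file names are assumptions, not from the thread.

# split_fullchain FULLCHAIN OUTDIR
# First certificate (the leaf) goes to OUTDIR/cert.pem, every later one
# (the intermediates) to OUTDIR/chain.pem. Prints the certificate count and
# fails when the bundle holds no intermediate.
split_fullchain() {
    fullchain=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    : > "$outdir/cert.pem"; : > "$outdir/chain.pem"
    count=$(awk -v leaf="$outdir/cert.pem" -v chain="$outdir/chain.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? leaf : chain) }
        /-----END CERTIFICATE-----/   { inside = 0 }
        END { print n + 0 }' "$fullchain") || return 1
    echo "$count"
    [ "$count" -ge 2 ]
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key,
# so a mismatched pair is caught before it is packed into a PFX.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$kpub" = "$cpub" ]
}

# make_pfx KEY CERT CHAIN OUT: PKCS#12 bundle for the IIS import wizard.
# openssl prompts for the export password that protects the private key.
make_pfx() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4"
}

# Constructed sample bundle (placeholder bodies, not real certificates).
write_sample_fullchain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

With a real bundle, run `split_fullchain fullchain.pem out` and then `make_pfx privkey.pem out/cert.pem out/chain.pem site.pfx`; the resulting PFX contains the private key, so it needs the same file protection as the key itself.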


Hello, do you already have the video for Exchange server?
Could you test it?
Thank you.


Working flawlessly - both issuing and installing a new Exchange (multiple domain) certificate and automatically renewing it. Today we’ve completed the last step - had to redo some of the steps to add more scenarios.

Should be published within a day or two. If you need it urgently, I can send you the link to the post-production videos.


No, it’s not urgent, thank you very much for the reply, I’ll be waiting for your info after finishing.


The video is published - four steps; it took quite a while to get this done:

Letsencrypt Exchange certificate

We provide as a download the compiled ACMESharp PowerShell module that we are using in demo. Your feedback and questions are more than welcome on the corresponding blog page:





I was struggling to get an ECDSA certificate for my domains on Windows Server and IIS and I found no working solution for that on the Windows platform, so I decided to create a simple ACME client based on ACMESharp and BouncyCastle for that. If anyone would be interested in that, you can find it at
Feel free to use it or take pieces of code to make other ACME clients ECDSA friendly.



Hi all,

At home, I run a Windows server with IIS. I am reluctant to leave the port 80 continuously open to the Internet as there are too many scans hitting the server.
So I would like to use port 443 and perform the renewal over https. I have access to the webroot.
I cannot find any option in the program letsencrypt.exe (Let’s Encrypt Simple Windows Client) in order to do so.

Have I missed something?
Thank you,

Frédéric, Brussels


@f-d-m, for certain policy reasons the webroot-based verification (HTTP-01 challenge type) can only be performed to port 80. The TLS-SNI verification (TLS-SNI-01 challenge type) can only be performed to port 443, but requires a different kind of control over the web server than webroot verification does (because it’s about reconfiguring the certificates that the server uses, not just adding a single file to a webroot).

I don’t know whether the Simple Windows Client supports TLS-SNI-01 challenges or not, but if not, you will not be able to use it to perform validation on port 443.


Thanks @schoen for your answer. I’ll investigate that option, but I think I’m out of luck.


Hello all,

Thanks @LoneCoder for the fine tool that worked almost seamlessly; it did raise an exception while trying to delete the folder structure, saying directory not empty, both when first testing and then when for real. Thanks also to @NetoMeter for the nice tutorial. Although all went fine, by checking the certificate it says that it is expired or not yet valid. Did I miss something?

Thank you for your help in advance.



No, you didn’t.

If you see this warning in EMC, this means the Exchange server is not able to connect to the Internet and validate the certificate. That’s not something specific to the LE certificates but applicable to any certificate you install on the Exchange server - the server tries to connect and verify the certificate is valid (and not revoked for example).

Check whether the Exchange server has access to the Internet on port 80 and 443 (I don’t remember whether the check was performed over https).


Hi Schoen,

The Letsencrypt Win Simple client supports only the HTTP-01 challenge.