How does Letsencrypt work for Windows IIS?


Does it create the file with the complete chain, as that seemed a bit of a gap in the previous version and hence why Mozilla could not authenticate the cert even after other browsers worked?
Will try this new version out and give you feedback once done.


You can use fullchain.pem if you want, it has the server’s certificate and the intermediates all in one file. You can also use cert.pem (the server’s issued certificate) and chain.pem (the intermediate certificates) individually for systems where that is a better idea.
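The relationship between the three files described above can be checked mechanically. This is an added example, not part of the thread or of any Let's Encrypt client; the function names and the sample PEM blocks are constructed, and the blocks are labelled placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]

def fingerprints(text):
    """SHA-256 fingerprint of each certificate in a PEM file."""
    return [hashlib.sha256(der).hexdigest() for der in split_pem(text)]

def check_bundle(cert_pem, chain_pem, fullchain_pem):
    """Compare the three files and list what a server admin should fix."""
    leaf, chain, full = map(fingerprints, (cert_pem, chain_pem, fullchain_pem))
    problems = []
    if len(leaf) != 1:
        problems.append("cert.pem should hold exactly one certificate")
    if not chain:
        problems.append("chain.pem holds no intermediate certificate")
    if len(full) < 2:
        problems.append("fullchain.pem holds no intermediate; clients that do "
                        "not fetch missing intermediates cannot build a path")
    elif full != leaf + chain:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems

def _fake_pem(label):
    # Constructed stand-in: NOT a real certificate, only labelled bytes.
    b64 = base64.b64encode(label.encode() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

SAMPLE_CERT = _fake_pem("leaf")
SAMPLE_CHAIN = _fake_pem("intermediate")

if __name__ == "__main__":
    # Complete bundle, then a bundle that is missing its intermediate.
    print(check_bundle(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_CERT + SAMPLE_CHAIN))
    print(check_bundle(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_CERT))
```

On a real server, pass the contents of the three files the client wrote instead of the sample strings.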


LoneCoder, Superb work!

Can you confirm that if you run the .exe several times then all certificates are updated? I noticed only one task is created (which is good). Does it look in a config file for the domains to be updated?



LoneCoder, also, if I have set up an IIS redirect for all non-www and non-https traffic to go to https://www, will that still work, as I thought the confirmation from letsencrypt has to have access to www? Regards.


The config data is stored as JSON in the Windows registry under HKCU\Software\letsencrypt-win-simple


Hi @LoneCoder,

You should consider the use of the new ASP.Net vNext / ASP.Net 5 stuff as there is a self-hosted server which integrates with Http.Sys: (WebListener)

The advantage of this is that you benefit from the port sharing so it can run along-side IIS or any other web server on port 80. The challenge can then be completed without additional configuration, as long as the domain in question is pointing at the server.

Of course, the Owin server (Katana) could also be used.


Thanks. The only thing I need to confirm now is the port 80 traffic that I redirect to 443 (http to https): will that prevent any validation?

Thanks in advance.


I wonder whether you can add options for using port 80 or 443 in your software, just like the plugin “Standalone”:

To obtain a cert using a “standalone” webserver, you can use the standalone plugin by including certonly and --standalone on the command line. This plugin needs to bind to port 80 or 443 in order to perform domain validation, so you may need to stop your existing webserver. To control which port the plugin uses, include one of the options shown below on the command line.

--standalone-supported-challenges http-01 to use port 80
--standalone-supported-challenges tls-sni-01 to use port 443

so that the web servers with blocked port 80 can receive certs through port 443.



Yea, now it no longer just closes out. If there is an error it pops it and in RED also which is great.

The certificate generated only works with or but does not work with both. Also, with Mozilla, it is not able to trace back to the CA although Edge and Chrome work fine and trace back fully to the cert authority.

LoneCoder, is there a way to also drop the certificate chain file within the same folder as all the other pem files?


Hi LoneCoder,

I’m trying to get working on my Windows 2008 R2 server but am receiving an “Authorization Result: invalid” error. The acme-challenge file is being created and I have verified that it’s accessible via a browser…

Is there something obvious I might be overlooking? Is there any way I can find out why the result is coming back “invalid”?



I believe once you have received an ‘invalid’ result for an Authorization you need to start again with a new Identifier (same hostname/domain, different alias). So if it failed because of an earlier configuration problem, it will continue to be invalid for the original identifier (correct me if I’m wrong!).


Thanks for your response webprofusion,

Can you clarify what you mean by “identifier” and “alias”, is this something in the letsencrypt-win-simple configuration or something in IIS?

I’ve tried removing the C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple folder and running the exe again, this time with a different email address but it gets the same result…


v0.97 still does not work normally. How do I delete the previous version's config?


I guess he is talking about the subdomain, e.g. the www in


Hmmm… I’ve tried 3 different domains now:, and have exactly the same behaviour, the acme-challenge file is browsable but “Authorization Result: invalid”…


Double check the permissions on .well-known and acme-challenge.


The folders are writable by my command line user (letsencrypt.exe is after all creating them fine).
They are also accessible by the web site’s user (as they are viewable in a web browser; the URL returns the response code string and HTML response code of 200…)


My IIS 8.5 server gives a response code of 500.


We need a little more information to be able to help.

What’s your domain name?

What command are you running (or link trying to reach) when you get a server response code of 500?


I just found a reason. When I use the tool v0.971, it automatically creates a web.config file in the acme-challenge folder.

The file shows mimeMap fileExtension="." mimeType="text/json"

I tried deleting the file and it was OK.

Then using the tool just works.
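The post does not say why the generated web.config led to a 500. One known IIS failure is a mimeMap for an extension that a higher-level config already maps, which IIS rejects as a duplicate collection entry unless a remove element precedes it; the check below looks for that case, assuming it was the cause. It is an added example, not part of the thread or of letsencrypt-win-simple, and the parent config and all function names are constructed.

```python
import xml.etree.ElementTree as ET

def _entries(config_xml):
    """Children of every <staticContent> element, in document order."""
    root = ET.fromstring(config_xml)
    return [el for sc in root.iter("staticContent") for el in sc]

def _replay(entries, inherited):
    """Apply <clear/>, <remove/> and <mimeMap/> in order, as a merge would.
    Returns (extensions now mapped, extensions added while already mapped)."""
    mapped, dupes = set(inherited), []
    for el in entries:
        ext = el.get("fileExtension", "")
        if el.tag == "clear":
            mapped.clear()
        elif el.tag == "remove":
            mapped.discard(ext)
        elif el.tag == "mimeMap":
            if ext in mapped:
                dupes.append(ext)
            mapped.add(ext)
    return mapped, dupes

def mime_collisions(parent_xml, child_xml):
    """Extensions the child config maps although the parent already does."""
    inherited, _ = _replay(_entries(parent_xml), set())
    return _replay(_entries(child_xml), inherited)[1]

# Constructed sample configs (assumed for illustration, not from the thread).
PARENT = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension="." mimeType="text/plain" />
</staticContent></system.webServer></configuration>"""

# Shaped like the entry quoted in the post above.
GENERATED = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension="." mimeType="text/json" />
</staticContent></system.webServer></configuration>"""

# Same entry, preceded by a <remove/> so it cannot collide.
SAFE = GENERATED.replace(
    "<mimeMap", '<remove fileExtension="." />\n  <mimeMap', 1)

if __name__ == "__main__":
    print(mime_collisions(PARENT, GENERATED))
    print(mime_collisions(PARENT, SAFE))
```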