I am trying to get Let's Encrypt set up on Tomcat on Windows, which is running on ports 8080/8443. So far I have been using the letsencrypt-win-simple GitHub project to do so. I have things working if there is IIS running: I just perform the ACME challenge using IIS. I can get the certs using IIS since it’s running on ports 80/443 and then use them with Tomcat. My problem is when I don’t have IIS running; I’m not sure how I can get my certs then. I know about the dns-01 challenge, but I’m not sure I would really be able to automate that; from what I’ve seen, that requires an API to be provided by the hosting company, and I’m using a smaller company that I’m unsure of whether they provide that feature. All I can really think to do, if I want to keep using the ACME challenge, is to stand up IIS for the sole purpose of getting certs, but I would rather not do that if possible.
I guess I’m just looking for some guidance to see if there is anything I haven’t thought of or if anything new has developed that might change the answer to my question. I apologize because I know this has been asked several times and there are other posts that are very close to my own.
Nope, you’ve got to use standard ports. There are plenty of ways that someone could have access to a server such that they could open and listen on high-numbered ports without actually having any authoritative control over the domain itself.
The best option would be to script it so that there’s a listener on 80 (IIS probably) that gets started right before renewal attempts and stopped right after.
@ahaw021 He was trying to avoid running IIS full time.
@CharlesS Is there any particular reason you can’t configure Tomcat to listen on ports 80 and 443 on this server? Then you could complete http-01 authentication by just passing c:\path\to\tomcat\webapps\ROOT as your webroot.
If you’re worried about breaking existing links and bookmarks, you can define additional <Connector>s for this, so you can keep Tomcat listening on 8080/8443 as well.
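As an added illustration of that answer (example configuration, not from any post in this thread), here is what the extra connectors look like in Tomcat's conf/server.xml. It assumes Tomcat 8.5 or later (SSLHostConfig syntax), and the keystore file name and password are placeholders; the http-01 challenge files then land under webapps\ROOT\.well-known\acme-challenge\ and are served on port 80.

```xml
<!-- Added example: conf/server.xml fragment, not from the original thread.
     Existing 8080/8443 connectors stay untouched; two more are added so the
     same webapps/ROOT webroot is also reachable on the standard ports.
     Keystore path and password below are placeholders, not real values. -->
<Service name="Catalina">

  <!-- Existing connector: keeps old links/bookmarks on :8080 working -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- Added connector: plain HTTP on :80 so the ACME http-01 validation
       request for /.well-known/acme-challenge/<token> is answered by
       Tomcat itself, without IIS. Nothing else needs to run on :80. -->
  <Connector port="80" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <!-- Added connector: HTTPS on :443 using the issued certificate.
       letsencrypt-win-simple can export a PKCS#12 (.pfx) bundle; point
       certificateKeystoreFile at it. Restart Tomcat after each renewal
       so the new certificate is loaded. -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/letsencrypt-placeholder.pfx"
                   certificateKeystorePassword="PLACEHOLDER-CHANGE-ME"
                   certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

If IIS or any other HTTP.sys-based service is still bound to 80/443 on the box, Tomcat will fail to start these connectors; check the Tomcat logs for a bind error after the change.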