SSL Certificate Verification Issue with Certbot on Windows

I am experiencing difficulties when trying to obtain a free SSL/TLS certificate from Let's Encrypt using Certbot in a Windows environment. After entering my email address and starting the certificate acquisition process, I encounter the following error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

This error appears to indicate that Certbot is unable to verify the validity of the Let's Encrypt server's SSL certificate due to an issue with local SSL certificate verification on my system. I have attempted several solutions, such as updating Certbot and its dependencies, checking and updating trusted root certificates on my operating system, and temporarily disabling the firewall and antivirus software. However, the issue persists.

I would appreciate guidance on how to resolve this problem and successfully obtain the SSL/TLS certificate using Certbot in my Windows environment.

Any help or suggestions would be greatly appreciated. Thank you!


Please don't. Certbot on Windows isn't supported anymore.

Yeah, I have no idea which trust root Certbot on Windows is using.


"Is it really not possible to apply Certbot on Windows? Or is there some way to do it? I can't believe it's not possible, it's 2024."

I'm not sure.

It should definitely run in WSL. The linked thread should have some info on that.

The easy solution is to move to a Windows-native ACME client. ACME Client Implementations - Let's Encrypt


"Would you recommend WinAcme?"

It's the usual choice, I think. Never used it myself.

Certify The Web may be easiest with its GUI.


If you are using IIS then I would suggest using either (I am the developer) or win-acme (which my company also sponsors the developer for on GitHub!).

If you are trying to get certs for Apache or nginx you can still use these apps to do that as well. Certbot would work but I suspect the problem is that your machine certificate store does not have ISRG Root X1 installed under Trusted Root Certification Authorities. This will be either because you have Windows updates turned off (or blocked) or root CA updates are disabled by group policy or registry settings. Either way, your server is misconfigured and at risk of communication failures and other problems.

You can manually install the ISRG Root X1 cert into the store but normally that would be automatic.
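
The two conditions named in the post above (ISRG Root X1 missing from Trusted Root Certification Authorities, and root CA updates disabled by policy) can be checked read-only from PowerShell. This is an added example, not part of the thread or of any client mentioned in it; the `DisableRootAutoUpdate` policy value and the `wuauserv` service check are assumptions about where those settings live on a given machine.

```powershell
# Added example: read-only checks, nothing is installed or changed.
$RootCommonName = 'ISRG Root X1'   # root CA named in the post

function Find-TrustedRoot {
    param([Parameter(Mandatory)][string]$CommonName)
    # Match the CN exactly, not as a substring of a longer name.
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store    = $store
                    Subject  = $_.Subject
                    NotAfter = $_.NotAfter
                    Expired  = ($_.NotAfter -lt (Get-Date))
                }
            }
    }
}

function Get-RootAutoUpdatePolicy {
    # Assumption: Group Policy sets DisableRootAutoUpdate = 1 under this key
    # when automatic root certificate updates are turned off.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $entry = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent      = (Test-Path -Path $key)
        DisableRootAutoUpdate = $entry.DisableRootAutoUpdate
        AutoUpdateDisabled    = ($entry.DisableRootAutoUpdate -eq 1)
    }
}

$roots = @(Find-TrustedRoot -CommonName $RootCommonName)
if ($roots.Count -eq 0) {
    Write-Output "$RootCommonName is NOT present in the Trusted Root stores."
} else {
    $roots | Format-Table -AutoSize
}

Get-RootAutoUpdatePolicy | Format-List

# Windows Update service state, for the "updates turned off" case.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType | Format-List
```

An empty result from the store check together with `AutoUpdateDisabled : True` matches the misconfiguration described in that post.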


It seems there was an authorization error while attempting to validate the domain using the http-01 validation method. The ACME server received an invalid response from the provided URL, resulting in an "unauthorized" status with a 403 Forbidden error. This could be due to various reasons, such as misconfiguration or restrictions on the server side. Further investigation is needed to resolve the issue.

My backend stays in Firebase.
What do you recommend, knowing that I have the backend on that platform? I store both (the frontend and the backend) in a GitLab repository. PS: I'm a developer too! :wink:

You can't get a cert for one domain name/IP when at another domain name/IP.
If the firebase system needs a cert, it must get it for itself.
[when using HTTP authentication, each system/IP must handle its certs separately]


So, if I'm on firebase I can't get a certificate?
And do you know if I can get it from Zscaler?

Can you control the system at the firebase IP?
You would have to be provided with access to a panel that can issue certs OR login information to their server and have enough rights to install an ACME client.
If you have neither, then you need to speak with firebase about how to obtain a cert for your use on their server.

