Use on windows server

I just found out about certbot for Windows Server! I am looking at using it on Windows Server 2016.

Is there a recommended way to run the “standalone” mode at boot / as a service?


The Windows documentation (https://certbot.eff.org/lets-encrypt/windows-other) mentions:

The Certbot installation on your system comes with a pre-installed Scheduled Task that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration

If you are using --standalone, the Scheduled Task will automatically run the standalone server during certificate renewal as required.


automatically run the standalone server during certificate renewal as required

I read that. Maybe I am misunderstanding, but I thought you run the standalone plugin and then HTTP requests to the server triggered requesting a certificate, so I would also need to have that running, right?

Or is that the part you have to hook up on your own on Windows?


It’s like this:

  • Certbot scheduled task runs twice a day and looks at each existing certificate to see whether it needs to be renewed.
  • Certbot sees that certificate for example.com is expiring in less than 30 days, and begins performing a renewal attempt.
  • Certbot creates a certificate order for example.com and receives the challenge token that it needs to publish at a pre-defined URL.
  • In order to fulfill the challenge, Certbot starts up a web server on port 80, which answers with the token.
  • Certbot tells Let’s Encrypt that the challenge is ready.
  • Let’s Encrypt connects to the standalone server and checks that the challenge response matches.
  • Certbot stops the standalone server.
  • Let’s Encrypt issues the certificate and Certbot downloads it.

This is assuming that at one point in the past, you set up the certificate with e.g.:

certbot certonly --standalone -d example.com
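As an added example (not from this thread and not Certbot's own code), here is a PowerShell pre-flight check for the renewal flow described above: it confirms that a Certbot scheduled task exists, that nothing else is already listening on port 80 (which the standalone server must bind during renewal), and then exercises the whole order/challenge/issue sequence with a dry run. The task-name pattern and the presence of certbot.exe on PATH are assumptions.

```powershell
# Added example: pre-flight check for Certbot standalone renewal on Windows Server.
# Assumptions: the Certbot task name contains "certbot" (adjust the pattern to what
# Get-ScheduledTask shows on your host) and certbot.exe is on PATH.

# 1. Is the renewal scheduled task present, and in what state?
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like '*certbot*' }
if (-not $task) {
    Write-Warning "No Certbot scheduled task found; renewals will not run automatically."
} else {
    $task | Select-Object TaskName, State | Format-Table -AutoSize
}

# 2. The standalone server binds port 80 only while a challenge is being served.
#    If another service (IIS, a reverse proxy) already listens there, the
#    challenge cannot be answered and the renewal fails.
$listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("Port 80 is already in use by PID {0} ({1}); standalone renewal will fail." -f `
        $l.OwningProcess, $owner.ProcessName)
}

# 3. Run the full renewal flow against the staging environment without
#    replacing the live certificate, to confirm the challenge is reachable.
certbot renew --dry-run
```

Run it from an elevated PowerShell session, since reading scheduled tasks and owning-process details on port 80 needs administrator rights.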

Thanks for the detailed response!
