Using Certbot in Windows - the pragmatic way

First - do not install the suggested version, certbot-beta-installer-win32.exe.

Better to install Python! Preferably the Windows installer (64-bit) from the Python site.

Then just install Certbot in a command line:

python -m pip install certbot

and after that you can also install plugins

python -m pip install certbot-dns-desec

or

python -m pip install certbot-dns-rfc2136

Yes! This version also works with plugins!

Then you can use certbot as usual in a command line with administrator rights.

When all certificates have been fetched and after a successful trial run

certbot renew --dry-run

create a file 'renewal.bat' (or whatever-you-want.bat) with the content

certbot renew

and enter this file in the task scheduler in Windows. Run it daily under the Administrators account. Enter a batch in 'C:\Certbot\renewal-hooks\deploy' that restarts your web server, e.g.

net stop nginx
net start nginx
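As an added example (not the original poster's code), the scheduling steps above in one PowerShell script run from an elevated prompt: it writes renewal.bat, drops an nginx restart hook into C:\Certbot\renewal-hooks\deploy, runs the dry run, and registers the daily task. It assumes the pip-installed certbot.exe is on the PATH of the account running the task, that nginx runs as a Windows service named "nginx", and it registers the task as SYSTEM so it does not depend on a logged-on Administrator (the post above uses the Administrators account instead).

```powershell
# Added example: automate the renewal scheduling described in the post above.
# Assumptions: certbot.exe (pip install) is on the PATH of the task account,
# and nginx runs as a Windows service named "nginx". Run from an elevated prompt.

$CertbotDir = 'C:\Certbot'                       # Certbot's default config dir on Windows
$DeployDir  = Join-Path $CertbotDir 'renewal-hooks\deploy'
$RenewalBat = Join-Path $CertbotDir 'renewal.bat'

# 1. renewal.bat: the command the scheduled task runs every day.
#    'certbot renew' only replaces certificates close to expiry, so daily is cheap.
New-Item -ItemType Directory -Path $DeployDir -Force | Out-Null
Set-Content -Path $RenewalBat -Encoding Ascii -Value @(
    '@echo off',
    'certbot renew'
)

# 2. Deploy hook: Certbot runs scripts in this folder only after a certificate
#    was actually renewed, so the web server restarts just when needed.
Set-Content -Path (Join-Path $DeployDir 'restart-nginx.bat') -Encoding Ascii -Value @(
    '@echo off',
    'net stop nginx',
    'net start nginx'
)

# 3. Trial run first; do not schedule anything until it succeeds.
certbot renew --dry-run
if ($LASTEXITCODE -ne 0) { throw 'certbot renew --dry-run failed; fix that before scheduling.' }

# 4. Daily scheduled task, elevated, running as SYSTEM (no interactive logon needed).
$Action    = New-ScheduledTaskAction -Execute $RenewalBat
$Trigger   = New-ScheduledTaskTrigger -Daily -At '03:30'
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Certbot Renewal' -Action $Action -Trigger $Trigger `
    -Principal $Principal -Description 'Daily Let''s Encrypt renewal via Certbot' -Force | Out-Null
```

Check the task's last run result in Task Scheduler after the first night; a non-zero result usually means certbot.exe was not found on the SYSTEM account's PATH.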

That's it. Maybe, in a far, far, far away future, the Windows version will work...

PS
If you are interested, I can also give hints on how to solve the following problems:

  • Assignment of rights to folders and files in the certbot directory.
  • How can I restart my server if it is not running as a service but as a normal program (e.g. WinNMP)? Unfortunately you cannot do this in Certbot hook scripts.

does this work?

2 Likes

No. Sadly not.

2 Likes

start (Microsoft Docs, 01/05/2022): Starts a separate Command Prompt window to run a specified program or command.

Yes, I know, and Certbot still waits.

It looks like certbot-dns-desec is already installed in your first command?

It has come to my attention that it's indeed possible to install Certbot using pip on Windows, but for many novice users, installing Python and using pip is rather difficult and using the installer works better.

That said, it's indeed very difficult to use alternative plugins that way, so it really depends on the skills of the users and, more importantly, the requirements of the user.

One might even argue perhaps Certbot isn't the best option for Windows at all, being a CLI application. Nothing wrong with a CLI application, obviously, but perhaps the same reasons to prefer an installer instead of using pip to install Certbot in the first place are also an argument to not prefer a CLI application at all.

4 Likes

Yes, that was my mistake. I corrected.

I don't think a user looking for a program to install and automatically update Let's Encrypt certificates for his web server is an inexperienced user. Do you think so?

Python is also installed with an installer, so you only have one more command line input compared to the Certbot installer. From then on, the use of Certbot is identical. But you have the plugin support. And despite the chic installation program, the Windows program will probably not be able to do that in the foreseeable future. And the plugins have many, many benefits.

I don't understand what you actually want to say either. Not using Certbot at all? Or just not on Windows? Or not publicize this alternative at all? Anyway, I'm glad I found this opportunity.

1 Like

This is one of the main audience for Let's Encrypt and Certbot: bring HTTPS to everyone, no matter how little skill one has.

There are perhaps other Windows ACME clients more suitable for some (inexperienced) users.

I'm not criticising your method in any way, I think it's indeed a good if not the best way to install Certbot if third party plugins are required. However, if that latter part is not the case, I'm not really sure what the benefit is above the Certbot installer :slight_smile:

4 Likes

Unfortunately, Certbot is miles away from this lofty goal, both on Windows and Linux. But you have my best wishes. Until then, I prefer to use a way that works.

Just use them both with a simple batch file as a hook.

Content of empty.bat

@echo off

certbot certonly ^
   --standalone ^
   --dry-run ^
   --pre-hook "C:\Certbot\empty.bat" ^
   --preferred-challenge http ^
   -d me.example.de

You will immediately understand the difference - and thus the reason for my approach. I'm sure.

Which ones can you recommend?

Wacs and Certify the Web are the most common, one is CLI and one GUI.

5 Likes

I don't see any difference with that .bat contents between installing using the installer and installing using separate Python and pip :wink:

I run Gentoo Linux as my main OS, so I'm not familiar with Windows ACME clients to be honest.

3 Likes

It doesn't matter if you, as a Linux user, have no experience with Windows. It's surprising, however, why you're so attached to your idea. :grin:

However, the solution is simple, the program installed with the installer aborts with an error message, the one installed with pip works. That was also a reason why I use and recommend the solution described.

I respect your opinion, but as a daily Windows user, allow me to have a different one. I can only recommend other Windows users to use Certbot via the procedure described. Because this is not more complicated and at least works.

1 Like

As a daily Windows user myself (last six months, coming from 10 years on MacOS and 5+ on Debian derivatives), I would NEVER imagine using Windows on a server.

(I mean, am I really a Windows user if I have a WSL2 Debian Sid terminal always open?)

3 Likes

I second this. When working with Windows - especially IIS, those seem to be a lot better than certbot (based on user feedback sent to me).

Certbot and its friends are good choices for *Nix based OS, where some familiarity with a command line is essential. Here Certbot can be a good choice, but I never really saw Certbot + Windows as a particularly good choice - Windows is just too different, and Certbot wasn't really designed for Windows.

6 Likes

But that involves a third-party plugin specifically, right?

3 Likes

I don't want to discuss here whether Windows or *nix is better or which is better suited as a server. If you have time for this, please use it. I do not have it. If you want to be right, you can have it. I do not need it.

This post is intended for those who use Windows and want to use Certbot. Whether for IIS, Apache, nginx or whatever. Anyone who has problems or questions of understanding is welcome. Everyone else, please play somewhere else.

And if Windows and Certbot are so impractical, why is Certbot also developed for Windows? Think about it, but please don't tell me.

Neither do I, and I'm not telling you that Windows is rubbish on a server, I'm telling you that I wouldn't imagine using it, mainly because I wouldn't know where to start. So I naturally find *nix easier.

As for security and stability, I'm sure Microsoft has a lot of engineers thinking and working on it, and with appropriate hardware it shouldn't be much different than RHEL or similar.

2 Likes

Well, as you also don't answer my specific question, I'm also done with this thread :slight_smile: Good luck with it.

2 Likes

Thank you. :wink:

But seriously, what have you not understood? What third party plugin do you mean? The questions should be a bit clearer.

1 Like

As a related aside, Certbot is moving to 64-bit only on Windows, which will involve uninstalling the 32-bit app first, not sure if the renewals auto upgrade or not.

As the developer of Certify The Web (this GUI, which has been around for the last 6 years or so) I think having a variety of ACME clients on each OS is great and it enables many different ways of working and caters for different user experience levels and workflow preferences.

It's great that Certbot ported to Windows, obviously there are a few gaps here and there but I'd rather see them port to Windows than not. Recent numbers put them at about 15K users, by contrast CTW has in excess of 120K and I'd estimate win-acme (command line!) has about 400K users (in particular for MS Exchange and RDP gateways) so Certbot can expect growing pains as they gather adoption on the platform and get more demands from users.

Obviously I'm biased towards Certify The Web, because I'm the developer but also because it has the most capabilities built-in including native PowerShell integration, a wide range of DNS providers (many via Posh-ACME), many pre-built deployment tasks (including nginx & apache, with vhost config read/writes coming in future versions), native IIS support, an always-on background management service and of course, the UI. A Linux version with an optional web based UI is also in the works (honest!). The caveat (which is a big deal for individuals, but not for businesses) is that it's free only for non-commercial use (but you do get support) - the vast majority of users still use the free version.

I have found that there are many thousands of users on both Linux and Windows who are not experienced system administrators yet who are responsible for one or more servers. Apps that make things easier so it "just works" do have a role to play.

Regarding the suitability of Windows as a server, this really comes up due to people's experience bias and comfort levels, most people who "don't like" Windows are not referring to a technical reason (Windows before Server 2022 lacks native support for TLS 1.3, there you go!), they just have more experience with Linux (or they want the cheaper VM licensing costs).

6 Likes

2022? TLS 1.3 was standardized in August 2018. That's a long time.

It's strange though: on *nix the support depends on openssl, gnutls, rustls, etc... because the applications import them.

On Windows... how does that work?

2 Likes