Windows Server 2012 R2 + IIS + certbot

My domain is:

The server uses Windows Server 2012 R2, IIS is enabled and I have installed certbot 2.6.0 (download here Releases · certbot/certbot · GitHub).

I ran this command:
(In powershell, check the print let01.png)
certbot only

It produced this output:

PS C:\Windows\System32\WindowsPowerShell\v1.0> certbot certonly
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):
Requesting a certificate for
Input the webroot for (Enter 'c' to cancel): C:\inetpub\wwwroot

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Type: connection
Detail: Fetching
r_x3Ian9oec: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the lis
ted domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from
the internet.

←[31mSome challenges have failed.←[0m
Ask for help or search for solutions at See the logfile C:\Certbot\log\letsencrypt.lo
g or re-run Certbot with -v for more details.
PS C:\Windows\System32\WindowsPowerShell\v1.0>
PS C:\Windows\System32\WindowsPowerShell\v1.0>
PS C:\Windows\System32\WindowsPowerShell\v1.0> certbot --version
certbot 2.6.0
PS C:\Windows\System32\WindowsPowerShell\v1.0>

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: company internal server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

I searched for guidance, but I only find certbot + linux.
Would it be possible to guide me, how do I get the certificate to use in IIS 8 with Server 2012 R2?

Your domain cannot be reached using HTTP requests from the public internet. At least, not from the locations I tried. Let's Encrypt servers need to reach your domain to validate you control it. The Let's Debug test site is a good way to check communications.

Check your company firewalls to ensure they allow these requests

You could also try using the DNS Challenge. Certbot supports Route53 for this but I am not sure it does on Windows. Even if the DNS Challenge works to get you a cert anyone trying to reach your site would still fail due to the comms problem shown.


In addition, if you're using IIS you may find it easier to use one of the Windows-native clients, rather than Certbot (which as you say is really Linux-focused even if you can run it on Windows). Certbot won't give you a certificate in the way that IIS can use without some additional scripting.

But regardless, as just said your site needs to be accessible, or you need to use the DNS challenge, in order to get a certificate.


Both Ports 80 and 443 are Closed; the HTTP-01 challenge of the Challenge Types - Let's Encrypt requires open access to Port 80. Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443
Starting Nmap 7.80 ( ) at 2023-06-30 07:38 PDT
Nmap scan report for (
Host is up (0.20s latency).
rDNS record for

80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.