Win-Acme is a popular command line client that can be used to secure IIS websites with free Let's Encrypt certificates. This guide provides detailed instructions on installing the client and issuing certificates.

This article has a video guide available.

Step-by-step guides in this article:

  1. Installing Win-Acme
  2. Securing website(s) using Win-Acme
  3. How renewals work using Win-Acme

Installing Win-Acme

1. Navigate to win-acme's website and download the latest version: https://www.win-acme.com/

2. The downloaded .zip file contains an executable that we will use. Extract the zip file to a location on your server where you want to keep this executable, for example C:\win-acme.

3. Open the extracted folder, then run the wacs.exe file to ensure the command line interface appears. You can either double-click the file, or right-click it and choose to open it.

Securing website(s) using Win-Acme

1. Navigate to the folder path where you installed win-acme, then run the wacs.exe file to open the command line interface.


2. The client should ask what command you want to run. Type N and then press "Enter" to start creating a new certificate with default settings.


3. You should now be presented with a list of IIS websites. Next to each website is a number. Find the IIS site you want to secure and the number associated with it. Type the number and press "Enter".

  • Note that if you press "Enter" without typing a number, it will attempt to issue an SSL certificate for every IIS website.


4. It will now ask what bindings within the IIS site you want to secure. If you want to secure all bindings, type A and then press "Enter".

  • If you do not want to secure all bindings within the IIS site, you can type P instead, then enter a search pattern. Only the hostnames that match the pattern will be selected.


5. You will now be asked which binding should be used for the subject name for the certificate. Choose one of the bindings by typing the number associated with the binding displayed and then press "Enter".


6. You will now be asked to confirm the selection. Press Y to confirm and continue, or N to abort.

  • If you have not yet accepted the terms, you may be asked to read and accept the terms and conditions. Use the same keys here: Y to confirm or N to deny.


7. The certificate should be issued unless you encountered any issues (displayed in the command line interface). You can confirm in the IIS bindings that the HTTPS bindings are valid and using the new Let's Encrypt certificate. 

  • If you do run into issues, make sure the website is pointed to the server, otherwise this client will not work. Let's Encrypt requires that the website be pointed to the server the certificate is being issued on.
  • Pay attention to the output of the command line for any errors. Additional troubleshooting may be necessary to resolve any issues. If needed, please create a ticket with our SysOps team to investigate further.

How renewals work using Win-Acme

Let's Encrypt issues certificates that are valid for 3 months at a time. This means that Let's Encrypt certificates have a minimum of 4 renewal periods every year, so it is important to make sure that renewals are configured properly. Win-Acme sets up a scheduled task that runs once every day to check for renewals. You can view this task in Windows Task Scheduler.

You can process renewals manually by launching the command line interface (opening wacs.exe), then typing R and pressing "Enter". This will process all renewals that are due. If a certificate is not ready to be renewed but you want to force the renewal, type A and press "Enter", then type S and press "Enter".

Troubleshooting Task Scheduler

A common reason why automatic renewals stop working with win-acme is that the win-acme executable (wacs.exe) was moved to a different location or removed altogether. If the scheduled task runs every day but cannot find the executable to perform the renewals, the certificate(s) will eventually expire. You can click on the scheduled task and view the path of the executable to make sure it points to the correct location.

      


If the path location is incorrect, you can click on "Properties" within the Actions pane. Then click on the "Actions" tab and select "Edit". You can then change the path to the executable.
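
The same path check can be run from PowerShell, together with a look at how many days each Let's Encrypt certificate has left. This is an added example, not part of the original guide or of win-acme itself; it assumes the scheduled task's name contains "win-acme" and that the certificates are in the LocalMachine\My or LocalMachine\WebHosting store, and the 30-day warning threshold is a constructed value.

```powershell
# Added example: audit the win-acme renewal task and certificate expiry.
# Assumptions (not from the guide): the task name contains "win-acme" and the
# certificates are in the LocalMachine\My or LocalMachine\WebHosting store.
$TaskPattern = '*win-acme*'
$WarnDays    = 30   # constructed threshold

$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPattern }
if (-not $tasks) {
    Write-Warning "No scheduled task matching '$TaskPattern'; renewals will not run."
}

$taskReport = foreach ($task in $tasks) {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip non-executable actions
        # Expand environment variables and strip quotes before testing the path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        [pscustomobject]@{
            Task           = $task.TaskName
            State          = $task.State
            RunAs          = $task.Principal.UserId
            Executable     = $exe
            ExeExists      = Test-Path -LiteralPath $exe -PathType Leaf
            LastRunTime    = $info.LastRunTime
            LastTaskResult = '0x{0:X}' -f $info.LastTaskResult
        }
    }
}
$taskReport | Format-List
$taskReport | Where-Object { -not $_.ExeExists } | ForEach-Object {
    Write-Warning "Task '$($_.Task)' points to a missing file: $($_.Executable)"
}

# Let's Encrypt certificates and the days left before they expire
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'
Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" } |
    Sort-Object NotAfter |
    ForEach-Object {
        $days = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
            DaysLeft = $days
            Status   = if ($days -lt $WarnDays) { 'CHECK RENEWAL' } else { 'OK' }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the IIS server. A task with ExeExists set to False, or a certificate flagged CHECK RENEWAL, means the daily renewal is not completing.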


If you need any help using Win-Acme or issuing certificates, please get in touch with our Support team.