Let's Encrypt with IIS (Windows)

On Windows servers, Let's Encrypt is most easily set up using Win-ACME — a lightweight tool that issues the certificate, binds it in IIS, and renews it automatically.

Prerequisites: IIS must be installed and running. The A record of your domain must point to your server's IP. Ports 80 and 443 must be open in the Windows Defender Firewall.
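A pre-flight check for these prerequisites, written here as an added example (it is not part of the original page or of the Win-ACME project). It assumes the hostname in $Domain is the site you intend to secure; run it in an elevated PowerShell on the IIS server before starting the wizard, so that a missing piece shows up here rather than as a failed ACME validation.

```powershell
# Added pre-flight check for the Win-ACME prerequisites (example code, not the page's own).
# Assumption: $Domain is replaced with the hostname whose certificate you will request.
$Domain = "www.example.com"
$allGood = $true

# 1. IIS: the World Wide Web Publishing Service (W3SVC) must be installed and running
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($null -eq $w3svc -or $w3svc.Status -ne 'Running') {
    Write-Warning "IIS (W3SVC) is not installed or not running."
    $allGood = $false
} else {
    Write-Host "OK: IIS is running"
}

# 2. Something must actually be listening on TCP 80, because the http-01 challenge
#    that Win-ACME uses by default is answered through the site on port 80
$listen80 = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if (-not $listen80) {
    Write-Warning "Nothing is listening on port 80; the HTTP binding of the site is missing or stopped."
    $allGood = $false
} else {
    Write-Host "OK: port 80 is listening"
}

# 3. DNS: the A record must resolve to an address of this server.
#    Behind NAT the local addresses differ from the public one; in that case compare
#    $aRecords against the public IP of the router instead.
$localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$aRecords = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
if (-not $aRecords) {
    Write-Warning "No A record found for $Domain (NXDOMAIN or DNS not yet propagated)."
    $allGood = $false
} elseif (-not ($aRecords | Where-Object { $localIPs -contains $_ })) {
    Write-Warning "A record(s) $($aRecords -join ', ') do not match a local address ($($localIPs -join ', '))."
    $allGood = $false
} else {
    Write-Host "OK: $Domain resolves to this server"
}

# 4. Firewall: an enabled inbound Allow rule must cover TCP 80 and TCP 443
foreach ($port in 80, 443) {
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
             Where-Object { $_.LocalPort -eq $port -or $_.LocalPort -eq 'Any' } |
             Get-NetFirewallRule |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if (-not $rules) {
        Write-Warning "No enabled inbound Allow rule for TCP $port in Windows Defender Firewall."
        $allGood = $false
    } else {
        Write-Host "OK: inbound TCP $port is allowed by rule '$($rules[0].DisplayName)'"
    }
}

if ($allGood) { Write-Host "All prerequisites satisfied; you can start wacs.exe." }
else          { Write-Warning "Fix the items above before running Win-ACME." }
```

The firewall check only proves that a local rule exists; an upstream router or cloud security group blocking port 80 still produces the "Could not connect to port 80" error listed at the end of this page, which is why the DNS and listener checks are separate.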

Step 1: Download Win-ACME

Download Win-ACME from the official website.

Download the latest release from win-acme.com and extract the archive — e.g. to C:\win-acme.

Always run Win-ACME as Administrator — the tool needs to write certificates to the Windows certificate store and modify IIS bindings.

Step 2: Issue the certificate

Launch Win-ACME and follow the interactive wizard.

Open PowerShell as Administrator, navigate to the Win-ACME directory, and start the tool:

PowerShell
cd C:\win-acme
.\wacs.exe

In the interactive menu, select the following options:

Step          | Selection
--------------|-----------------------------------------------------
Main menu     | N — Create certificate (default settings)
Source        | 1 — IIS — Read all bindings from IIS
Select site   | Enter the number of the desired IIS website
Bindings      | Select all bindings or only specific ones
Installation  | Win-ACME automatically binds the certificate in IIS

Step 3: Redirect HTTP to HTTPS

Set up a redirect in IIS so all HTTP requests are forwarded to HTTPS.

Install the URL Rewrite module for IIS if not already present, then add the following rule to your website's web.config:

C:\inetpub\wwwroot\web.config
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Step 4: Verify automatic renewal

Win-ACME automatically creates a scheduled task for renewal. You can confirm it exists with:

PowerShell
Get-ScheduledTask | Where-Object {$_.TaskName -like "*win-acme*"}

The task runs daily and renews certificates that expire within 30 days. No further action is needed.
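A post-installation check covering Step 3 and Step 4 together, added here as an example (it is not the page's own code and not part of Win-ACME). It assumes $Domain is the hostname of the site, that the WebAdministration module is available (it ships with IIS), and that the certificate was bound on port 443 as the wizard does; it verifies that HTTP answers with a permanent redirect to HTTPS, that the bound certificate is the Let's Encrypt one with enough validity left, and that the renewal task is enabled and its last run succeeded.

```powershell
# Added verification script (example code, not the page's own).
# Assumption: $Domain is replaced with the hostname of the IIS site that was secured.
$Domain = "www.example.com"
Import-Module WebAdministration
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1

# 1. Step 3 check: a plain HTTP request must get a 301 with an https:// Location.
#    Automatic redirects are disabled so the redirect response itself can be inspected.
$handler = New-Object System.Net.Http.HttpClientHandler
$handler.AllowAutoRedirect = $false
$client  = New-Object System.Net.Http.HttpClient($handler)
$resp    = $client.GetAsync("http://$Domain/").Result
$status  = [int]$resp.StatusCode
$location = if ($resp.Headers.Location) { $resp.Headers.Location.AbsoluteUri } else { "" }
if ($status -eq 301 -and $location -like "https://$Domain/*") {
    Write-Host "OK: HTTP redirects permanently to $location"
} else {
    Write-Warning "HTTP -> HTTPS redirect not working (status $status, Location '$location'); check the URL Rewrite rule in web.config."
}

# 2. Step 2 result: find the https binding for the site (SNI binding with the hostname,
#    or a host-less *:443: binding) and inspect the certificate it points to.
$hostPattern = [regex]::Escape($Domain)
$binding = Get-WebBinding -Protocol https |
           Where-Object { $_.bindingInformation -match ":443:($hostPattern)?$" } |
           Select-Object -First 1
if (-not $binding) {
    Write-Warning "No https binding on port 443 found for $Domain in IIS."
} else {
    # certificateStoreName and certificateHash tell us exactly where IIS looks for the cert
    $certPath = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
    $cert = Get-Item $certPath -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding references thumbprint $($binding.certificateHash) but no such certificate is in $($binding.certificateStoreName)."
    } else {
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        Write-Host "Bound certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter) ($daysLeft days left)"
        if ($cert.Issuer -notlike "*Let's Encrypt*") {
            Write-Warning "The bound certificate was not issued by Let's Encrypt; the wizard may have bound a different one."
        }
        # Win-ACME renews at 30 days remaining (see above); anything below that means
        # the renewal task has not done its job and needs attention.
        if ($daysLeft -lt 30) {
            Write-Warning "Certificate expires in $daysLeft days; renewal should already have happened."
        }
    }
}

# 3. Step 4 check: the renewal task must exist, be enabled, and its last run must have
#    returned 0 (success). LastTaskResult is 0x41303 (267011) when it has never run yet.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like "*win-acme*" } | Select-Object -First 1
if (-not $task) {
    Write-Warning "No win-acme scheduled task found; re-run wacs.exe and let it (re)create the task."
} else {
    $info = $task | Get-ScheduledTaskInfo
    Write-Host "Renewal task '$($task.TaskName)': state $($task.State), last run $($info.LastRunTime) (result $($info.LastTaskResult)), next run $($info.NextRunTime)"
    if ($task.State -eq 'Disabled') {
        Write-Warning "The renewal task is disabled; enable it with Enable-ScheduledTask -TaskName '$($task.TaskName)'."
    }
    if ($info.LastTaskResult -ne 0 -and $info.LastTaskResult -ne 267011) {
        Write-Warning "The last renewal run failed (result $($info.LastTaskResult)); run wacs.exe --renew manually to see the error."
    }
}
```

Running this from a workstation instead of the server works for the redirect check only; the binding, certificate store and scheduled task checks must run on the IIS host itself, in an elevated session.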

Common error messages

Error                        | Cause & fix
-----------------------------|---------------------------------------------------------------------------
Could not connect to port 80 | Port 80 is blocked by the Windows Defender Firewall or an upstream router.
DNS problem: NXDOMAIN        | The domain's A record does not point to this server. Check DNS.
Access denied                | Win-ACME was not run as Administrator. Restart PowerShell as Admin.

Further Documentation

For more information on Win-ACME, refer to the official documentation.