On Windows servers, Let's Encrypt is most easily set up using Win-ACME — a lightweight tool that issues the certificate, binds it in IIS, and renews it automatically.
Prerequisites: IIS must be installed and running. The A record of your domain must point to your server's IP. Ports 80 and 443 must be open in the Windows Defender Firewall.
Download the latest release from win-acme.com and extract the archive — e.g. to C:\win-acme.
Always run Win-ACME as Administrator — the tool needs to write certificates to the Windows certificate store and modify IIS bindings.
Open PowerShell as Administrator, navigate to the Win-ACME directory, and start the tool:
In the interactive menu, select the following options:
| Step | Selection |
|---|---|
| Main menu | N — Create certificate (default settings) |
| Source | 1 — IIS — Read all bindings from IIS |
| Select site | Enter the number of the desired IIS website |
| Bindings | Select all bindings or only specific ones |
| Installation | Win-ACME automatically binds the certificate in IIS |

Install the URL Rewrite module for IIS if not already present, then add the following rule to your website's web.config:

The task runs daily and renews certificates that expire within 30 days. No further action is needed.

| Error | Cause & fix |
|---|---|
| Could not connect to port 80 | Port 80 is blocked by the Windows Defender Firewall or an upstream router. |
| DNS problem: NXDOMAIN | The domain's A record does not point to this server. Check DNS. |
| Access denied | Win-ACME was not run as Administrator. Restart PowerShell as Admin. |
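
The prerequisites and the three errors in the table above can be checked before running Win-ACME. The script below is an added example, not part of Win-ACME or of the original page; `$Domain` and `$ServerIp` are placeholder values to replace with your own.

```powershell
# Added example: pre-flight check for the prerequisites listed on this page.
# $Domain and $ServerIp are constructed placeholders (assumptions).
param(
    [string]$Domain   = 'www.example.com',
    [string]$ServerIp = '203.0.113.10'
)

$results = [ordered]@{}

# "Access denied": the PowerShell session must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Elevated session'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# IIS must be installed and running (W3SVC is the IIS web publishing service).
$svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$results['IIS running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# "DNS problem": the A record must resolve to this server's public IP.
# This uses the server's own resolver, so split-horizon DNS can hide a problem.
$a = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' }
$results['A record -> server IP'] = ($a.IPAddress -contains $ServerIp)

# "Could not connect to port 80": look for an enabled inbound allow rule
# that names the port. Port ranges and "Any" rules are not evaluated here.
$allow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($port in 80, 443) {
    $hit = $allow | Get-NetFirewallPortFilter |
           Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" }
    $results["Firewall allows TCP/$port"] = [bool]$hit
}

# Print one line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A passing firewall check covers only the Windows Defender Firewall on the server; an upstream router blocking port 80 can only be confirmed by connecting from outside the network.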