
Install SSL certificate on IIS

Install a free Let's Encrypt SSL certificate on IIS using win-acme.


Secure your IIS websites with a free SSL certificate from Let's Encrypt using win-acme (WACS), the Windows ACME client.

Prerequisites

  • IIS installed with your site configured
  • Domain pointing to your VPS IP (A record)
  • Port 80 open for HTTP validation

Step 1 — Download win-acme

powershell
# Create the install and download directories
New-Item -Path "C:\tools\win-acme" -ItemType Directory -Force
New-Item -Path "C:\temp" -ItemType Directory -Force

# Download the v2.2.9.1 release (check the releases page for a newer version)
Invoke-WebRequest -Uri "https://github.com/win-acme/win-acme/releases/download/v2.2.9.1/win-acme.v2.2.9.1.x64.pluggable.zip" -OutFile "C:\temp\win-acme.zip"

# Extract into the install directory
Expand-Archive -Path "C:\temp\win-acme.zip" -DestinationPath "C:\tools\win-acme"

Step 2 — Run win-acme

powershell
cd C:\tools\win-acme
.\wacs.exe

Follow the interactive prompts:

  1. Choose N — Create certificate (default settings)
  2. Choose 1 — Single binding of an IIS site
  3. Select your site from the list
  4. Enter your email for notifications
  5. Accept the terms of service

win-acme automatically:

  • Obtains the certificate from Let's Encrypt
  • Installs it in IIS
  • Creates an HTTPS binding
  • Schedules automatic renewal

Step 3 — Verify the certificate

Open your browser and navigate to https://mydomain.com (replace mydomain.com with your own domain). The browser should show a valid SSL certificate issued by Let's Encrypt.

Step 4 — Force HTTPS redirect

Install the IIS URL Rewrite module, then add this rule to your site's web.config:

xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Manual renewal

powershell
# --force renews even when the certificate is not yet due
C:\tools\win-acme\wacs.exe --renew --force

Check scheduled renewal

win-acme creates a scheduled task automatically. Verify:

powershell
Get-ScheduledTask -TaskName "win-acme*"

Troubleshooting

  • Validation failed: Ensure port 80 is open and the domain resolves to your VPS IP
  • IIS binding not found: Make sure your site has an HTTP binding with the correct hostname
  • Certificate not trusted: Clear browser cache or try incognito mode

Tip

win-acme handles renewal automatically every 55 days. Certificates are valid for 90 days, giving you a 35-day buffer. Monitor the scheduled task to ensure renewals succeed on your Baires Host VPS.
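
One way to monitor this, as an added example that is not part of the original guide or of win-acme: the script below classifies a certificate against the 55/90-day schedule described above, reads the certificate the server actually presents, and lists the result of the last scheduled renewal run. The function names are hypothetical and mydomain.com is the guide's placeholder host.

```powershell
# Added example, not win-acme's own code. 'mydomain.com' is the guide's placeholder host.
$RenewAfterDays = 55                                # from the guide: renewal interval
$LifetimeDays   = 90                                # from the guide: certificate lifetime
$BufferDays     = $LifetimeDays - $RenewAfterDays   # 35-day buffer

function Get-RenewalState {
    # Pure check: fewer days left than the buffer means a renewal was missed.
    param([datetime]$NotAfter, [datetime]$Now = (Get-Date))
    $daysLeft = [math]::Floor(($NotAfter - $Now).TotalDays)
    if     ($daysLeft -lt 0)           { $state = 'EXPIRED' }
    elseif ($daysLeft -lt $BufferDays) { $state = 'RENEWAL_OVERDUE' }
    else                               { $state = 'OK' }
    [pscustomobject]@{ NotAfter = $NotAfter; DaysLeft = $daysLeft; State = $state }
}

function Get-ServedCertificate {
    # Fetch the certificate the server presents on port 443.
    # Default validation stays on: an untrusted or expired chain throws.
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
}

# Constructed sample dates (no network needed) covering the three outcomes.
$now = [datetime]'2025-01-01'
foreach ($sample in '2025-03-20', '2025-01-20', '2024-12-25') {
    Get-RenewalState -NotAfter ([datetime]$sample) -Now $now
}

# Live check against the site; a failed handshake is reported, not ignored.
try {
    $cert = Get-ServedCertificate -HostName 'mydomain.com'
    Get-RenewalState -NotAfter $cert.NotAfter
} catch { Write-Warning "TLS check failed: $($_.Exception.Message)" }

# LastTaskResult 0 means the last scheduled renewal run succeeded.
Get-ScheduledTask -TaskName 'win-acme*' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```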

