Install Let’s Encrypt Certificate on Windows with Certbot

Let’s Encrypt provides free SSL/TLS certificates that are widely accepted by browsers and operating systems. The certificates chain to the Internet Security Research Group (ISRG) Root X1, ensuring a high level of trust. Certbot, a command-line tool developed in Python, makes it easy to request and renew these certificates from Let’s Encrypt. Although direct support for Windows was discontinued in February 2024, you can still use Certbot on Windows through the Windows Subsystem for Linux (WSL) 2. See How to install WSL2 on Windows Server.
This guide will walk you through the process of installing Certbot on WSL, validating your domain, issuing a certificate, and setting up automatic renewal.
Step 1: Install Certbot in the Windows Subsystem for Linux
First, enable WSL on your Windows machine and install a Linux distribution like Ubuntu from the Microsoft Store. Please see Various methods to install Windows Subsystem for Linux.
Launch the Ubuntu shell from the Windows Terminal.

Run the following commands to ensure your system is up to date:
sudo apt update

sudo apt upgrade

Install Certbot with the following command:
sudo apt install -y certbot

Step 2: Validate Your Domain
To validate your domain and request a certificate using Certbot, follow these steps:
Execute the following command to start the certificate request process. Replace <YOUR_DOMAIN> with your actual domain name:
sudo certbot -d <YOUR_DOMAIN> --manual --preferred-challenges dns certonly

Certbot will prompt you to enter an email address for urgent renewal and security notices. Provide your email address and press Enter.
Read the Terms of Service provided by Let’s Encrypt. You must agree to proceed. Type A and press Enter.
Certbot will ask if you are willing to share your email address with the Electronic Frontier Foundation (EFF). Type Y for Yes or N for No and press Enter.
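Certbot will prompt you to create a DNS TXT record to prove ownership of the domain. The record name is _acme-challenge.<YOUR_DOMAIN> and its value is the token Certbot displays. Follow the instructions provided by Certbot, and leave the Certbot prompt open while you add the record.

After adding the TXT record to your DNS zone, verify it from a second shell by querying the challenge name (not the bare domain):
nslookup -q=txt _acme-challenge.<YOUR_DOMAIN>
Once the DNS record is visible, press Enter in the Certbot prompt. Certbot then completes the validation and issues the certificate. The issued certificates will be saved in /etc/letsencrypt/live/<YOUR_DOMAIN>/.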
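The check above can be scripted so that you only continue in Certbot once the expected token is really published. This is an added example, not part of the original guide: the function names are hypothetical, the token is whatever value Certbot printed, and the parsing assumes the output format of the Linux nslookup shipped with Ubuntu.

```sh
#!/bin/sh
# Added example: confirm the DNS-01 TXT record is visible before pressing
# Enter in Certbot's manual prompt. Function names are hypothetical.

# Name Certbot asks you to create; a wildcard (*.example.com) uses the base domain.
challenge_name() {
  cn_domain=${1#\*.}
  printf '_acme-challenge.%s\n' "${cn_domain%.}"
}

# Read Linux nslookup output on stdin; print each TXT value without quotes.
txt_values() {
  sed -n 's/^.*[[:space:]]text = "\(.*\)"[[:space:]]*$/\1/p'
}

# Succeed only if the expected token is one of the published values.
# Several values can coexist at this name (base domain plus wildcard).
challenge_visible() {
  txt_values | grep -Fxq -- "$1"
}

# Poll a resolver until the token appears. Args: domain token [resolver] [tries]
wait_for_challenge() {
  wf_name=$(challenge_name "$1")
  wf_tries="${4:-10}"
  while [ "$wf_tries" -gt 0 ]; do
    if nslookup -q=txt "$wf_name" ${3:+"$3"} 2>/dev/null | challenge_visible "$2"; then
      echo "found: $wf_name"
      return 0
    fi
    wf_tries=$((wf_tries - 1))
    sleep 30
  done
  echo "not visible yet: $wf_name" >&2
  return 1
}

# Runs only when called with arguments, e.g.:
#   ./check-challenge.sh example.com TOKEN_FROM_CERTBOT 1.1.1.1
if [ "$#" -ge 2 ]; then
  wait_for_challenge "$@"
fi
```

Passing a public resolver as the third argument checks what the outside world sees rather than a local cache.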
Step 3: Automate Certificate Renewal
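Set up a cron job for automatic renewal. Certbot needs root to read /etc/letsencrypt, so open root's crontab:
sudo crontab -e
Add the following line to schedule Certbot to check for renewals twice a day:
0 */12 * * * /usr/bin/certbot renew -q
This command will quietly check for certificates that need renewal every 12 hours. Two caveats apply to this setup. A certificate issued with --manual cannot be renewed unattended unless an authentication script that creates the TXT record is supplied through --manual-auth-hook; without one, certbot renew fails for that certificate. Cron also only fires while the WSL distribution is running and its cron service has been started.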
Run a dry-run to ensure that the renewal process works correctly:
sudo certbot renew --dry-run
Step 4: Export Certificates for Use with IIS
For use with IIS or other Windows applications, export the certificate as a PFX file.
Open a root shell:
sudo -i
Navigate to the certificate directory:
cd /etc/letsencrypt/live/yourdomain.com
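Export the certificate. A password given on the command line is recorded in the shell history; if you omit the -password option, openssl prompts for the export password instead: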
openssl pkcs12 -export -out yourdomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:yourpassword
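Transfer the certificate to the Windows file system. The copy below takes the entire /etc/letsencrypt tree, including the private keys and the ACME account key, so restrict access to the destination folder; IIS itself only needs the .pfx file:
mkdir -p /mnt/c/Users/yourusername/letsencrypt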
cp -R /etc/letsencrypt/* /mnt/c/Users/yourusername/letsencrypt
Conclusion
By following these steps, you can easily install and manage Let’s Encrypt certificates on a Windows system using Certbot through WSL. This setup ensures your web services are secure and your certificates are always up-to-date, all while leveraging the power and convenience of Let’s Encrypt and Certbot.