Let’s Encrypt: Without Using Port 80 (Windows/IIS)

I wasn’t able to find quick and easy documentation for how to configure Let’s Encrypt with an ISP that blocks port 80. So, this is my attempt at hopefully saving you the time that I spent figuring it out for myself.

Unfortunately, I haven’t figured out how to automate updating my DNS TXT records just yet, so this will need to be done every quarter.

Also, this document was a quick write-up; I don't currently have time to make it look as clean as I would like. My apologies.

In my example, I am preparing a wildcard domain.

First, you will need to download the ZeroSSL Let’s Encrypt client.

Next, you will need to open IIS and begin the process of requesting a certificate.

Click on Your Server in the left bar.

Select Server Certificates under Management.

On the Actions panel, select Create Certificate Request.

Common Name : *.domain.com
(The rest of the info is up to you.)

Click Next.

Select RSA and 2048.
(Or whatever you want to use.)

Click Next.

Save a copy of the key to the location below.


Click Finish.

Update the command below with your domain and run it in an elevated PowerShell window.

.\le64.exe -key account.key -csr c:\cert\req.txt -csr-key domain.key -crt domain.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 2 -live

You will be prompted to update a TXT DNS record for _acme-challenge.domain.com.

(Note: this is not a new subdomain; you are just adding a TXT record to the DNS of domain.com.)

Example output from the command run above:

Host: _acme-challenge.domain.com, type: TXT, value: EDCerddvTxxxxxxxxx2alFy0_Ag8gDlSnMSzWC_ztI

Go to your DNS settings for your primary domain and add a TXT record with your value.

Update the command below with your domain and run it in a new PowerShell or Command Prompt window to verify that the DNS record is visible.

nslookup -q=TXT _acme-challenge.domain.com

When you get the TXT DNS entry you entered back, return to the original elevated PowerShell window and press Enter to finish generating your certificate.
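Because the ISP blocks port 80, the HTTP challenge cannot be used and the client is run with -handle-as dns. Let's Encrypt validates that challenge by querying the zone's authoritative name servers, so an answer from a caching resolver (the one nslookup uses by default) is not proof that the record has actually propagated. The script below is an added example, not part of the original write-up: it looks up the authoritative servers for the domain and polls each one until the expected TXT value appears. The domain, the expected value and the polling limits are placeholders to replace with your own.

```powershell
# Added example: wait for the _acme-challenge TXT record on every authoritative server
# before pressing Enter in the le64.exe window.
# Assumes the DnsClient module (Resolve-DnsName), present on Windows 8 / Server 2012 and later.
$Domain        = 'domain.com'                                  # placeholder: your base domain
$ExpectedValue = 'EDCerddvTxxxxxxxxx2alFy0_Ag8gDlSnMSzWC_ztI'  # placeholder: value printed by le64.exe
$Name          = "_acme-challenge.$Domain"

# Ask the zone's authoritative servers directly, as the Let's Encrypt validators do,
# so a stale cached answer from the ISP resolver cannot give a false "OK".
$Authoritative = (Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'NS' }).NameHost

function Test-AcmeTxtRecord {
    param([string]$RecordName, [string]$Expected, [string[]]$Servers)
    foreach ($ns in $Servers) {
        try {
            $answers = Resolve-DnsName -Name $RecordName -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'TXT' }
        } catch {
            Write-Warning "$ns : $($_.Exception.Message)"
            return $false
        }
        # Each TXT answer exposes its text in .Strings; several challenge records may coexist,
        # so check that the expected value is among them rather than that it is the only one.
        $values = @($answers | ForEach-Object { $_.Strings })
        if ($values -notcontains $Expected) {
            Write-Host "$ns : expected value not present yet (found: $($values -join ', '))"
            return $false
        }
        Write-Host "$ns : OK"
    }
    return $true
}

# Poll every 30 seconds for up to 10 minutes (placeholders); secondary name servers
# can lag the control-panel change by several minutes.
$deadline = (Get-Date).AddMinutes(10)
do {
    if (Test-AcmeTxtRecord -RecordName $Name -Expected $ExpectedValue -Servers $Authoritative) {
        Write-Host "All authoritative servers return the challenge value; press Enter in the le64.exe window."
        break
    }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
```

Run it in the second window while the elevated le64.exe window is waiting; only when every authoritative server answers OK is it safe to press Enter, otherwise the validation can fail and the challenge has to be repeated with a fresh value.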

You can now return to your DNS settings and remove the TXT entry if everything proceeded properly.

Return to IIS.

Click Complete Certificate Request under Actions.

Select the file that was generated.

(It is in the directory where you ran the Let's Encrypt client, and you may need to switch the file-type filter to *.* to see it.)

Set your friendly name to *.domain.com.

You may need to update bindings or create new sites to attach this SSL certificate properly.
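Since this has to be repeated every quarter, it helps to know which certificate IIS is actually serving and how long it has left. The snippet below is an added example, not part of the original write-up: it finds the certificate by the friendly name set above, confirms that the completed request was paired with its private key, lists the HTTPS bindings that use it, and flags it when renewal is due. It assumes the WebAdministration module that ships with IIS; the friendly name and the 30-day warning threshold are placeholders.

```powershell
# Added example: report the installed wildcard certificate, its bindings and days to expiry.
# Assumes IIS with the WebAdministration PowerShell module.
Import-Module WebAdministration

$FriendlyName = '*.domain.com'   # placeholder: the friendly name given in "Complete Certificate Request"

function Get-WildcardCertificateStatus {
    param([string]$Friendly, [int]$WarnDays = 30)
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object { $_.FriendlyName -eq $Friendly }
    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # HTTPS bindings reference the certificate by thumbprint (certificateHash).
        $bindings = Get-WebBinding -Protocol https |
                    Where-Object { $_.certificateHash -eq $cert.Thumbprint }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            # $false here means the request was not completed against the pending
            # key IIS created at "Create Certificate Request"; TLS will not work.
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            Bindings      = ($bindings | ForEach-Object { $_.bindingInformation }) -join '; '
            RenewSoon     = $daysLeft -le $WarnDays
        }
    }
}

Get-WildcardCertificateStatus -Friendly $FriendlyName | Format-List
```

An empty Bindings field means the certificate is installed but no site serves it yet, which is the case the last sentence above is about.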

PowerShell: Disabling and Moving Inactive Users

While this isn’t my cleanest work, it did the job fairly well.

Also, I assume you've already added the Active Directory module; I believe the command below will add it.

import-module activedirectory

This script will go through an OU, searching its contained OUs, find inactive users, then disable and move them into their own 'Disabled' sub-OU.

This comes in handy when you have a bunch of client sites that are organized and you want to maintain organization.

# Threshold for "inactive". LastLogonTimeStamp is stored as a FILETIME (Int64), so the
# comparison value is a FILETIME. The 90-day value is an assumption; the post does not define $time.
$time = (Get-Date).AddDays(-90).ToFileTime()

Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
    Echo "-------------------------------------------"
    Echo $i
    Echo "-------------------------------------------"
    # Enabled users anywhere under this OU whose last logon is older than $time
    ForEach ($xx in (Get-ADUser -SearchBase $i -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp)){
        Echo "Disabling User"
        Echo $xx.Name
        Disable-ADAccount -Identity $xx.ObjectGUID
        Echo "Moving User"
        # Target is the 'Disabled' sub-OU directly under the current OU
        $DisabledPart1 = "OU=Disabled,"
        $DisabledOU = $DisabledPart1+$i
        Move-ADObject -Identity $xx.ObjectGUID -TargetPath $DisabledOU
    }
    Echo "-------------------------------------------"
}

Below is a script that creates the ‘Disabled’ OUs.

Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
    echo $i
    # Creates OU=Disabled directly under each child OU (errors if it already exists)
    New-ADOrganizationalUnit -Name Disabled -Path $i -Description "Disabled Accounts" -PassThru
}

I combined everything into a PowerShell application, seen below, which can be downloaded here.

Note: This application will only search through enabled accounts.
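The two scripts above disable and move accounts as soon as they run, and the OU-creation script fails on a second run once the OUs exist. The function below is an added example, not the author's downloadable application: it combines both steps into a report-first version that lists the candidates with a readable last-logon date, creates the 'Disabled' sub-OU only when it is missing, and changes nothing unless -Commit is given (with -WhatIf still honoured). The SearchBase, the 90-day threshold and the report path are placeholders.

```powershell
# Added example: audit-first variant of the disable-and-move scripts above.
# Assumes the ActiveDirectory module and an account allowed to modify the target OUs.
Import-Module ActiveDirectory

function Invoke-InactiveUserCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = 'OU=MyOU,DC=mydomain,DC=local',   # placeholder
        [int]$InactiveDays  = 90,                                # placeholder
        [string]$ReportPath = "$env:TEMP\inactive-users.csv",    # placeholder
        [switch]$Commit
    )
    # lastLogonTimestamp is a FILETIME and is only replicated when it is more than about
    # 14 days stale, so the threshold is approximate and should never be set below 14 days.
    $cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTime()

    $report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel) {
        $ouDn       = $ou.DistinguishedName
        $disabledDn = "OU=Disabled,$ouDn"

        # Create the 'Disabled' sub-OU once; re-running must not fail or create duplicates.
        $exists = Get-ADOrganizationalUnit -LDAPFilter '(ou=Disabled)' -SearchBase $ouDn -SearchScope OneLevel
        if (-not $exists -and $Commit -and $PSCmdlet.ShouldProcess($disabledDn, 'Create OU')) {
            New-ADOrganizationalUnit -Name 'Disabled' -Path $ouDn -Description 'Disabled Accounts' | Out-Null
        }

        # Same selection as the original script: enabled users anywhere under this OU whose last
        # logon is older than the cutoff. Accounts that never logged on have no lastLogonTimestamp
        # and do not match '-lt'; the Created column makes brand-new accounts recognisable.
        $users = Get-ADUser -SearchBase $ouDn `
                    -Filter { lastLogonTimestamp -lt $cutoff -and enabled -eq $true } `
                    -Properties lastLogonTimestamp, whenCreated
        foreach ($u in $users) {
            $action = if ($Commit) { 'Disabled and moved' } else { 'Would disable and move' }
            if ($Commit -and $PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable and move to $disabledDn")) {
                Disable-ADAccount -Identity $u.ObjectGUID
                Move-ADObject   -Identity $u.ObjectGUID -TargetPath $disabledDn
            }
            [pscustomobject]@{
                ClientOU   = $ouDn
                SamAccount = $u.SamAccountName
                LastLogon  = [DateTime]::FromFileTime($u.lastLogonTimestamp)
                Created    = $u.whenCreated
                Action     = $action
            }
        }
    }

    # Keep the CSV: it is the audit trail of who was disabled, from where, and on what evidence.
    if ($report) { $report | Export-Csv -Path $ReportPath -NoTypeInformation }
    $report
}

# Dry run first; add -Commit once the report looks right (add -WhatIf to rehearse the changes).
Invoke-InactiveUserCleanup | Format-Table -AutoSize
```

Because the candidate list is written out before anything is changed, a mis-set SearchBase or threshold shows up as a suspicious report rather than as a wave of disabled accounts.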