Let’s Encrypt: Without Using Port 80 (Windows/IIS)

I wasn’t able to find quick and easy documentation for how to configure Let’s Encrypt with an ISP that blocks port 80. So, this is my attempt at hopefully saving you the time that I spent figuring it out for myself.

Unfortunately, I haven’t figured out how to automate updating my DNS TXT records just yet, so this will need to be done every quarter.

Also, this document was a quick write up, don’t currently have time to make it look as clean as I would like at the moment. My apologies.

In my example, I am preparing a wildcard domain.

First, you will need to download the ZeroSSL Let’s Encrypt client.

Next, you will need to open IIS and begin the process of requesting a certificate.

Click on Your Server in the left bar.

Select Server Certificates under Management.

On the Actions panel, select Create Certificate Request.

Common Name : *.domain.com
(The rest of the info is up to you.)

Click Next.

Select RSA and 2048.
(Or whatever you want to use.)

Click Next.

Save a copy of the key to the location below.


Click Finish.

Update the command below with your domain and run it in an elevated PowerShell window.

.\le64.exe -key account.key -csr c:\cert\req.txt - csr-key domain.key -crt domain.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 2 –live

You will be prompted to update a TXT DNS record for _acme-challenge.domain.com.

(Note, this is not a new sub-domain, you’re just updating the DNS of domain.com)

Example response from the command run above.

Host: _acme-challenge.domain.com, type: TXT, value: EDCerddvTxxxxxxxxx2alFy0_Ag8gDlSnMSzWC_ztI

Go to your DNS settings for your primary domain and add a TXT record with your value.

Update and run the command below in a new PowerShell or Command Prompt Window to verify the DNS record is appearing properly.

Nslookup –q=TXT _acme-challenge.domain.com

When you get the TXT DNS entry you entered back, return to the original elevated PowerShell window and press Enter to finish generating your certificate.

You can now return to your DNS settings and remove the TXT entry if everything proceeded properly.

Return to IIS.

Click Complete Certificate Request under Actions.

Select the file that was generated.

(It is where you ran your Let's Encrypt application, and you may need to switch to *.* to find it.)

Set your friendly name to *.domain.com.

You may need to update bindings or create new sites to attach this SSL certificate properly.

Published by

Kevin Herr

System Administrator

3 thoughts on “Let’s Encrypt: Without Using Port 80 (Windows/IIS)”

  1. Hi… Nice work! work’s perfectly….

    Can you have the script to auto renew the certificate?

    1. Apologies for the delay, lots of spam to filter through. I was unable to because most ISPs block the required ports and I don’t believe that I have any API access to my domain provider to automate the necessary processes.

Leave a Reply

Your email address will not be published. Required fields are marked *