Setup “Let’s Encrypt” for Apache in Windows VM

October 15, 2018

Let’s Encrypt is a free, automated, and open Certificate Authority.

Let’s Encrypt is an effort by the Internet Security Research Group (ISRG) to provide free SSL certificates, so that website owners are encouraged to serve their sites over HTTPS and gain the protection that encryption provides.

There are many benefits to enabling SSL encryption on a website, including protecting user information when users need to log in to the site and getting a higher ranking in Google Search.

If you currently run Apache (or a distribution such as XAMPP or WampServer) on Windows, hosted as a virtual machine on a cloud server, then this guide is for you.

(1) Download letsencrypt-win-simple from GitHub

We will use a third-party tool called letsencrypt-win-simple (GitHub link given below), which is built specifically for the Windows platform, since the official letsencrypt-auto script does not support Windows at the time of writing.

Download the latest version from the letsencrypt-win-simple release page here:

Download the zip file and extract it into your C:\ folder, so that once extracted it looks like “C:\letsencrypt-win-simple\”.

At the time of writing, the latest version was v1.9.12.0.


(2) Obtain an SSL certificate (Test Run)

Open the command prompt and navigate to the previous letsencrypt-win-simple folder.

cd C:\letsencrypt-win-simple

Then run the letsencrypt tool to generate a certificate for your domain in test mode. Certificates generated in test mode do not count against the rate limit.

letsencrypt.exe --manualhost <domain-name> --webroot <document-root> --test

Finally, replace <domain-name> with the actual domain name you want to create the certificate for, and replace <document-root> with the htdocs or www folder of your XAMPP/WAMP Apache installation.

For example:

letsencrypt.exe --manualhost <domain-name> --webroot "C:\xampp\htdocs" --test

If the certificate generation is successful, a message similar to the following will appear.

Authorizing Identifier <domain-name> Using Challenge Type http-01
 Writing challenge answer to <document-root>\.well-known/acme-challenge/<challenge-text>
 Answer should now be browsable at <document-root>/.well-known/acme-challenge/<challenge-text>
 Submitting answer
 Refreshing authorization
 Authorization Result: valid

Requesting Certificate
 Request Status: Created
 Saving Certificate to C:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\\<domain-name>-crt.der
 Saving Issuer Certificate to D:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\\ca-<hex>-crt.pem
 Saving Certificate to D:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\\<domain-name>-all.pfx

You can skip the rest of this section and go to Section 3 if your test generation was successful. In order to authorize itself, the letsencrypt tool answers the HTTP challenge from the Let’s Encrypt server by placing the challenge file under the /.well-known/ folder. Therefore, it is important that the .well-known folder is publicly accessible at http://<domain-name>/.well-known/.

A common problem for users of PHP or Python frameworks is that the framework redirects the root path of the domain URL to its own processing script, so the challenge file is never served.

In this case, you need to add an alias to your Apache configuration file, such as:

Alias /.well-known <domain-root>/.well-known

Replace <domain-root> accordingly. For example:

Alias /.well-known "C:/xampp/htdocs/.well-known"

Restart the Apache server and attempt the test generation above again.
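As an added pre-flight check (not part of the original post or of the letsencrypt-win-simple tool), the Python script below writes a random probe file where the tool will write its challenge answer, fetches it over plain HTTP the way the Let’s Encrypt server would, and classifies the failures this section and the test run above describe: a framework redirect that needs the /.well-known alias, or a --webroot that does not match Apache's document root. The domain and document root are values you supply; the probe file name is generated.

```python
import os
import secrets
import urllib.error
import urllib.request

def challenge_url(domain, token):
    """URL the Let's Encrypt server fetches for an http-01 challenge (plain HTTP, port 80)."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)

def write_probe(document_root, token, body):
    """Drop a probe file exactly where the tool writes its challenge answer."""
    folder = os.path.join(document_root, ".well-known", "acme-challenge")
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, token)
    with open(path, "w") as fh:
        fh.write(body)
    return path

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface redirects as errors instead of following them

def http_fetch(url):
    """GET url without following redirects; returns (status, body or Location header)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")

def diagnose(status, body, expected):
    """Map a fetch result to the failure modes the post describes."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if status in (301, 302, 303, 307, 308):
        return "redirected: the framework owns /, add the Alias for /.well-known"
    if status == 404:
        return "not found: --webroot does not match Apache's DocumentRoot"
    if status == 200:
        return "wrong body: a framework script answered instead of the file"
    return "unexpected HTTP %d" % status

def preflight(domain, document_root, fetch=http_fetch):
    """Write a random probe, fetch it as Let's Encrypt would, and classify the result."""
    token = secrets.token_urlsafe(16)
    body = "probe-" + token
    write_probe(document_root, token, body)
    status, got = fetch(challenge_url(domain, token))
    return diagnose(status, got, body)
```

Run preflight("<domain-name>", r"C:\xampp\htdocs") from the VM itself; anything other than "ok" tells you which of the two fixes in this section to apply before retrying the --test run.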

(3) Obtain an SSL certificate (Actual Run)

Only if your test generation has been successful, proceed to generate the actual certificate by removing the --test argument from the command.

letsencrypt.exe --manualhost <domain-name> --webroot <document-root>

The tool will ask you for some information; answer accordingly.

Below are the questions it asks and the answers you can give:

Screenshot: Necessary steps and options to choose when creating an SSL certificate
Screenshot: Providing the relevant details

Lastly, the tool will set up a scheduled task that runs every day at 9:00 AM. Let’s Encrypt certificates are issued with a validity of 90 days, and this task renews them within the 30 days before expiry, so you never have to worry about certificate expiry again.

From the output of the tool, note the path of the certificate file and the issuer certificate file.

(4) Configure Apache to use the SSL certificate

You need to configure an SSL-enabled virtual host for your domain name.

Refer to the Apache docs for XAMPP/WAMP on how to do that.

In XAMPP, httpd-vhosts.conf is located at C:\xampp\apache\conf\extra. In the virtual host configuration, specify the paths to the certificate file, the certificate key file, and the certificate chain (issuer certificate) file that you noted down from the output of the actual generation in Section 3 (not the test generation in Section 2).

It is also recommended that you redirect all HTTP traffic to the HTTPS site under the domain name of your certificate.

Here is an example of a partial Apache configuration. On the non-SSL virtual host:

<VirtualHost *:80>
    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://<domain-name>/$1 [NE,L,R=301]
</VirtualHost>

On the SSL virtual host:

<VirtualHost *:443>
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^<domain-name>$ [NC]
    RewriteRule ^/?(.*)$ https://<domain-name>/$1 [NE,L,R=301]

    # The alias must be present here too, so future renewals can answer the challenge
    Alias /.well-known C:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "C:/ProgramData/win-acme/"
    SSLCertificateKeyFile "C:/ProgramData/win-acme/"
    SSLCertificateChainFile "C:/ProgramData/win-acme/"
</VirtualHost>


The alias for the /.well-known path must be copied into the SSL virtual host because it is needed for future certificate renewals. Restart the Apache server so that the new configuration takes effect.
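As an added check (not from the original post), this Python script audits the text of a httpd-vhosts.conf for the points this section requires: the HTTP-to-HTTPS redirect in the :80 virtual host, SSLEngine and the three certificate directives in the :443 virtual host (each naming a file, not a folder), and the /.well-known alias copied into the :443 host. The sample configuration inside it is constructed; example.com and the C:/certs paths are assumptions.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", re.S | re.I)
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def vhosts(config_text):
    """Map listening port -> body text of each <VirtualHost *:port> block."""
    return {int(port): body for port, body in VHOST_RE.findall(config_text)}

def audit_vhosts(config_text):
    """Return findings for the vhost pair; an empty list means every check passed."""
    blocks = vhosts(config_text)
    https = blocks.get(443)
    if https is None:
        return ["no <VirtualHost *:443> block found"]
    findings = []
    if not re.search(r"^\s*RewriteRule\s+\S+\s+https://", blocks.get(80, ""), re.M):
        findings.append("port 80 vhost does not redirect to https")
    if not re.search(r"^\s*SSLEngine\s+on\b", https, re.M | re.I):
        findings.append("SSLEngine is not 'on' in the 443 vhost")
    for directive in CERT_DIRECTIVES:
        match = re.search(r'^\s*%s\s+"?([^"\r\n]+?)"?\s*$' % directive, https, re.M)
        if match is None:
            findings.append("%s is missing" % directive)
        elif match.group(1).endswith("/"):
            findings.append("%s names a folder, not a file" % directive)
    if not re.search(r"^\s*Alias\s+/\.well-known\s", https, re.M):
        findings.append("Alias /.well-known missing from 443 vhost; renewals will fail")
    return findings

# Constructed sample in the post's layout (example.com and C:/certs are assumptions).
SAMPLE_GOOD = """
<VirtualHost *:80>
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://example.com/$1 [NE,L,R=301]
</VirtualHost>
<VirtualHost *:443>
    Alias /.well-known "C:/xampp/htdocs/.well-known"
    SSLEngine on
    SSLCertificateFile "C:/certs/example.com-crt.pem"
    SSLCertificateKeyFile "C:/certs/example.com-key.pem"
    SSLCertificateChainFile "C:/certs/ca-crt.pem"
</VirtualHost>
"""
# Constructed sample with the two mistakes this section warns about.
SAMPLE_BAD = SAMPLE_GOOD.replace('    Alias /.well-known "C:/xampp/htdocs/.well-known"\n', "").replace(
    '"C:/certs/ca-crt.pem"', '"C:/certs/"')
```

Pass the contents of your own httpd-vhosts.conf to audit_vhosts() before restarting Apache; an empty list means the file matches the recipe above.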

(5) Opening the Ports in Windows Firewall on the Windows Virtual Machine

Search for Windows Firewall with Advanced Security and open it; it will look something like the screenshot below:

Click on Inbound Rules, and follow the steps below:

  • Click on New Rule in the right panel
  • Select Port, then hit Next
  • Select TCP and enter the specific port numbers 443,80
  • Allow the connection
  • Check Domain, Private and Public
  • Give the rule a name and click Finish
  • Then repeat the same steps under Outbound Rules and finish

Below are the screenshots to refer to:

(6) Opening the port in the cloud server’s security firewall

If you are using a cloud server to host your VM, go to its security rules and open port 443, since HTTPS is served on port 443.

If you are using a Google Cloud hosted Windows VM, you need to:

• Head to VPC Network

• Then click on Firewall Rules

• Create a firewall rule allowing access to ports 80 & 443 over TCP

• Set the IP range as

• Now head to your website; you will see it served over https

• Congratulations

If you are using Amazon AWS, you need to:

• Head to your respective EC2 instance

• Click on the Windows VM that is hosted there

• Select the Security link

• Click on the respective Inbound and Outbound rules and open the respective ports: 80, 443

• And make sure you add the destination IP range as
