How to Setup Let’s Encrypt for Apache on Windows

This guide will show you how to create your first Let’s Encrypt certificate for Apache running on Windows. Later guides will show you how to improve automatic renewal by automatically restarting Apache and how to add additional features such as a secure FTP server using the same certificate.

Download Win-ACME (WACS) – Formerly Known as letsencrypt-win-simple

The latest version of WACS at the time of writing is 2.1.14.1 and that is the version I’ll be using, but you should start with the newest available. There are a number of download variants; I’ll be using win-acme.v2.1.14.996.x64.pluggable.zip. Unzip the package to a folder that you won’t ever move and that you have write access to, e.g. “c:\wacs”.

Obtain a Certificate

You have the choice of obtaining either a live or a test certificate. Getting a test certificate the first time around is a good idea because there are some strict rate limits on the live servers (there are rate limits on the test servers too, but they are much more generous). To get a test certificate, open an administrator command prompt, change to the directory where you’ve unpacked WACS and run:

.\wacs.exe --test --verbose

If you want a live certificate just leave off the --test flag. The --verbose flag isn’t necessary, but it’s useful for seeing what is going on the first few times and doesn’t create all that much extra information. Note that the endpoints that the Win-acme application talks to are defined in the settings.json file. Enter M at the prompt to create a certificate with full options; this is needed to activate the PEM plugin that creates the PEM files Apache uses.

Choose manual input (option 2) for how to specify the list of domain names. Enter the domain name you want to create a certificate for. Just hit enter for the friendly name.

In order to get a certificate you need to prove that you own the domain the certificate will be created for. A DNS entry can be used but this doesn’t allow for automatic renewals since the verification needs to be carried out for each renewal and it’s different each time. I’ll select option 1 which will cause a folder to be created in the root of the website. It will ask you for the path that it should store the file under. Select N when it asks if it should copy the default web.config. Note you can’t use the from memory option (option number 2) with Apache as it doesn’t support the side by side serving of files that Win-acme can provide (IIS does apparently).

Next you need to specify what type of key you want to create. Choose option 2 for an RSA key.

Since we want to create a certificate for Apache we need to now select option 2 to create a PEM encoded file. You will then be asked where you want to store the file. Select an appropriate secure location on disk. Then choose option 5 to select no additional storage steps.

You are now asked what should happen after the certificate has been saved. For now we’ll choose option 4, no additional steps, but see below for how to make Win-acme restart Apache on renewal.

The first time around Win-acme will then ask you to accept the terms of service. Press N to prevent the PDF opening. Enter your email address to be notified of any problems.

Win-acme will then attempt to create a folder called “.well-known” in the root of your website which is used to prove you own the domain. It will ask if you want to try and browse this proof in your default browser; select N. If you are having trouble with validation, browsing this file can be a quick way of proving it’s reachable from the outside world.

If the remote certification servers can access your domain ownership proof, the certificate will be created and you’ll be asked if you want to install it (save it in this case). Choose Y. Win-acme will then save the PEM files to your chosen location and remove the .well-known directory.

You’ll now be asked if you want to automatically renew with these settings; choose Y. When asked if the task should run with a specific user, select Y, as it needs to run under an account with administrator permissions. You can change the settings for this task later as you would for any other task.

The certificate is now created and the automatic renewal task in place. You can quit the Win-acme application from the main menu.
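The "appropriate secure location" chosen for the PEM files can be checked once the key has been written. The PowerShell below is an added example, not part of the original guide or of Win-acme; the key path is a placeholder, and the list of groups treated as too broad is an assumption you can adjust.

```powershell
# Added example. Placeholder path: the key file win-acme wrote to the
# location you chose in the PEM store step.
$KeyFile = 'C:\path-to-certs\www.example.com-key.pem'

function Get-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Well-known SIDs of groups that should not be able to read a TLS private key.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the key file and the folder that holds it.
$findings = @(Get-BroadAccess -Path $KeyFile) +
            @(Get-BroadAccess -Path (Split-Path -Parent $KeyFile))
if ($findings.Count -eq 0) {
    'No broad Allow entries on the key file or its folder.'
} else {
    $findings | Format-Table -AutoSize
}
```

A finding with Inherited set to True comes from a parent folder, so that is where the permission needs to be tightened. The accounts that run Apache and the renewal task still need access to the folder.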

Configure Apache to Use the Certificates

Open httpd.conf and uncomment the following lines (note, they aren’t all found together in the config file) and then restart Apache:

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

The first one loads the SSL module which is required for secure connections. The last one loads the virtual host that handles the SSL site. I’m not entirely sure what the middle one does, it’s something to do with secure sessions. If you forget to uncomment the middle one you get the cryptic error message:

AH00526: Syntax error on line 93 of C:/somepath/Apache24/conf/extra/httpd-ssl.conf:     .

You now need to make some changes in httpd-ssl.conf. Start by defining a CERTROOT variable at the top of the file. We do this because we aren’t storing our PEM files in the default location under the server root. Then within the virtual host update the shown settings to point at the key and the correct document root. Note that I have a DOCROOT variable set up in my httpd.conf file that points to a non-standard location for my website. Note the SSLCertificateFile points at the chain file and the SSLCertificateKeyFile points at the key file.

Define CERTROOT "path-to-certs"
....
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "${DOCROOT}/mywebsiteroot"
....
    SSLEngine on
    SSLCertificateFile "${CERTROOT}/www.example.com-chain.pem"
    SSLCertificateKeyFile "${CERTROOT}/www.example.com-key.pem"
</VirtualHost>

You should now be able to access your site using HTTPS. Since this is a certificate with a fake root (well, it’s a real root, it’s just not trusted), the browser will issue a warning, but everything else should work correctly.

Manual and Forced Certificate Renewal

When you interactively acquired the certificate, one of the options was to install a job to automatically renew the certificate, as shown below:

[--test] Do you want to automatically renew this certificate? (y*/n) - yes

[INFO] Adding Task Scheduler entry with the following settings
[INFO] - Name win-acme renew (acme-staging-v02.api.letsencrypt.org)
[INFO] - Path C:\somepath\wacs
[INFO] - Command wacs.exe --renew --baseuri "https://acme-staging-v02.api.letsencrypt.org/"
[INFO] - Start at 09:00:00
[INFO] - Time limit 02:00:00

This will create a job in the Windows Task Scheduler called “win-acme renew…” which, by default, will run at 9AM every day. The command it will run will be something like this:

wacs.exe --renew --baseuri "https://acme-staging-v02.api.letsencrypt.org/"

Note that on a live system it either won’t specify the baseuri or it will point at the live servers; here it is pointing at the test servers.

If you want to manually renew the certificate you can just run the above command at an administrator command prompt. If you want to force the renewal you need to add the --force option; this will cause the certificate to renew even if it’s not at or past the renewal date.

wacs.exe --renew --force --baseuri "https://acme-staging-v02.api.letsencrypt.org/"

The results of this command look like this:

Apache won’t pick up the new certificate until it is restarted; this is something I’ll address in a later post. After a quick restart, though, you should find that the browser now gets a different certificate to the one it had before (check the certificate thumbprint).

Note, after my first automated certificate refresh I checked the certificate in the browser and to my dismay it reported the old certificate even though Apache was apparently running with the new certificate. I tried restarting Apache but the browser still reported the old certificate. Eventually I tried a Shift-F5 refresh in the browser and wouldn’t you know it the new certificate appeared. It seems the browser (well Chrome at least) will cache a valid certificate.
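The thumbprint check can be done without a browser, which takes browser caching out of the picture. The PowerShell below is an added example, not part of the original guide or of Win-acme; the host name and PEM path are placeholders, and it assumes the server certificate is the first block in the chain file, as Apache's SSLCertificateFile expects.

```powershell
# Added example. Placeholders: set these to your own host and chain file.
$HostName = 'www.example.com'
$ChainPem = 'C:\path-to-certs\www.example.com-chain.pem'

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any chain: a --test certificate has an untrusted root, and we
        # only want to read the leaf here, not to trust the connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Get-LeafFromPem {
    param([string]$Path)
    $text = Get-Content -Raw -LiteralPath $Path
    # The first CERTIFICATE block is taken to be the server (leaf) certificate.
    $m = [regex]::Match($text, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----',
        [System.Text.RegularExpressions.RegexOptions]::Singleline)
    if (-not $m.Success) { throw "No CERTIFICATE block found in $Path" }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}

function Compare-ServedToDisk {
    param([string]$HostName, [string]$ChainPem)
    $served = Get-ServedCertificate -HostName $HostName
    $onDisk = Get-LeafFromPem -Path $ChainPem
    [pscustomobject]@{
        ServedThumbprint = $served.Thumbprint
        DiskThumbprint   = $onDisk.Thumbprint
        ServedNotAfter   = $served.NotAfter
        DiskNotAfter     = $onDisk.NotAfter
        ApacheIsCurrent  = ($served.Thumbprint -eq $onDisk.Thumbprint)
    }
}

Compare-ServedToDisk -HostName $HostName -ChainPem $ChainPem | Format-List
```

If ApacheIsCurrent is False after a renewal, Apache is still serving the certificate it loaded at its last start and needs a restart.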

Automatically Restarting Apache on Certificate Renewal

As mentioned above, Apache won’t automatically pick up a new certificate when it’s renewed; it requires a restart. Fortunately, Win-acme has the ability to perform this function by letting you run a script after the certificate has been renewed.

Start by creating a folder for certificate scripts; I usually make it a peer of the folders that contain my certificates. In there create a file called “ApacheRestart.bat” and add just the following line:

net stop "Apache2.4" & sc start "Apache2.4"

Next, on the step where Win-acme asks you what it should do after the certificate is created, rather than choosing option 4 for no additional steps, choose option 3 to specify a script to run. Enter the full path to the ApacheRestart.bat script you created and hit enter. Win-acme will then ask what parameters you want to pass to this script; in this case we don’t need any, so just hit enter again.

Win-acme now asks if you want to add another installation step, select option 4 for no additional installation steps. Note, if you are adding this step after you’ve already created a certificate then you’ll be asked if you want to overwrite the existing certificate, select Y.

At the end of the certificate creation process you’ll now see the restart script run.
