The following HowTo was written predating https://github.com/Neilpang/acme.sh and https://commaster.net/content/how-setup-lets-encrypt-apache-windows pages.
Online installation on my server failed due to the missing crontab utility. So, to install acme.sh, download the full package as a zip file from github.com, unpack the acme.sh file to a temporary directory and run it:
D:\tmp>sh acme.sh --install --accountemail "you@youremailaddress.com" --force
It is recommended to install crontab first.
We need to set cron job to renew the certs automatically.
Otherwise, your certs will not be able to be renewed automatically.
It is recommended to install nc first, try to install 'nc' or 'netcat'.
We use nc for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to D:/HOME/DEFAULT/.acme.sh
Installed to D:/HOME/DEFAULT/.acme.sh/acme.sh
No profile is found, you will need to go into D:/HOME/DEFAULT/.acme.sh to use acme.sh
crontab doesn't exist, so, we can not install cron jobs.
All your certs will not be renewed automatically.
You must add your own cron job to call 'acme.sh --cron' everyday.
Good, bash is found, so change the shebang to use bash as prefered.
Ignore the errors about cron and nc. We'll set up cron later, and nc is not needed for our purpose. "--accountemail" is the email address used to register the account with Let's Encrypt, and domain renewal notices are sent there. The default is empty, but setting it is handy. See "sh acme.sh --help" for a list of all the available options.
We assume that the Apache web server is serving http, not just https, and that the document root directory is d:/var/www. The script needs to know the Apache document root path because, at issue/renew time, it creates a temporary directory named /.well-known/acme-challenge/ there.
D:\home\default\.acme.sh>sh acme.sh --issue -d www.yourdomain.org -w /var/www --debug
config file is empty, can not read CA_KEY_HASH
Creating account key
Creating domain key
Getting domain auth token for each domain
Getting webroot for domain='www.yourdomain.org'
Getting new-authz for domain='www.yourdomain.org'
Try new-authz for the 0 time.
The new-authz request is ok.
chown: gruppo non valido: "root:UNKNOWN"
Verify finished, start to sign.
... [here you will see the just created certificate]
Your cert is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/www.yourdomain.org.cer
Your cert key is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/www.yourdomain.org.key
The intermediate CA cert is in D:/HOME/DEFAULT/.acme.sh/www.yourdomain/ca.cer
And the full chain certs is there: D:/HOME/DEFAULT/.acme.sh/www.yourdomain.org/fullchain.cer
The "--debug" parameter helps to see what's happening if something goes wrong. If you get a "Key divisible by small prime" error while registering the account, just delete the .acme.sh directory and rerun everything. In my experience, running the process a second or third time always fixes it. Have a look at account.conf if you want to enable the log file, which will in any case be useful later to verify that cron works as expected.
Following is an extract from my Apache configuration file:
ServerAdmin you@youremailaddress.com
SSLProtocol all -SSLv2
Please note the three lines starting with "SSLCertificate...". The certificate paths given in the following command line must match them:
D:\home\default\.acme.sh>sh acme.sh --installcert -d www.yourdomain.org --certpath "D:/etc/letsencrypt/cert.pem" --keypath "D:/etc/letsencrypt/key.pem" --fullchainpath "D:/etc/letsencrypt/fullchain.pem" --reloadcmd "D:/CMD/apache_restart.cmd"
As you can imagine, D:/CMD/apache_restart.cmd is a simple script that restarts Apache, so that the new certificate is loaded. This parameter is optional, as you can obviously restart Apache manually, but automating it is quite handy when certificate renewal time comes.
You don't need to renew the certs manually. All the certs will be renewed automatically every 60 days. However, you can also force the renewal of any cert:
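The configuration extract above does not show the three "SSLCertificate..." lines, so here is an added fragment (not the author's configuration) with directives that line up with the --installcert paths. The VirtualHost address, the SSLEngine line, the mapping of fullchain.pem to SSLCertificateChainFile and the stricter SSLProtocol value are assumptions.

```apache
# Added example, not the author's configuration file.
# Assumed: the VirtualHost address/port and the directive-to-file mapping.
<VirtualHost *:443>
    ServerName www.yourdomain.org
    # Document root used in the HowTo (d:/var/www)
    DocumentRoot "D:/var/www"

    SSLEngine on

    # Setting from the extract. "all -SSLv2" still permits SSLv3 (where the
    # OpenSSL build offers it) as well as TLS 1.0 and TLS 1.1:
    #   SSLProtocol all -SSLv2
    # Stricter alternative that leaves only TLS 1.2 and newer enabled.
    # Very old clients will no longer connect.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # These three paths must be identical to the ones passed to
    # "acme.sh --installcert", because acme.sh copies the renewed files
    # there before it runs the --reloadcmd script.
    #   --certpath      -> SSLCertificateFile
    #   --keypath       -> SSLCertificateKeyFile
    #   --fullchainpath -> SSLCertificateChainFile (assumed mapping)
    SSLCertificateFile      "D:/etc/letsencrypt/cert.pem"
    SSLCertificateKeyFile   "D:/etc/letsencrypt/key.pem"
    SSLCertificateChainFile "D:/etc/letsencrypt/fullchain.pem"

    # On Apache 2.4.8 and later SSLCertificateChainFile is deprecated.
    # There the chain line can be dropped and SSLCertificateFile pointed
    # at fullchain.pem instead:
    #   SSLCertificateFile "D:/etc/letsencrypt/fullchain.pem"
</VirtualHost>
```

The key file should be readable only by the account that runs Apache and by the account that runs acme.sh.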
D:\home\default\.acme.sh>sh acme.sh --renew -d www.yourdomain.org --force
Create a daily cron job to check and renew the cert when needed:
The acme.sh script is under development, so it's strongly recommended to use the latest code.
I have not yet had occasion to test it, but the following command should update acme.sh to the latest code:
You can also enable auto upgrade:
acme.sh --upgrade --auto-upgrade
If all the above works for you, please consider donating to support the Let's Encrypt project: https://letsencrypt.org/
This work is licensed under a Creative Commons Attribution 4.0 International License.