Preparation
The PRTG Administrator Tool (the Windows desktop application on the PRTG server) is your friend here.
Go to Custom Configuration and set the web server port to 444. Any free port other than 80 and 443 will do; 444 is what the rest of this page assumes.
You cannot use port 80 because win-acme's http-01 (SelfHosting) validation has to answer on it, at initial issuance and at every renewal.
You cannot use port 443 because when win-acme installs into IIS it adds its own *:443 binding for the host name, which collides with PRTG. The first run below, which accepted the defaults, does exactly that.
PRTG does not pick up a renewed certificate by itself, so a third-party post-renewal script does the copying into PRTG's cert folder and restarts the core server.
Automatic renewal via the win-acme scheduled task will ask for the Administrator username and password if you choose to run the task as that account instead of the default SYSTEM account. Whatever account you pick needs write access to PRTG's cert folder and the right to restart the PRTG core server service.
PRTG keeps a listener on port 80 that redirects to its TLS port (444 here), which blocks http-01 validation at renewal time. Either stop PRTG around each renewal and start it again afterwards, or tell PRTG to give up port 80 with the registry value below (see the Paessler KB articles):
https://kb.paessler.com/en/topic/5373-prtg-blocks-port-80-although-i-m-using-ssl-on-port-443-how-to-free-port-80
https://kb.paessler.com/en/topic/61967-prtg-keeps-using-port-80-for-keep-alive-and-interferes-with-the-web-server-on-80
64-bit Windows: HKLM\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
There, create a new DWORD value with the name:
NoSSLRedirect and a value of 1, then restart the PRTG core server service so the setting takes effect.
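The same preparation step as a script, with the check a practitioner wants before running wacs.exe: that nothing is actually left listening on TCP/80. This is an added example written for this page, not something from Paessler or win-acme. It assumes 64-bit Windows (the Wow6432Node path above) and that the PRTG core server runs as the Windows service PRTGCoreService; run it from an elevated PowerShell on the PRTG server.

```powershell
# Added example: free port 80 for win-acme's http-01 SelfHosting validation by
# setting PRTG's NoSSLRedirect flag, then verify the port is really free.
# Assumptions: 64-bit Windows (Wow6432Node key from the page), PRTG core server
# service is named 'PRTGCoreService'. Must run elevated.
$key = 'HKLM:\SOFTWARE\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver'

# Create the key if PRTG has not written it yet, then set NoSSLRedirect = 1 (DWORD).
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'NoSSLRedirect' -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output ("NoSSLRedirect is now {0}" -f (Get-ItemProperty -Path $key).NoSSLRedirect)

# The value is read at startup, so the core server has to be restarted once.
Restart-Service -Name 'PRTGCoreService'
# Give the web server a moment to come up before looking at its listeners.
Start-Sleep -Seconds 10

# Check: nothing may be listening on TCP/80 before wacs.exe runs. If something
# still is, report which process owns it, because that is what will break
# validation (PRTG with the redirect still active, IIS, another web server...).
$listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("Port 80 still held by PID {0} ({1}) on {2}" -f `
            $l.OwningProcess, $p.ProcessName, $l.LocalAddress)
    }
    exit 1
}
Write-Output 'Port 80 is free; run wacs.exe now.'
```

If the check fails with PRTG as the owner, the registry value did not take effect (wrong hive on a 32-bit install, or the service did not actually restart); if another process owns the port, win-acme will fail validation no matter what PRTG does.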
Download Win ACME:
https://www.win-acme.com/
As of this writing the latest version is 2.2.9.1701:
https://github.com/win-acme/win-acme/releases/download/v2.2.9.1701/win-acme.v2.2.9.1701.x64.trimmed.zip
Extract it to C:\win-acme
Use Explorer to navigate there.
Run wacs.exe as an administrator (it needs to bind port 80 for validation and to write to the certificate store).
Before continuing, read the PRTG documentation on using your own certificate. The post-renewal script used below is:
https://github.com/andyzib/LetsEncrypt-PRTG/blob/master/win-acme/WACSPost-PRTG.ps1
Save it as C:\win-acme\WACSPost-PRTG.ps1, which is the path the second run below points win-acme at.
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (4 currently due)
A: Manage renewals (4 total, 4 in error)
O: More options…
Q: Quit
Please choose from the menu: N
Running in mode: Interactive, Simple
Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan *all* websites.
2: prtg.example.com (1 binding)
Site identifier(s) or <Enter> to choose all: 2
1: prtg.example.com (Site 2)
Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.
P: Pick bindings based on a search pattern
A: Pick *all* bindings
Binding identifiers(s) or menu option: A
1: prtg.example.com (Site 2)
Continue with this selection? (y*/n) – yes
Source generated using plugin IIS: prtg.example.com
Existing renewal: [IIS] prtg.example.com, (any host) – 1 renewal, due now, 1019 errors
Overwrite settings? (y*/n) – yes
Overwriting previously created renewal
Plugin IIS generated source prtg.example.com with 1 identifiers
Plugin Single created 1 order
Source change in order Main detected
Renewing [IIS] prtg.example.com, (any host)
Cached order has status invalid, discarding
[prtg.example.com] Authorizing…
[prtg.example.com] Authorizing using http-01 validation (SelfHosting)
[prtg.example.com] Authorization result: valid
Downloading certificate [IIS] prtg.example.com, (any host)
Store with CertificateStore…
Installing certificate in the certificate store
Adding certificate [IIS] prtg.example.com, (any host) @ 2025/1/8 in store WebHosting
Adding certificate CN=R11, O=Let’s Encrypt, C=US in store CA
Installing with IIS…
Adding new https binding *:443:prtg.example.com
Committing 1 https binding changes to IIS while updating site 2
Scheduled task points to different location for .exe and/or working directory
Scheduled task exists but does not look healthy
Do you want to replace the existing task? (y/n*) – no
Next renewal due after 2025/3/4
Certificate [IIS] prtg.example.com, (any host) created
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (3 currently due)
A: Manage renewals (4 total, 3 in error)
O: More options…
Q: Quit
Please choose from the menu: M
Running in mode: Interactive, Advanced
Source plugin IIS not available: No IIS sites detected.
Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.
1: Read bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort
How shall we determine the domain(s) to include in the certificate?: <Enter>
Description: A host name to get a certificate for. This may be a
comma-separated list.
Host: prtg.example.com
Source generated using plugin Manual: prtg.example.com
Friendly name ‘[Manual] prtg.example.com’. <Enter> to accept or type desired name: <Enter>
By default your source identifiers are covered by a single certificate. But
if you want to avoid the 100 domain limit, want to prevent information
disclosure via the SAN list, and/or reduce the operational impact of a single
validation failure, you may choose to convert one source into multiple
certificates, using different strategies.
1: Separate certificate for each domain (e.g. *.example.com)
2: Separate certificate for each host (e.g. sub.example.com)
3: Separate certificate for each IIS site
4: Single certificate
C: Abort
Would you like to split this source into multiple certificates?: 4
The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
https://github.com/win-acme/win-acme/.
1: [http] Save verification files on (network) path
2: [http] Serve verification files from memory
3: [http] Upload verification files via FTP(S)
4: [http] Upload verification files via SSH-FTP
5: [http] Upload verification files via WebDav
6: [dns] Create verification records manually (auto-renew not possible)
7: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns] Create verification records with your own script
9: [tls-alpn] Answer TLS verification request from win-acme
C: Abort
How would you like to prove ownership for the domain(s)?: <Enter>
After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.
1: Elliptic Curve key
2: RSA key
C: Abort
What kind of private key should be used for the certificate?: <Enter>
When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).
1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps
How would you like to store the certificate?: 2
Description: .pem files are exported to this folder.
File path: C:\win-acme
Description: Password to set for the private key .pem file.
1: None
2: Type/paste in console
3: Search in vault
Choose from the menu: 1
1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps
Would you like to store it in another way too?: <Enter>
Installation plugin IIS not available: No IIS sites detected.
With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.
1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps
Which installation step should run first?: 2
Description: Path to script file to run after retrieving the
certificate. This may be any executable file or a
Powershell (.ps1) script.
File: C:\win-acme\WACSPost-PRTG.ps1
{CertCommonName}: Common name (primary domain name)
{CachePassword}: .pfx password
{CacheFile}: .pfx full path
{CertFriendlyName}: Certificate friendly name
{CertThumbprint}: Certificate thumbprint
{StoreType}: Type of store (e.g. CentralSsl, CertificateStore,
PemFiles, …)
{StorePath}: Path to the store
{RenewalId}: Renewal identifier
{OldCertCommonName}: Common name (primary domain name) of the previously
issued certificate
{OldCertFriendlyName}: Friendly name of the previously issued certificate
{OldCertThumbprint}: Thumbprint of the previously issued certificate
{vault://json/mysecret}: Secret from the vault
Description: Parameters for the script to run after retrieving the
certificate. Refer to
https://win-acme.com/reference/plugins/installation/script
for further instructions.
Parameters: -CertCommonName prtg.example.com -StorePath C:\win-acme -StoreType PemFiles -RestartPRTGCoreService
1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps
Add another installation step?: <Enter>
Plugin Manual generated source prtg.example.com with 1 identifiers
Plugin Single created 1 order
Using cache. To force a new order within 1 days, run with --nocache. Beware that you might run into rate limits.
Downloading certificate [Manual] prtg.example.com
Store with PemFiles…
Exporting .pem files to C:\win-acme
Installing with Script…
Script C:\win-acme\WACSPost-PRTG.ps1 starting with parameters -CertCommonName prtg.example.com -StorePath C:\win-acme -StoreType PemFiles -RestartPRTGCoreService
Script finished
Scheduled task points to different location for .exe and/or working directory
Scheduled task exists but does not look healthy
Do you want to replace the existing task? (y/n*) – yes
Deleting existing task win-acme renew (acme-v02.api.letsencrypt.org) from Windows Task Scheduler.
Adding Task Scheduler entry with the following settings
– Name win-acme renew (acme-v02.api.letsencrypt.org)
– Path C:\win-acme
– Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
– Start at 09:00:00
– Random delay 04:00:00
– Time limit 02:00:00
Do you want to specify the user the task will run as? (y/n*) – yes
Enter the username (Domain\username): Administrator
Enter the user’s password: ************
Adding renewal for [Manual] prtg.example.com
Next renewal due after 2025/3/4
Certificate [Manual] prtg.example.com created
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (3 currently due)
A: Manage renewals (5 total, 3 in error)
O: More options…
Q: Quit
Please choose from the menu:
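The second run above hands the renewed certificate to a post-renewal script with -CertCommonName, -StorePath, -StoreType and -RestartPRTGCoreService. Below is an added example of such a hook, written for this page; it is not the linked WACSPost-PRTG.ps1 and not code from Paessler or win-acme, though it accepts the same four parameters so it can be dropped into the same installation step. It assumes that win-acme's PemFiles store names its output <name>-crt.pem, <name>-key.pem and <name>-chain-only.pem, that PRTG reads prtg.crt, prtg.key and root.pem from the cert folder under its installation directory, and that the core server is the Windows service PRTGCoreService. Check all three against your own C:\win-acme and PRTG folders before pointing win-acme at it.

```powershell
# Added example: post-renewal hook for win-acme's "Start external script or
# program" step. Not the WACSPost-PRTG.ps1 script from the page; it takes the
# same parameters the session passes. Assumptions (verify on your install):
#  - win-acme PemFiles store writes <name>-crt.pem, <name>-key.pem and
#    <name>-chain-only.pem into $StorePath
#  - PRTG reads prtg.crt, prtg.key and root.pem from '<PRTG dir>\cert' and the
#    core server is the Windows service 'PRTGCoreService'
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CertCommonName,
    [Parameter(Mandatory)] [string] $StorePath,
    [string] $StoreType = 'PemFiles',
    [switch] $RestartPRTGCoreService,
    [string] $PrtgCertDir = (Join-Path ${env:ProgramFiles(x86)} 'PRTG Network Monitor\cert')
)
$ErrorActionPreference = 'Stop'

if ($StoreType -ne 'PemFiles') {
    throw "This hook only handles the PemFiles store type, got '$StoreType'."
}

# Map win-acme's output files to the names PRTG expects.
$map = @{
    "${CertCommonName}-crt.pem"        = 'prtg.crt'
    "${CertCommonName}-key.pem"        = 'prtg.key'
    "${CertCommonName}-chain-only.pem" = 'root.pem'
}
foreach ($src in $map.Keys) {
    if (-not (Test-Path (Join-Path $StorePath $src))) {
        throw "Expected win-acme output '$src' not found in $StorePath."
    }
}

# Sanity-check the new certificate before touching PRTG: it must parse, be
# issued for the requested name (subject or SAN) and not already be expired.
$crtPath = Join-Path $StorePath "${CertCommonName}-crt.pem"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtPath
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is already expired." }
if (-not ($cert.Subject -like "*CN=$CertCommonName*")) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($CertCommonName))) {
        throw "Certificate is not issued for $CertCommonName (subject: $($cert.Subject))."
    }
}

# Keep a backup of the files PRTG is currently using so a bad copy can be rolled back.
$backup = Join-Path $PrtgCertDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup -Force | Out-Null
foreach ($dst in $map.Values) {
    $existing = Join-Path $PrtgCertDir $dst
    if (Test-Path $existing) { Copy-Item $existing $backup }
}

# Install: copy the PEM files under PRTG's names. PRTG needs the private key
# unencrypted, which is why the session set no password on the .pem files;
# restrict the ACL on $StorePath and $PrtgCertDir instead of relying on obscurity.
foreach ($src in $map.Keys) {
    Copy-Item (Join-Path $StorePath $src) (Join-Path $PrtgCertDir $map[$src]) -Force
}
Write-Output "Installed $($cert.Thumbprint) (expires $($cert.NotAfter)) into $PrtgCertDir"

# PRTG only loads the certificate at startup, so restart the core server and
# confirm it came back, otherwise the renewal "succeeded" with a dead web UI.
if ($RestartPRTGCoreService) {
    Restart-Service -Name 'PRTGCoreService'
    $svc = Get-Service -Name 'PRTGCoreService'
    if ($svc.Status -ne 'Running') { throw "PRTGCoreService did not come back up: $($svc.Status)" }
    Write-Output 'PRTGCoreService restarted.'
}
```

Run it once by hand with the exact parameters from the session (-CertCommonName prtg.example.com -StorePath C:\win-acme -StoreType PemFiles -RestartPRTGCoreService) before trusting the scheduled task with it. win-acme runs the script as the scheduled task's account, so that account needs write access to PRTG's cert folder and permission to restart the service. Because C:\win-acme ends up holding the unencrypted prtg.example.com-key.pem, lock that folder down to Administrators and the task account; anyone who can read it can impersonate the PRTG web UI until the certificate is revoked.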