WIN-ACME Installation to get Let’s Encrypt on PRTG

Preparation

The PRTG Administrator Tool Windows desktop application is your friend here.

Go to Custom Configuration and choose port 444.

You cannot use port 80 because it will be used by Let’s Encrypt.

You cannot use port 443 because Let’s Encrypt / Win-Acme will add a 443 binding messing with you.

The PRTG software isn’t maintained anymore so you’ll need a third party script to do much of the certificate copying.

Automatic scheduling via WinACME will need the Administrator username and password.

PRTG automatically redirects port 80 to 444, which means you're very stuffed for renewal: without the registry change below you'd have to disable PRTG and then re-enable it again every time.

https://kb.paessler.com/en/topic/5373-prtg-blocks-port-80-although-i-m-using-ssl-on-port-443-how-to-free-port-80

https://kb.paessler.com/en/topic/61967-prtg-keeps-using-port-80-for-keep-alive-and-interferes-with-the-web-server-on-80

On 64-bit Windows the key is: HKLM\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver

There, create a new DWORD value named NoSSLRedirect with a value of 1.
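An added example (not from the post or from Paessler) that sets the value above from an elevated PowerShell prompt and then checks that port 80 is actually free for the http-01 challenge. It assumes a 64-bit PRTG install (the Wow6432Node path above), that the core service is named PRTGCoreService, and that a restart of that service is needed before the webserver lets go of port 80.

```powershell
# Added example: create NoSSLRedirect=1 and verify PRTG has released port 80.
# Assumptions: 64-bit install path, service name PRTGCoreService, restart required.
$regPath = 'HKLM:\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver'

if (-not (Test-Path $regPath)) {
    throw "PRTG webserver registry key not found at $regPath"
}

# Create (or overwrite, via -Force) the DWORD value the post describes.
New-ItemProperty -Path $regPath -Name 'NoSSLRedirect' -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back instead of trusting the write.
$value = (Get-ItemProperty -Path $regPath -Name 'NoSSLRedirect').NoSSLRedirect
if ($value -ne 1) { throw "NoSSLRedirect is $value, expected 1" }

# Assumption: PRTG only re-reads the webserver settings when the core service restarts.
Restart-Service -Name 'PRTGCoreService'

# win-acme's http-01 self-hosting needs port 80 at every renewal, not just today.
$listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $owner = (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Warning "Port 80 is still held by PID $($listener.OwningProcess) ($owner)"
} else {
    Write-Output 'Port 80 is free; NoSSLRedirect=1 is set'
}
```

If the warning fires and the owning process is PRTG, the value was written to the wrong hive (a 32-bit install has no Wow6432Node in the path); if it is something else, that process also has to move off port 80 before renewals will work.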

Download Win ACME:

https://www.win-acme.com/

As of this writing the latest version is 2.1.9.1

https://github.com/win-acme/win-acme/releases/download/v2.2.9.1701/win-acme.v2.2.9.1701.x64.trimmed.zip

Extract it to C:\win-acme

Use Explorer to navigate there.

Run wacs.exe

Before continuing, read the PRTG documentation or use AI. Use this script:

https://github.com/andyzib/LetsEncrypt-PRTG/blob/master/win-acme/WACSPost-PRTG.ps1

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (4 currently due)
A: Manage renewals (4 total, 4 in error)
O: More options…
Q: Quit

Please choose from the menu: N

Running in mode: Interactive, Simple

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan *all* websites.

2: prtg.example.com (1 binding)

Site identifier(s) or <Enter> to choose all: 2

1: prtg.example.com (Site 2)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick *all* bindings

Binding identifiers(s) or menu option: A

1: prtg.example.com (Site 2)

Continue with this selection? (y*/n) – yes

Source generated using plugin IIS: prtg.example.com

Existing renewal: [IIS] prtg.example.com, (any host) – 1 renewal, due now,
1019 errors

Overwrite settings? (y*/n) – yes

Overwriting previously created renewal

Plugin IIS generated source prtg.example.com with 1 identifiers
Plugin Single created 1 order
Source change in order Main detected
Renewing [IIS] prtg.example.com, (any host)
Cached order has status invalid, discarding
[prtg.example.com] Authorizing…
[prtg.example.com] Authorizing using http-01 validation (SelfHosting)
[prtg.example.com] Authorization result: valid
Downloading certificate [IIS] prtg.example.com, (any host)
Store with CertificateStore…
Installing certificate in the certificate store
Adding certificate [IIS] prtg.example.com, (any host) @ 2025/1/8 in store WebHosting
Adding certificate CN=R11, O=Let’s Encrypt, C=US in store CA
Installing with IIS…
Adding new https binding *:443:prtg.example.com
Committing 1 https binding changes to IIS while updating site 2
Scheduled task points to different location for .exe and/or working directory
Scheduled task exists but does not look healthy

Do you want to replace the existing task? (y/n*) – no

Next renewal due after 2025/3/4
Certificate [IIS] prtg.example.com, (any host) created

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (3 currently due)
A: Manage renewals (4 total, 3 in error)
O: More options…
Q: Quit

Please choose from the menu: M

Running in mode: Interactive, Advanced
Source plugin IIS not available: No IIS sites detected.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: <Enter>

Description: A host name to get a certificate for. This may be a
comma-separated list.

Host: prtg.example.com

Source generated using plugin Manual: prtg.example.com

Friendly name ‘[Manual] prtg.example.com’. <Enter> to accept or type desired name: <Enter>

By default your source identifiers are covered by a single certificate. But
if you want to avoid the 100 domain limit, want to prevent information
disclosure via the SAN list, and/or reduce the operational impact of a single
validation failure, you may choose to convert one source into multiple
certificates, using different strategies.

1: Separate certificate for each domain (e.g. *.example.com)
2: Separate certificate for each host (e.g. sub.example.com)
3: Separate certificate for each IIS site
4: Single certificate
C: Abort

Would you like to split this source into multiple certificates?: 4

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
https://github.com/win-acme/win-acme/.

1: [http] Save verification files on (network) path
2: [http] Serve verification files from memory
3: [http] Upload verification files via FTP(S)
4: [http] Upload verification files via SSH-FTP
5: [http] Upload verification files via WebDav
6: [dns] Create verification records manually (auto-renew not possible)
7: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns] Create verification records with your own script
9: [tls-alpn] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: <Enter>

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: <Enter>

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

How would you like to store the certificate?: 2

Description: .pem files are exported to this folder.

File path: C:\win-acme

Description: Password to set for the private key .pem file.

1: None
2: Type/paste in console
3: Search in vault

Choose from the menu: 1

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

Would you like to store it in another way too?: <Enter>

Installation plugin IIS not available: No IIS sites detected.

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Which installation step should run first?: 2

Description: Path to script file to run after retrieving the
certificate. This may be any executable file or a
Powershell (.ps1) script.

File: C:\win-acme\WACSPost-PRTG.ps1

{CertCommonName}: Common name (primary domain name)
{CachePassword}: .pfx password
{CacheFile}: .pfx full path
{CertFriendlyName}: Certificate friendly name
{CertThumbprint}: Certificate thumbprint
{StoreType}: Type of store (e.g. CentralSsl, CertificateStore,
PemFiles, …)
{StorePath}: Path to the store
{RenewalId}: Renewal identifier
{OldCertCommonName}: Common name (primary domain name) of the previously
issued certificate
{OldCertFriendlyName}: Friendly name of the previously issued certificate
{OldCertThumbprint}: Thumbprint of the previously issued certificate
{vault://json/mysecret}: Secret from the vault

Description: Parameters for the script to run after retrieving the
certificate. Refer to
https://win-acme.com/reference/plugins/installation/script
for further instructions.

Parameters: -CertCommonName prtg.example.com -StorePath C:\win-acme -StoreType PemFiles -RestartPRTGCoreService
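To show what a post-install step with these parameters has to do, here is an added, minimal script of my own; it is not the post's script and not andyzib's WACSPost-PRTG.ps1 linked above. It assumes that win-acme's PemFiles store writes `<host>-crt.pem`, `<host>-key.pem` and `<host>-chain-only.pem` into the store path, that PRTG reads `prtg.crt`, `prtg.key` and `root.pem` from its `cert` folder under the default install directory, and that the core service is named PRTGCoreService.

```powershell
# Added example, not the post's or andyzib's script. Accepts the same parameters
# win-acme passes in the transcript: -CertCommonName, -StorePath, -StoreType, -RestartPRTGCoreService.
param(
    [Parameter(Mandatory)] [string] $CertCommonName,
    [Parameter(Mandatory)] [string] $StorePath,
    [string] $StoreType = 'PemFiles',
    [switch] $RestartPRTGCoreService,
    # Assumption: default PRTG install location for the cert folder.
    [string] $PrtgCertDir = 'C:\Program Files (x86)\PRTG Network Monitor\cert'
)

$ErrorActionPreference = 'Stop'

if ($StoreType -ne 'PemFiles') {
    throw "This script only handles -StoreType PemFiles (got '$StoreType')"
}

# Assumed win-acme PemFiles output names mapped to the file names PRTG expects.
$files = @{
    "$CertCommonName-crt.pem"        = 'prtg.crt'
    "$CertCommonName-key.pem"        = 'prtg.key'
    "$CertCommonName-chain-only.pem" = 'root.pem'
}

foreach ($src in $files.Keys) {
    if (-not (Test-Path (Join-Path $StorePath $src))) {
        throw "Expected $src in $StorePath; check the PemFiles path and host name"
    }
}

# PRTG needs the plain PEM key, which is why the transcript chose 'None' for the
# key password. Refuse to install an encrypted key rather than break the webserver.
$keyText = Get-Content (Join-Path $StorePath "$CertCommonName-key.pem") -Raw
if ($keyText -match 'ENCRYPTED') {
    throw 'Private key is password protected; re-run win-acme with no key password'
}

# Sanity-check the leaf certificate before touching PRTG's files.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    (Join-Path $StorePath "$CertCommonName-crt.pem")
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($leaf.NotAfter -lt (Get-Date)) {
    throw "Certificate $($leaf.Thumbprint) is already expired ($($leaf.NotAfter))"
}
if ($dnsName -ne $CertCommonName) {
    throw "Certificate is for '$dnsName', not '$CertCommonName'"
}

# Keep a timestamped copy of what PRTG was serving so a bad copy can be rolled back.
$backup = Join-Path $PrtgCertDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $PrtgCertDir -File | Copy-Item -Destination $backup

foreach ($src in $files.Keys) {
    Copy-Item (Join-Path $StorePath $src) (Join-Path $PrtgCertDir $files[$src]) -Force
}

if ($RestartPRTGCoreService) {
    # PRTG only picks up the new files after the core service restarts.
    Restart-Service -Name 'PRTGCoreService'
}
Write-Output "Installed $($leaf.Thumbprint) (valid to $($leaf.NotAfter)) into $PrtgCertDir"
```

Note that the private key is written unencrypted into both the win-acme store path and the PRTG cert folder, so both directories should be readable only by Administrators and the PRTG service account.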

1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Add another installation step?: <Enter>

Plugin Manual generated source prtg.example.com with 1 identifiers
Plugin Single created 1 order
Using cache. To force a new order within 1 days, run with --nocache. Beware that you might run into rate limits.
Downloading certificate [Manual] prtg.example.com
Store with PemFiles…
Exporting .pem files to C:\win-acme
Installing with Script…
Script C:\win-acme\WACSPost-PRTG.ps1 starting with parameters -CertCommonName prtg.example.com -StorePath C:\win-acme -StoreType PemFiles -RestartPRTGCoreService
Script finished
Scheduled task points to different location for .exe and/or working directory
Scheduled task exists but does not look healthy

Do you want to replace the existing task? (y/n*) – yes

Deleting existing task win-acme renew (acme-v02.api.letsencrypt.org) from Windows Task Scheduler.
Adding Task Scheduler entry with the following settings
- Name win-acme renew (acme-v02.api.letsencrypt.org)
- Path C:\win-acme
- Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
- Start at 09:00:00
- Random delay 04:00:00
- Time limit 02:00:00

Do you want to specify the user the task will run as? (y/n*) – yes

Enter the username (Domain\username): Administrator

Enter the user’s password: ************
Adding renewal for [Manual] prtg.example.com
Next renewal due after 2025/3/4
Certificate [Manual] prtg.example.com created
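Once the task exists, two things are worth checking: which account the task really runs as (the transcript gave it the Administrator password), and which certificate PRTG actually serves on the port chosen in Preparation. This is an added check, not part of the post; it assumes the task name shown in the transcript and PRTG listening on port 444 under the host name used above.

```powershell
# Added check: inspect the win-acme renewal task and the certificate PRTG serves.
# Assumptions: task name from the transcript, PRTG on port 444 for prtg.example.com.
$taskName = 'win-acme renew (acme-v02.api.letsencrypt.org)'
$task = Get-ScheduledTask -TaskName $taskName
$info = $task | Get-ScheduledTaskInfo
Write-Output ('Task runs as {0}; last run {1}, result 0x{2:X}; next run {3}' -f
    $task.Principal.UserId, $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime)

function Get-ServedCertificate {
    param([string] $HostName, [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate in the callback: we only inspect it, we do not trust it.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

$served = Get-ServedCertificate -HostName 'prtg.example.com' -Port 444
Write-Output ('PRTG serves {0}, issuer {1}, expires {2}' -f $served.Subject, $served.Issuer, $served.NotAfter)
if ($served.NotAfter -lt (Get-Date).AddDays(30)) {
    # Run from C:\win-acme; --force renews even when win-acme thinks nothing is due.
    Write-Warning 'Served certificate expires within 30 days; run wacs.exe --renew --force and re-check'
}
```

A non-zero LastTaskResult, or an issuer that is still the PRTG self-signed one after a renewal, means the post-install script did not run or did not restart the core service; the win-acme log in C:\win-acme shows which.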

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (3 currently due)
A: Manage renewals (5 total, 3 in error)
O: More options…
Q: Quit

Please choose from the menu:
