Here's what I needed to do to get the LetsEncrypt client working on IIS (8.5)

  1. Manually create the well-known folder which is required for Lets-Encyrpt to validate your domain. Create this in the root of your site - e.g. C:\inetpub\wwwroot\.well-known
    (apparently you should create the folder with a trailing '.', e.g. .well-known. – windows will then remove last period)

  2. Add web.config file to the .well-known folder with the following content, this ensures that the page is served correctly as static content and isn't run as a script, it also ensures that this particular folder isn't trying to use any form of Windows authentication :

<?xml version="1.0" encoding="UTF-8"?>
  <validation validateIntegratedModeConfiguration="false" />
   <mimeMap fileExtension=".*" mimeType="text/plain" />
   <mimeMap fileExtension="." mimeType="text/plain" />
   <clear />
   <add name="StaticFile" path="*" verb="*" type=""    modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  1. Run [LetsEncrypt Windows client]( (my version is letsencrypt-win-simple.V1.9.6.1). When running I chose manual set up (item 4 on menu) and entered my domain name (so for here that would be and directory path (c:\inetpub\wwwroot), the client should be able to validate your domain and issue your certificate.

  2. You will now need to sort out the bindings if you weren't using SSL before this - open IIS Manager, click on your site from the list and select **Bindings...** on the right. Add https on Port 443, if you only have one site leave the rest blank and click OK. Best to leave http/Port 80 running and use URL Redirect to redirect users to the SSL version.

  3. You will also need to choose the certificate that was created, I think this is done by clicking your server name in IIS Manager and going to Server Certificates.

  4. The certificate will last 3 months and the Let-Encrypt client should auto-renew, I'm not sure how automated this will be - on linux automated renewal works pretty seemlessly)