With letsencrypt-win-simple it’s easy to install Let’s encrypt certificate on IIS or Apache. But because PRTG uses it’s own web server, procedure is quite different.
- letsencrypt-win-simple – https://github.com/Lone-Coder/letsencrypt-win-simple/releases
- PRTG Certificate Importer – https://www.paessler.com/tools/certificateimporter
- IIS or other web server
At first, download letsencrypt-win-simple and PRTG Certificate Importer and unpack letsencrypt-win-simple .zip archive to some folder (e.g. to C:\letsencrypt-win-simple).
Because PRTG web server doesn’t allow hosting any custom pages, you need to setup a different web server on the same domain on port 80. At first, create a website in IIS with same domain name as your PRTG server uses (e.g. prtg.mata.com.hr), and point to some folder (e.g. C:\inetpub\wwwroot). Location of this folder is irrelevant, you don’t need to point to PRTG webroot folder. If you start IIS site now, you’ll probably get this error:
Even if your PRTG is configured for HTTPS and listen on port 443, it also listens on port 80 by default (hint: knowledge base). So stop the Core Server by click on Stop Core Server in Service Start/Stop tab in PRTG Administration Tool.
Go to Web Server tab and choose Secure HTTPS Server option. Click Save & Close.
Then start the IIS site and be sure it can be accessed from Internet. Now start letsencrypt.exe.
Choose N: Create new certificate, and then 4: Manually input host names. Enter desired hostnames (e.g. prtg.mata.com.hr), then location to your web site root folder (e.g. C:\inetpub\wwwroot) and press Enter. Letsencrypt.exe will create file in .well-known\acme-challenge\<some_random_hash>. Be sure you can access it from the Internet by opening it in your browser: (e.g. prtg.mata.com.hr/.well-known/acme-challenge/<some_random_hash>). By default, IIS doesn’t know how to open files without extension, so add this MIME Type in your site in IIS:
If letsencrypt can reach the file, it will create certificate and put it in the C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org folder. You should find this three files which represents certificate:
There will be also <domain_name>-all.pfx which is easiest to import in Windows.
Now you can stop IIS site and start PRTG Server by clicking on Start Core Server in Service Start/Stop tab in PRTG Administration Tool.
Then open PRTGCertImporter.exe.
If you have imported .pfx you can pick certificate from Windows Certificate Store or paste certificate from <domain_name>-crt.pem file. Click Next Step and paste Private key from <domain_name>-key.pem.
Click Next Step. You should see this:
Now click Finish and confirm to restart PRTG Server. Wait until PRTG Server restarts and that’s it.
By default, letsencrypt.exe will create task in Task Scheduler to autorenew certificate. Although it’s a useful option, it will not work as well. Remember, we stop the IIS server, so letsencrypt can’t access hash in .well-known/acme-challenge/ folder. On the other side, you have to manually import certificate in PRTG. Option is to turn off PRTG listener on port 80 (hint: knowledge base), but then PRTG will be available only with https:// in URL.2