12 Oct 2017

Let’s Encrypt certificate for PRTG on Windows Server

With letsencrypt-win-simple it’s easy to install a Let’s Encrypt certificate on IIS or Apache. But because PRTG uses its own web server, the procedure is quite different.

Prerequisites

  1. letsencrypt-win-simple – https://github.com/Lone-Coder/letsencrypt-win-simple/releases
  2. PRTG Certificate Importer – https://www.paessler.com/tools/certificateimporter
  3. IIS or other web server

First, download letsencrypt-win-simple and PRTG Certificate Importer, then unpack the letsencrypt-win-simple .zip archive to a folder (e.g. C:\letsencrypt-win-simple).

Because the PRTG web server doesn’t allow hosting any custom pages, you need to set up a different web server on the same domain on port 80. First, create a website in IIS with the same domain name your PRTG server uses (e.g. prtg.mata.com.hr), and point it to some folder (e.g. C:\inetpub\wwwroot). The location of this folder is irrelevant; you don’t need to point it to the PRTG webroot folder. If you start the IIS site now, you’ll probably get this error:

[Screenshot: IISerror]

Even if your PRTG is configured for HTTPS and listens on port 443, it also listens on port 80 by default (hint: knowledge base). So stop the Core Server by clicking Stop Core Server in the Service Start/Stop tab of the PRTG Administration Tool.

[Screenshot: Stop PRTG Core Server]

Go to the Web Server tab and choose the Secure HTTPS Server option. Click Save & Close.

[Screenshot: prtghttps]

Then start the IIS site and make sure it can be accessed from the Internet. Now start letsencrypt.exe.

[Screenshot: letsencrypt]

Choose N: Create new certificate, and then 4: Manually input host names. Enter the desired host names (e.g. prtg.mata.com.hr), then the location of your web site root folder (e.g. C:\inetpub\wwwroot), and press Enter. Letsencrypt.exe will create a file in .well-known\acme-challenge\<some_random_hash>. Make sure you can access it from the Internet by opening it in your browser (e.g. prtg.mata.com.hr/.well-known/acme-challenge/<some_random_hash>). By default, IIS doesn’t know how to serve files without an extension, so add this MIME type to your site in IIS:

[Screenshot: addmimetype]

If letsencrypt can reach the file, it will create the certificate and put it in the C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org folder. You should find these three files, which represent the certificate:

<domain_name>-crt.der
<domain_name>-crt.pem
<domain_name>-key.pem

There will also be <domain_name>-all.pfx, which is the easiest to import into Windows.

Now you can stop the IIS site and start the PRTG Server by clicking Start Core Server in the Service Start/Stop tab of the PRTG Administration Tool.

Then open PRTGCertImporter.exe.

[Screenshot: prtgcertimporter]

If you have imported the .pfx, you can pick the certificate from the Windows Certificate Store, or paste the certificate from the <domain_name>-crt.pem file. Click Next Step and paste the private key from <domain_name>-key.pem.

[Screenshot: prtgcertimporter]

Click Next Step. You should see this:

[Screenshot: prtgcertimporter]

Now click Finish and confirm the restart of the PRTG Server. Wait until the PRTG Server restarts, and that’s it.

Before end

By default, letsencrypt.exe creates a task in Task Scheduler to auto-renew the certificate. Although it’s a useful option, it will not work here. Remember, we stopped the IIS server, so letsencrypt can’t access the hash in the .well-known/acme-challenge/ folder. On top of that, you have to manually import the certificate into PRTG. One option is to turn off the PRTG listener on port 80 (hint: knowledge base), but then PRTG will be available only with https:// in the URL.
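
Because the scheduled renewal cannot complete in this setup and every new certificate has to be imported into PRTG by hand, it helps to check periodically what PRTG actually serves. The script below is an added example, not part of the original post: it defaults to the post's example host name and output folder, and the 21-day threshold and the function name Get-ServedCertificate are assumptions.

```powershell
# Added example, not from the original post. Defaults are the post's example host
# and output folder; the 21-day warning threshold is an assumption.
param(
    [string]$HostName = 'prtg.mata.com.hr',
    [string]$CertDir  = 'C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org',
    [int]$WarnDays    = 21
)

function Get-ServedCertificate {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect the certificate
        # (even an expired one), not to trust the connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Name)   # also sends the host name as SNI
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$served   = Get-ServedCertificate -Name $HostName
$daysLeft = [math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)

# Compare with the certificate letsencrypt-win-simple wrote to disk, if present.
$derPath = Join-Path $CertDir "${HostName}-crt.der"
$onDiskThumbprint = $null
if (Test-Path -LiteralPath $derPath) {
    $onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($derPath)
    $onDiskThumbprint = $onDisk.Thumbprint
}

[pscustomobject]@{
    Host             = $HostName
    Subject          = $served.Subject
    NotAfter         = $served.NotAfter
    DaysLeft         = $daysLeft
    ServedThumbprint = $served.Thumbprint
    OnDiskThumbprint = $onDiskThumbprint
}

if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate served by $HostName expires in $daysLeft day(s); renew and re-import it into PRTG."
}
if ($onDiskThumbprint -and $onDiskThumbprint -ne $served.Thumbprint) {
    Write-Warning "PRTG serves a different certificate than ${HostName}-crt.der; the file on disk has not been imported."
}
```

A thumbprint mismatch means a certificate was issued but never imported with PRTGCertImporter.exe; a low DaysLeft with matching thumbprints means the renewal itself did not happen.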


6 Responses

  1. Mike

    How did you fix your issue Jerin?

    I attempted the original steps and accepted the terms of service for letsencrypt and it says it failed and didn’t have permission. I wonder if this is the issue he ran into. Maybe it’s a folder rights permission. I’m not entirely sure.

    Thanks,
