In short
You can install a free Let's Encrypt SSL certificate on IIS by using win-acme on a Raff Windows VPS. The clean workflow is: confirm IIS is installed, make sure the IIS site has a real hostname binding, point DNS to the VPS, open ports 80 and 443, run win-acme, let it create the HTTPS binding, and verify the automatic renewal task. Do not start with certificate issuance. Start with IIS, DNS, and firewall.
Quick verdict
| Situation | What to do |
|---|---|
| IIS site already works over HTTP | Proceed to DNS and win-acme validation |
| Site only has blank IIS bindings | Add a hostname binding first |
| DNS still points to old server | Fix DNS before requesting the certificate |
| Port 80 is closed | Open HTTP first; Let's Encrypt HTTP-01 validation needs it |
| Port 443 is closed | Open HTTPS before final browser testing |
| win-acme is in Downloads | Move it to a permanent folder such as C:\Tools\win-acme |
| Renewal task is missing | Recreate or repair the win-acme renewal setup |
The certificate setup is usually simple, but only after DNS, firewall, and IIS bindings are correct.
What we tested on Raff
We tested the IIS and win-acme preparation workflow on a Raff Windows VPS running Windows Server with IIS installed.

Test environment:
| Item | Value |
|---|---|
| Provider | Raff Technologies |
| OS | Windows Server 2025 Datacenter Evaluation |
| Web server | IIS 10 |
| ACME client | win-acme 2.2.9.1701 |
| Validation method | HTTP-01 / IIS workflow |
| Test date | 2026-05-26 |
| Tester | Serdar Tekin |
In the lab, we verified:
- IIS installed and running
- IIS bindings visible from PowerShell
- Windows Firewall rules for HTTP and HTTPS
- win-acme downloaded and running
- win-acme connection to Let's Encrypt
- the expected certificate creation and IIS binding flow
Some certificate creation screenshots in this guide are illustrative examples. In production, use your real hostname and verify DNS before requesting a certificate.
What you'll need
- A Raff Windows VPS with Windows Server 2022 or Windows Server 2025
- Local administrator access over RDP
- IIS installed with at least one working site
- A public domain or subdomain, such as
app.example.com - DNS access for that domain
- TCP 80 and TCP 443 open in Windows Firewall
- Latest win-acme x64 build
- 30-45 minutes for the first setup
This guide assumes the IIS site already works over plain HTTP before you request the certificate.
Step 1 - Confirm IIS is installed
Open PowerShell as Administrator.
Get-WindowsFeature -Name Web-Server Get-Service W3SVC
Expected result:
Web-Server Installed W3SVC Running
If IIS is not installed, install it:
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Then confirm the IIS service is running:
Get-Service W3SVC
If you are hosting ASP.NET Core, install the .NET Hosting Bundle before certificate setup.
Step 2 - Confirm the site has IIS bindings
win-acme reads IIS bindings. Check current bindings:
Import-Module WebAdministration Get-WebBinding | Select-Object protocol, bindingInformation

A blank binding looks like this:
http *:80: https *:443:
For Let's Encrypt, a hostname-specific binding is better:
http *:80:app.example.com https *:443:app.example.com
If your site has no hostname binding, add one:
New-WebBinding -Name "Default Web Site" -Protocol http -Port 80 -HostHeader "app.example.com"
Replace:
Default Web Site
with your IIS site name, and replace:
app.example.com
with your real hostname.
Verify again:
Get-WebBinding -Name "Default Web Site" | Select-Object protocol, bindingInformation
Do not continue until the IIS site has the hostname you plan to secure.
Step 3 - Point DNS to your Raff VPS
In your DNS provider, create or verify this record:
| Type | Name | Value |
|---|---|---|
| A | app | Your Raff VPS public IP |
Then verify DNS from the server:
Resolve-DnsName app.example.com

You can also verify from your local computer:
nslookup app.example.com
The returned IP must match the public IP shown in your Raff dashboard.
Do not continue if DNS still points to the old server. Let's Encrypt will validate the hostname you request. If DNS points somewhere else, validation fails or validates the wrong machine.
Step 4 - Open ports 80 and 443
HTTP validation needs port 80 reachable from outside. HTTPS traffic needs port 443 reachable from outside.
Enable the built-in IIS firewall rules:
Enable-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)" Enable-NetFirewallRule -DisplayName "World Wide Web Services (HTTPS Traffic-In)"
Confirm the rules are enabled:
Get-NetFirewallRule -DisplayName "World Wide Web Services (*Traffic-In)" | Select-Object DisplayName, Enabled, Direction, Action

Expected result:
World Wide Web Services (HTTP Traffic-In) True Inbound Allow World Wide Web Services (HTTPS Traffic-In) True Inbound Allow
From your local machine, test port 80 before requesting the certificate:
Test-NetConnection app.example.com -Port 80
Expected result:
TcpTestSucceeded : True
If this returns False, fix firewall, DNS, or IIS before running win-acme.



