Building a FREE Windows-based web server — with a Let's Encrypt SSL certificate in AWS


Why are you doing this?

A client asked me to help with some enterprise software in Amazon Web Services (AWS). I haven't touched Windows Server in anger for over a decade and really never imagined I ever would again. This is despite long ago being one of the first Microsoft Certified Systems Engineers in the UK. My certification has long expired and I have absolutely no intention of taking it again but this is an interesting project in an industry vertical I know well, with people I really like. So I thought I'd build out my own private Windows Server infrastructure on AWS first, in order to see what I was letting myself in for.

What I was able to do

  • Set up a FREE tier eligible AWS account with a new domain name and email address.
  • Install Windows Server 2019 in an Amazon EC2 instance, securely.
  • Install Internet Information Server, Microsoft's venerable web server.
  • Add a Let's Encrypt SSL certificate, trusted and supported by all major browsers.
  • Set the Let's Encrypt SSL certificate to auto renew through a scheduled task.
  • Replace Internet Explorer (IE) with Chrome as the default browser on the Server because IE is so utterly unusable now that it is laughable that it is provided with Windows Server at all.

TL;DR — It is relatively simple to set up a FREE Windows Server based web server with a Let's Encrypt SSL certificate in AWS. There are a few hurdles to jump over, but once you get past them it works fine.


Before you start

If you want to try this you should be aware that you can get a FREE year of AWS Amazon Elastic Compute Cloud (EC2) by signing up for AWS with a new account. The EC2 instance you can build and run for free is not going to win any prizes for Windows Server performance but it can run 24x7 for free for a year and is perfectly good enough to test out your Windows Server administration skills. (See links below for details of what is free tier eligible).

Installation and testing

Create your AWS environment

The first thing you need to do is create a nice new AWS account in order to take advantage of a free 750 hours per month of EC2 for 12 months offer. If you have had an existing AWS account for more than 12 months you can't do this so it is worth spending the time to set up a new one. It is pretty simple to do. Just create a new domain name, with a working email address at your favourite webhost, and use it to sign up for AWS. Once you have signed up you have everything you need to get going in a low cost test environment.

Now that you have your new AWS account set up, you can deploy a Windows Server Amazon Machine Image (AMI) into an instance type that is supported by the free tier. The AWS console clearly identifies these instances. They are either t2.micro or t3.micro instances, depending on the region. Choose wisely, otherwise your Windows Server AWS costs will end up on your credit card bill!

Install Windows Server 2019 in an Amazon EC2

  • Once you have created your account you can visit the AWS console.
  • I created a regular user in addition to the root user and added the user to a group with full access to Amazon EC2, and nothing else.
  • I then made sure my user is set for multi-factor authentication (MFA) using a USB security key - I chose a YubiKey USB-C security key.
  • In the AWS console, type EC2 in the search bar (you can click the star to add it as a favourite so you can easily load it again). Load the EC2 management console. From here you can choose an AMI from the Applications and OS images section.
    Screenshot of AWS Console 'Launch an instance' page highlighting the 'free tier eligible' Windows Server 2019 Amazon Machine Instance
  • Click 'Windows' and scroll through the quick starts until you find the AMI you wish to try. I need Windows Server 2019 for this installation. Note that it is 'free tier eligible' only if you choose a t2.micro instance in my particular AWS region.
  • Click 'Launch Instance'
  • In a short while your instance will be running. Select the instance in the console and click 'Actions --> Connect'.
    Screenshot of EC2 Console showing how to connect to an instance.
  • You will need to decrypt the password, or already have previously done so. Download the remote desktop shortcut and double click on it to open a connection to your new Windows Server.
    Screenshot showing how to download a Microsoft Remote Desktop (RDP) connection profile which will enable you to connect to your new server's Windows user interface.

Install Internet Information Server

  • IIS doesn't seem to have really changed for decades. Our Windows Server is a full installation so just run 'Server Manager', choose 'Add roles and features', skip the 'before you begin' screen by clicking 'Next' and then on the 'Select installation type' screen, select 'Role-based or feature-based installation' and click 'Next' again and then 'Add Features' on the resulting dialog box.
  • You can click through the complexity of the 'Server selection' screen, as this is the only server.
  • Now on the 'Select server roles' screen you just need to check 'Web Server (IIS)' and click 'Next' again. Some more features may be needed; just click through the 'Next' buttons until you reach the end of this so-called 'wizard' and reach an 'Install' button. Finally IIS will be added to your server.

Add a Let's Encrypt SSL certificate

  • Download the win-acme client for Windows, which is a Windows client for Let's Encrypt, the industry standard and nowadays the best practice for SSL certificates supported in all major browsers and sponsored by the major titans of the software industry.
  • Let's Encrypt certificates are free and fabulous. There's absolutely no reason to buy certificates or use self-signed certificates anymore.
  • Point your Internet domain at the External IP address of your Windows Server. (An Elastic IP address is better for the longer term, but not essential for this stage).
  • Now follow the command-line defaults for IIS to validate your IP address, then set up and store your certificate, and you'll be running in no time!
    screenshot of win-acme at
  • It could not be easier, and certificates can be hard!
  • Remember to enable the automatic renewal capability, and provided your Windows server can access the Internet you can forget about manually managing SSL certificate renewal.
  • At this point you should be able to access your server from the Internet, using HTTPS, with a padlock in the browser.
  • To access it correctly from itself, instead of via localhost, add an entry to the hosts file, usually in C:\windows\system32\drivers\etc for the domain to which you registered the certificate. Local domain resolution goes via the hosts file first, before attempting a DNS lookup and this is perfectly fine for a single Windows Server lab type environment. You can install Chrome to test everything is how you expect it to be.
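One way to confirm the result of the steps above, as an added example that is not part of the original post: it connects to the site over TLS, reports who issued the certificate and how long it has left, and looks for the renewal scheduled task. The host name is a placeholder, and the 30-day threshold and the 'win-acme*' task-name pattern are assumptions.

```powershell
# Added example: check the certificate IIS presents and the win-acme renewal task.
$HostName = 'www.example.com'  # placeholder: the domain the certificate was issued for
$MinDays  = 30                 # assumption: warn when fewer than 30 days remain

function Get-RemoteCertificate {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Name, $Port)
        # Record the validation result but continue, so a bad certificate can still be inspected
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $c, $chain, $policyErrors)
            $script:PolicyErrors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$cert     = Get-RemoteCertificate -Name $HostName
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

# Assumption: win-acme registers its renewal task under a name starting with 'win-acme'
$tasks   = @(Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue)
$nextRun = $tasks | Get-ScheduledTaskInfo | Select-Object -ExpandProperty NextRunTime

[pscustomobject]@{
    HostName     = $HostName
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    DaysLeft     = $daysLeft
    PolicyErrors = $script:PolicyErrors   # 'None' = trusted chain and matching host name
    RenewalTask  = $tasks.TaskName -join ', '
    NextRun      = $nextRun
}

if ($script:PolicyErrors -ne 'None') { Write-Warning "Certificate validation reported: $script:PolicyErrors" }
if ($daysLeft -lt $MinDays)          { Write-Warning "Certificate expires in $daysLeft days" }
if ($tasks.Count -eq 0)              { Write-Warning 'No win-acme renewal task found' }
```

Run on the server itself, this relies on the hosts file entry described above; the task lookup only makes sense on the machine where win-acme is installed.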

Replace Internet Explorer with Google Chrome as the default browser

You can't do this manually for large scale deployments, where you should use AWS CodeDeploy or Windows policy management. For a lab server though there's an easy manual PowerShell command which can install Google Chrome.

Run this PowerShell command as Administrator. Read it first, obviously. It downloads and runs the Chrome installer silently, waits until it has finished and cleans up. I found it at the cited link. It isn't my code so it isn't subject to my code licensing! It works though. Nice job!

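# Downloads the Chrome installer to the temp directory, runs it silently, waits for it to exit, then deletes it.
# '<CHROME_INSTALLER_URL>' is a placeholder: the download URL is missing from this page.
$LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; 
(new-object System.Net.WebClient).DownloadFile('<CHROME_INSTALLER_URL>', "$LocalTempDir\$ChromeInstaller"); 
& "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor =  "ChromeInstaller"; 
# Poll every 2 seconds while the installer process is still running
Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; 
If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } 
else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } }
Until (!$ProcessesFound)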
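The command above runs whatever the download returns. The following added example (not from the cited source or the original post) does the same job but checks the installer's Authenticode signature between download and execution. The URL placeholder and the expected signer name 'Google LLC' are assumptions.

```powershell
# Added example: verify the installer's Authenticode signature before running it.
$InstallerUrl   = '<CHROME_INSTALLER_URL>'   # placeholder: the URL is not given on this page
$ExpectedSigner = 'Google LLC'               # assumption: publisher name in the signing certificate
$InstallerPath  = Join-Path $env:TEMP 'ChromeInstaller.exe'

function Test-InstallerSignature {
    param([string]$Path, [string]$Signer)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain builds to a trusted root
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # Compare the certificate's simple name (CN) exactly, not a substring of the subject
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Signer) {
        Write-Warning "Signed by '$cn', expected '$Signer'"
        return $false
    }
    return $true
}

# Windows PowerShell 5.1 may not offer TLS 1.2 by default for web requests
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath -UseBasicParsing

try {
    if (Test-InstallerSignature -Path $InstallerPath -Signer $ExpectedSigner) {
        # -Wait replaces the polling loop: it blocks until the installer and its child processes exit
        $proc = Start-Process -FilePath $InstallerPath -ArgumentList '/silent', '/install' -Wait -PassThru
        "Installer exit code: $($proc.ExitCode)"
    }
    else {
        Write-Warning 'Installer was not run.'
    }
}
finally {
    # Clean up the download whether or not it was executed
    Remove-Item $InstallerPath -ErrorAction SilentlyContinue
}
```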


See also: