WIN-ACME

A simple ACMEv2 client for Windows (for use with Let's Encrypt et al.)

Migration

To migrate to another machine, you may follow these steps.

Pre-migration checklist

  • Decrypt the configuration files.
  • Review settings.json to check if all paths and services configured there are available on/from the new machine.
  • Review firewalls and other security settings to make sure than win-acme will be able to access all the resources it might need for validation (e.g. FTP services, Azure Managed Resource Identity, etc.).

Move program files

The files in the directory that contains wacs.exe can be copied to the new machine. Alternatively you can download the latest release, but in that case make sure to check the upgrade instructions for possible breaking changes to take into account.

Move configuration

Move the configuration files to the new machine. They are stored in the ConfigPath (typically %ProgramData%\win-acme\acme-v02.api.letsencrypt.org, though that can be customized in settings.json). Move these files to new other machine.

Pre-seed certificates

If you’re using HTTP validation directly from the old machine (which is most common scenario), you will have to update your DNS records* before you can validate host names on the new machine

*) Don’t forget the AAAA/IPv6 records when doing so!

That means that in theory you won’t be able to get certificates before you go “live” on the new machine, which is a problem for services that require continuous availability. To work around this you can:

  • Force renew all certificates on the old machine, so that your account will have valid authorizations cached for all domains. Then on the new machine you will be able to (also) renew and order new certificates based on the cached validation results.
  • Move the “old” certificates to the new machine, which is easy to accomplish using the PemFiles, PfxFile or CentralSsl store plugins because they allow you to easily copy over the files. If you’re using the default CertificateStore the process is a bit more difficult though, because you will need to get access to the private keys.

Post-migration checklist

  • Review the renewal manager to see if all expected renewals are present
  • Turn encryption back on (optional, but recommended in most scenarios)
  • Run all renewals to check for potential validation problems on the new machine.
  • If you are using email notifications, test if settings work from the new server using More options... > Test email notification