Are you trying to configure Let's Encrypt in WAMP server?
This guide is for you.
Let's Encrypt is a certificate authority (CA) that allows you to create a free SSL certificate for your domains.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers set up Let's Encrypt SSL certificates on their servers and websites.
In this context, we will look into how to set up Let's Encrypt in the WAMP server.
As stated earlier, Let's Encrypt is a free, automated, and open Certificate Authority (CA) which provides free TLS/SSL certificates. These certificates help in encrypting communication between the web server and your users. It is used by the majority of webmasters to secure their websites.
Enabling SSL encryption on a website provides many benefits including securing user information.
Now let us take a look at how our Support Experts enable Let's Encrypt in the WAMP server.
The latest Wamp 64 already includes OpenSSL built in, so we need not install OpenSSL separately. We can simply enable it by following the steps below.
Start by opening the httpd.conf file and uncommenting the following lines:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Then, open the php.ini file and uncomment the following line.
extension=php_openssl.dll
We open the httpd-vhosts.conf file and add a virtual host running on HTTP (port 80) for the website. Below is an example:
<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    DocumentRoot "c:/wamp/www/www.mydomain.com"
    <Directory "c:/wamp/www/www.mydomain.com/">
        Options Indexes FollowSymLinks
        AllowOverride all
        # Order/Allow are Apache 2.2 syntax (mod_access_compat); Require is the 2.4 form
        Order Deny,Allow
        Allow from all
        Require all granted
    </Directory>
    ErrorLog "logs/mydomain.com-error.log"
    CustomLog "logs/mydomain.com-access.log" common
    # Serve the challenge files written under the document root
    Alias /.well-known c:/wamp/www/www.mydomain.com/.well-known
</VirtualHost>
Here, the .well-known folder stores the challenge key that the Let's Encrypt server requests from the website before it creates the free SSL certificate.
To check that the syntax is correct, we open the command prompt, go to the Apache bin folder, and run the command below.
httpd -t
If the syntax is correct, we restart the Apache server. Then we check the website in the browser.
Since the official letsencrypt-auto script does not support Windows, we will use a third-party tool called letsencrypt-win-simple, which is built specifically for the Windows platform.
So we download the zip file and extract it to the C:\ drive. Once extracted, the folder will look like this: "C:\letsencrypt-win-simple\".
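Before requesting a certificate, it helps to confirm that Apache really serves files from the challenge folder over plain HTTP. The following PowerShell function is an added example, not part of letsencrypt-win-simple; the domain and document root are the placeholder values from the virtual host above. It must run on the server itself, because it writes a probe file into the document root.

```powershell
# Added example: pre-flight check for the http-01 challenge folder.
# Domain and document root below are the guide's placeholder values.
function Test-AcmeChallengePath {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$DocumentRoot
    )

    $challengeDir = Join-Path $DocumentRoot '.well-known\acme-challenge'
    # Real challenge files have no extension, so the probe has none either.
    $token    = 'probe-' + [guid]::NewGuid().ToString('N')
    $expected = [guid]::NewGuid().ToString('N')
    $probe    = Join-Path $challengeDir $token
    $url      = "http://$Domain/.well-known/acme-challenge/$token"

    New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
    # WriteAllText emits UTF-8 without a BOM, so the body compares exactly.
    [System.IO.File]::WriteAllText($probe, $expected)

    $client = New-Object System.Net.WebClient
    try {
        $body = $client.DownloadString($url).Trim()
        if ($body -eq $expected) { $ok = $true;  $detail = 'probe served unchanged' }
        else { $ok = $false; $detail = 'body differs: rewrite rule, error page or wrong vhost' }
    }
    catch {
        # 403/404 from Apache, DNS failure or refused connection all land here.
        $ok     = $false
        $detail = $_.Exception.Message
    }
    finally {
        $client.Dispose()
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{ Url = $url; Reachable = $ok; Detail = $detail }
}

Test-AcmeChallengePath -Domain 'mydomain.com' -DocumentRoot 'C:\wamp\www\www.mydomain.com'
```

A passing result on the server only proves the Apache side; the Let's Encrypt server connects from the internet, so port 80 must also be reachable from outside.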
Now, we open the command prompt and navigate to the letsencrypt-win-simple folder.
cd C:\letsencrypt-win-simple
Then we run the letsencrypt tool to generate a certificate for our domain in test mode. Certificates generated in test mode do not count against the rate limit.
letsencrypt.exe --manualhost <domain-name> --webroot <document-root> --test
If the certificate is generated successfully, a message similar to the one below will appear:
Authorizing Identifier <domain-name> Using Challenge Type http-01
Writing challenge answer to <document-root>\.well-known/acme-challenge/<challenge-text>
Answer should now be browsable at <document-root>/.well-known/acme-challenge/<challenge-text>
Submitting answer
Refreshing authorization
Authorization Result: valid
Requesting Certificate
Request Status: Created
Saving Certificate to C:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-stage.api.letsencrypt.org\<domain-name>-crt.der
Saving Issuer Certificate to D:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-stage.api.letsencrypt.org\ca-<hex>-crt.pem
Saving Certificate to D:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-stage.api.letsencrypt.org\<domain-name>-all.pfx
We proceed to this step only if the test generation is successful. Now we generate the actual certificate by removing the --test argument from the command:
letsencrypt.exe --manualhost <domain-name> --webroot <document-root>
Finally, the tool will create a scheduled task that will run every morning at 9.00 am. Generally, Let's Encrypt certificates are issued with a validity of 90 days. This task will renew the certificates within 30 days before expiry.
Now we configure an SSL-enabled virtual host for the domain. In the virtual host configuration, we specify the path to the certificate file, certificate key file, and the certificate chain (issuer certificate) file.
We recommend redirecting all the HTTP traffic to the HTTPS site with the correct domain name of the certificate.
Here is an example of a partial Apache configuration. On the non-SSL virtual host:
<VirtualHost *:80>
ServerAdmin admin@ibmimedia.com
ServerName www.ibmimedia.com
RewriteEngine On
# Redirect to the HTTPS site
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://www.ibmimedia.com/$1 [NE,L,R=301]
</VirtualHost>
On the SSL virtual host:
<VirtualHost *:443>
    ServerAdmin admin@ibmimedia.com
    ServerName www.ibmimedia.com
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^www\.ibmimedia\.com$ [NC]
    RewriteRule ^/?(.*)$ https://www.ibmimedia.com/$1 [NE,L,R=301]
    Alias /.well-known C:/wamp/www/.well-known
    SSLEngine on
    # Certificate, private key and issuer (chain) certificate written by the tool
    SSLCertificateFile "C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/www.ibmimedia.com-crt.pem"
    SSLCertificateKeyFile "C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/www.ibmimedia.com-key.pem"
    SSLCertificateChainFile "C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/ca-www.ibmimedia.com-crt.pem"
</VirtualHost>
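Once the SSL virtual host is live, the certificate Apache actually serves can be inspected to confirm that it is the real one rather than the test-mode one, and that the scheduled renewal task is keeping it fresh. This PowerShell function is an added example, not part of the tool; the host name in the last line is a placeholder and the 30-day threshold is the renewal window mentioned above.

```powershell
# Added example: read the certificate served on port 443 and report its state.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [int]$Port = 443,
        [int]$RenewWindowDays = 30   # renewal window stated in the guide
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate on this probe connection so that an expired
        # or test-mode certificate can still be read. Trust is checked below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)   # host name is sent as SNI
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        # Basic chain validation against the Windows trust store. A certificate
        # issued in test mode does not chain to a trusted root, so this is False.
        ChainTrusted = $cert.Verify()
        # True means the scheduled task should already have renewed it.
        RenewalDue   = ($daysLeft -le $RenewWindowDays)
    }
}

Get-ServedCertificate -HostName 'www.mydomain.com'
```

If RenewalDue stays True across several days, check that the scheduled task created by the tool is still present and running.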
We search Windows for Windows Firewall with Advanced Security and open it. Then we click on Inbound Rules and follow the steps below:
i. First, we click on New Rule in the right panel.
ii. Next, we select Port and hit Next.
iii. Then we click on TCP and give the specific port numbers as 443,80.
iv. We allow all connections.
v. After that, we check Domain, Private and Public.
vi. Also, we give the rule a respective name and click Finish.
vii. And then, we repeat the same steps for Outbound Rules and finish.
This guide has walked you through the process of setting up Let's Encrypt in the WAMP server.