Configuring Free Let's Encrypt SSL on Plesk for Windows

Free, auto-renewing SSL is no longer optional — browsers flag every non-HTTPS site, search engines prefer HTTPS, and modern browser features (HTTP/2, HTTP/3, the Service Worker API, the Clipboard API) refuse to work without it. Let's Encrypt revolutionized the certificate market by making domain-validated SSL certificates free and automated. Plesk for Windows ships with a Let's Encrypt extension that makes the entire workflow — issuance, installation, renewal — one click. This is the complete walkthrough for getting free SSL set up on an ASP.NET site hosted on Plesk for Windows.

What Let's Encrypt is, briefly

Let's Encrypt is a free, non-profit Certificate Authority operated by the Internet Security Research Group (ISRG). It issues Domain-Validated (DV) certificates, the same level of validation that commercial CAs sell as their entry tier. The big difference is the issuance process: Let's Encrypt uses the ACME protocol, an automated challenge-response system that lets servers prove they control a domain and receive a certificate without human interaction.

Three things to know about Let's Encrypt certificates:

90-day validity — shorter than commercial CAs (typically 1 year). The short window is deliberate; it forces automation and limits the damage if a key is compromised. Plesk renews automatically every 60 days, so this is invisible in practice.

DV only, not OV or EV — Let's Encrypt verifies you control the domain, not that your business legally exists. For 95% of websites this is exactly the right level. If you need Extended Validation with the company name in the URL bar, that requires a paid commercial CA.

Trusted by every modern browser — ISRG's root certificate is in Mozilla, Apple, Google, and Microsoft trust stores. There is no browser compatibility difference between a Let's Encrypt cert and a paid DV cert for end users.

What you need before starting

An Adaptive Web Hosting plan (or any other Plesk for Windows host)

Your domain's DNS A record pointed at the hosting server's IP. Verify with nslookup yourdomain.com — it must return the hosting IP, not a placeholder or a previous host

Port 80 (HTTP) reachable on the hosting server — the ACME challenge needs HTTP to verify domain ownership

Your Plesk login credentials

That's it. No certificate signing requests to generate, no private key files to manage, no email back-and-forth with a CA.

Step 1 — log in to Plesk

From your hosting welcome email, find your Plesk URL (typically https://cp.adaptivewebhosting.com:8443 or similar). Log in with the credentials supplied at signup.

From the dashboard, navigate to Websites & Domains and select the domain you want to secure. You'll see a row of action buttons across the top — File Manager, FTP Access, Databases, SSL/TLS Certificates, and so on.

Step 2 — locate the SSL/TLS Certificates tool

Click SSL/TLS Certificates from the domain's action row. Plesk shows two sections:

Upload your own certificate — for commercial certs from DigiCert, Sectigo, etc.

Let's Encrypt — the free DV certificate option

On Adaptive Web Hosting plans, the Let's Encrypt extension is pre-installed on every plan. You don't need to add it from the Plesk Marketplace separately.

Step 3 — request the certificate

Click Install on the Let's Encrypt section. A short form appears with these fields:

Email address for ACME notices — renewal failures and expiry warnings will go here. Use a real, monitored address (not your domain's admin@ which might not exist yet)

Domain names to secure — the primary domain is pre-filled. Check the box for www. if your site also serves at the www subdomain

Webmail — check if you want webmail.yourdomain.com secured too

Mail server — check if you have SmarterMail enabled on this plan

Wildcard option — covers *.yourdomain.com in one cert (requires DNS-based validation, not HTTP — we'll get to that)

For the typical "website at the apex + www" case, check the apex and www boxes, fill in your email, and click Get it free.

What happens behind the scenes

Plesk's Let's Encrypt extension automates the ACME protocol exchange:

1. Generates a fresh RSA or ECDSA key pair for your certificate

2. Creates a Certificate Signing Request

3. Submits the CSR to Let's Encrypt's ACME server

4. Receives a challenge token from Let's Encrypt (a random string)

5. Places the challenge token at http://yourdomain.com/.well-known/acme-challenge/<token> on your IIS site

6. Notifies Let's Encrypt that the challenge is ready

7. Let's Encrypt's servers fetch the URL to verify you control the domain

8. On success, Let's Encrypt issues the signed certificate

9. Plesk installs the certificate and key into IIS bindings for your site

10. Plesk schedules an auto-renewal job to repeat steps 1-9 every 60 days

The whole sequence takes 30-90 seconds for the first issuance. Subsequent renewals are silent.

Step 4 — verify the certificate is live

Open your site in a browser, ensuring you use https://:

https://yourdomain.com

You should see:

A padlock icon in the browser address bar

Clicking the padlock shows the certificate issuer as "Let's Encrypt" (specifically "R10" or "R11" intermediate, signed by ISRG Root X1 or X2)

The certificate's "Valid until" date is approximately 90 days from now

If you see "Your connection is not private" or similar, the certificate didn't install correctly — see the troubleshooting section below.

Step 5 — force HTTPS for all traffic

The certificate is installed, but HTTP requests still reach your site at port 80. To redirect all HTTP traffic to HTTPS, you need a redirect rule. Two clean options:

Option A: Plesk Hosting Settings

From your domain's settings page in Plesk, find Hosting Settings — look for a "Permanent SEO-safe 301 redirect from HTTP to HTTPS" toggle. Check it and save. Plesk adds the redirect rule to your site's web.config automatically.

Option B: ASP.NET Core middleware

If you'd rather handle the redirect at the application layer, add this to Program.cs:

    app.UseHttpsRedirection();
    app.UseHsts(); // adds Strict-Transport-Security header

UseHttpsRedirection handles the redirect; UseHsts tells browsers to remember your site is HTTPS-only for future visits (default 30 days, but configurable).

Use one or the other, not both — double-redirects waste a round-trip per request.

Wildcard certificates for subdomains

If you operate many subdomains (app., api., admin., blog., staging.), issuing one certificate per subdomain is tedious. A wildcard certificate for *.yourdomain.com covers any subdomain in one cert.

Wildcard certs require DNS-based validation — you must prove control over the domain's DNS, not just one HTTP endpoint. The validation process:

Request a wildcard cert via Plesk's Let's Encrypt extension — check the "Wildcard" option

Plesk shows you a TXT record value to add to your DNS

Add the TXT record at your DNS provider (GoDaddy, Cloudflare, Route 53, wherever your DNS lives)

Wait for DNS propagation (typically 1-5 minutes)

Plesk verifies the TXT record and Let's Encrypt issues the wildcard cert

If your domain's DNS is hosted by your registrar, this requires updating a record at the registrar. If your DNS is hosted by Plesk itself (you've delegated DNS to your hosting server), Plesk can write the TXT record directly — even simpler.

Wildcards don't cover the apex (*.yourdomain.com doesn't cover yourdomain.com itself). Include the apex as a Subject Alternative Name in the cert request to cover both.

Auto-renewal: what happens, what to monitor

Plesk's Let's Encrypt extension schedules renewal at roughly 60 days into the 90-day window. The renewal repeats the ACME exchange and replaces the installed certificate without restarting IIS. Users see no interruption.

Failure modes are rare but happen:

DNS changed — if the A record no longer points at this hosting, the HTTP challenge fails

Firewall blocked port 80 — Let's Encrypt can't reach the challenge endpoint

Rate limits hit — if you've issued many certs for the same domain in a short window (Let's Encrypt limits to 50 certs per registered domain per week as of this writing)

The email you provided in Step 3 receives renewal failure notifications. Set a reminder to look at your hosting's certificate status if you change DNS, change registrars, or move firewall rules.
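An external check for silent renewal failure, added here as an example and not part of the original article or of Plesk. It relies on the article's numbers: with a 90-day lifetime and renewal at day 60, a healthy certificate should never have much less than 30 days left. The function names, the 5-day grace period and the status strings are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

LIFETIME_DAYS = 90    # certificate validity stated in the article
RENEW_AT_DAY = 60     # Plesk's renewal point stated in the article

def days_left(not_after: str, now: datetime) -> float:
    """Days until expiry; not_after uses the 'Jun 30 00:00:00 2025 GMT' form."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400

def renewal_status(not_after: str, now: datetime, grace_days: int = 5) -> str:
    """Flag a certificate that has outlived the point where renewal should have run."""
    left = days_left(not_after, now)
    if left <= 0:
        return "EXPIRED"
    if left < (LIFETIME_DAYS - RENEW_AT_DAY) - grace_days:
        return "RENEWAL_OVERDUE"
    return "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Read notAfter from the certificate the server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host: str) -> str:
    """Live check for one site, suitable for a scheduled task."""
    try:
        return renewal_status(fetch_not_after(host), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError:
        # The verified handshake fails once the certificate has lapsed or is untrusted.
        return "EXPIRED_OR_UNTRUSTED"
```

Running check_host from a machine outside the hosting server catches the failure modes listed above even if the notification email is missed.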

Common troubleshooting

"Failed to verify domain" during issuance

This means Let's Encrypt couldn't reach your site's HTTP endpoint to verify the challenge. Causes:

DNS A record doesn't point at the hosting IP — nslookup yourdomain.com shows wrong value

Port 80 is blocked by a firewall

The site doesn't accept HTTP requests (often because someone already configured "force HTTPS" before having a cert — chicken and egg). Temporarily disable the redirect, get the cert, re-enable.

An existing redirect rule sends /.well-known/acme-challenge/ requests somewhere unexpected. Check web.config rewrite rules.
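One way to run the web.config check from the last cause, as an added example that is not part of the original article or of Plesk's tooling: a Python function that reports URL Rewrite rules which would redirect or rewrite an HTTP-01 challenge request. The sample web.config and token are constructed; the check assumes the default regular-expression pattern syntax, evaluates only path-based conditions, and treats other conditions such as {HTTPS} as matching a plain-HTTP request.

```python
import re
import xml.etree.ElementTree as ET

CHALLENGE = ".well-known/acme-challenge/sample-token"   # constructed token
PATH_INPUTS = {"{REQUEST_URI}", "{URL}", "{PATH_INFO}"}

# Constructed sample: a typical force-HTTPS rule with no ACME exemption.
SAMPLE_WEB_CONFIG = r"""<configuration><system.webServer><rewrite><rules>
  <rule name="Force HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="off" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

def _hits(pattern: str, text: str, negate: str) -> bool:
    """Evaluate one IIS pattern (regex, case-insensitive) with its negate flag."""
    matched = re.search(pattern, text, re.IGNORECASE) is not None
    return matched != (negate.lower() == "true")

def rules_catching_acme(web_config_xml: str) -> list:
    """Names of rules that would redirect or rewrite an HTTP-01 challenge request."""
    flagged = []
    for rule in ET.fromstring(web_config_xml).iterfind(".//rewrite/rules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if rule.get("enabled", "true").lower() == "false" or match is None or action is None:
            continue
        # <match url> is tested against the path without its leading slash.
        if not _hits(match.get("url", ""), CHALLENGE, match.get("negate", "false")):
            continue
        conds = rule.find("conditions")
        if conds is not None and conds.get("logicalGrouping", "MatchAll") == "MatchAll":
            # Under MatchAll, one false path condition keeps the rule from firing.
            if any(c.get("input") in PATH_INPUTS and not
                   _hits(c.get("pattern", ""), "/" + CHALLENGE, c.get("negate", "false"))
                   for c in conds.iterfind("add")):
                continue
        if action.get("type") == "None":
            if rule.get("stopProcessing", "false").lower() == "true":
                break    # pass-through rule: later rules never see the request
            continue
        flagged.append(rule.get("name", "(unnamed)"))
    return flagged
```

An empty result means either no rule matches the challenge path or an earlier pass-through or negated path condition exempts it.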

Certificate installed but browser still shows "Not secure"

Almost always a caching issue. Hard-refresh the page (Ctrl+Shift+R / Cmd+Shift+R). If you've been testing with HTTP, the browser may have cached the connection as HTTP — explicitly type https:// in the address bar. If the issue persists, check that the IIS binding actually uses the new certificate — in Plesk's SSL/TLS Certificates panel, the installed cert should be marked as "Bound to: yourdomain.com" with the certificate name shown.

Mixed-content warnings on HTTPS pages

Your page is served over HTTPS but loads sub-resources (images, scripts, stylesheets) over HTTP. Browsers either block them or downgrade the page to "Not Fully Secure." Fix the resource URLs to use protocol-relative or explicit https:// references. The browser DevTools Console flags every mixed-content URL.

HSTS lock-in after testing

If you enabled HSTS and discover an issue with the cert, the Strict-Transport-Security header tells browsers to refuse HTTP for the configured duration. You can't undo this from your end — users have to wait out the duration or manually clear HSTS state in browser settings. For initial deployments, use a short max-age (e.g. 1 hour) until you've validated everything works, then raise to weeks or months.

Renewal failed and the cert expired

Plesk shows a warning banner on the SSL/TLS Certificates page. Click Renew manually to trigger the ACME flow. If the manual renewal also fails, work through the "Failed to verify domain" causes above — renewal uses the same HTTP challenge as initial issuance.

ASP.NET-specific considerations

Kestrel and the ASP.NET Core Module

On Plesk for Windows + IIS, your ASP.NET Core app runs behind IIS, which terminates SSL at the IIS layer. Kestrel (your app's internal HTTP server) only sees HTTP traffic from the ASP.NET Core Module. This is correct — you don't need to configure TLS inside your ASP.NET Core app at all. The cert lives at the IIS layer.

The implication for your code: when ASP.NET Core needs to know the original request scheme (for redirects or logging), use the X-Forwarded-Proto header. Configure forwarded-headers middleware:

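    using Microsoft.AspNetCore.HttpOverrides;

    // Register before any middleware that reads the request scheme.
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });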

Without this, generated URLs may use http:// instead of https:// when your app constructs them from the request context.

HTTP/2 and HTTP/3

IIS 10 on Windows Server 2022 ships with HTTP/2 enabled by default and HTTP/3 support available. Both require HTTPS — HTTP/2 over plain HTTP is supported by the spec but no major browser implements it. Once SSL is installed via Plesk, HTTP/2 and HTTP/3 negotiate automatically with compatible clients. No extra configuration needed.

SignalR over HTTPS

Blazor Server and SignalR-based apps must run over HTTPS in production — WebSocket connections (the default SignalR transport) require a secure context in modern browsers. The Let's Encrypt cert installed via Plesk satisfies this automatically. If your Blazor Server app loses connection immediately after deploy, see our Blazor Server SignalR diagnostic guide — the cert is usually fine, the issue is elsewhere.

Frequently asked questions

Why is Let's Encrypt free? Is there a catch?

Let's Encrypt is operated by a non-profit (Internet Security Research Group) funded by sponsorships from major tech companies (Cisco, Mozilla, Akamai, Google, AWS, Facebook). The mission is universal HTTPS adoption. There is no catch — certificates are issued at the same technical quality as paid commercial DV certs. The free model is sustainable because most of the cost of a CA is verification labor for higher-validation certs (OV, EV) and customer support. Let's Encrypt automates away the verification labor and provides no human support — that's the trade-off.

Are Let's Encrypt certs less secure than paid certs?

No. The cryptographic strength, browser trust, and validation rigor are identical to paid Domain Validation certs. The only differences are validation level (DV vs OV/EV) and certificate lifetime (90 days vs 1 year). For 95% of websites, DV is exactly the right level. Sites that need OV or EV (the company name in the address bar) require paid CAs — banks, large e-commerce, regulated industries.

Does Adaptive Web Hosting include this on every plan?

Yes — the Let's Encrypt extension is pre-installed on every plan from the $9.49 Developer tier up. There's no add-on fee, no "premium SSL" upsell, no upgrade required to get free auto-renewing certificates. The cost of running Let's Encrypt is so low that adding it to every plan is the obvious choice.

Can I use Cloudflare for SSL and skip this?

Yes — Cloudflare's free tier includes SSL for traffic between visitors and Cloudflare's edge. But for the connection from Cloudflare to your origin server, you still want a real cert at the origin. Cloudflare's "Flexible" SSL mode (HTTP origin) is insecure; "Full" or "Full (strict)" requires a cert at your origin, which Let's Encrypt via Plesk provides. The two complement rather than substitute.

What about wildcard certs for many subdomains?

Wildcards work as described in the dedicated section above. One certificate for *.yourdomain.com covers any subdomain. Issuance requires DNS-based ACME challenge (DNS TXT record) rather than HTTP. Plesk's extension handles both methods.

Will my certificate renew if I'm on vacation?

Yes — renewal is fully automated and happens server-side at the 60-day mark. You receive an email confirmation. No action required on your end unless something genuinely breaks (DNS changed, firewall changed, etc.), in which case you'd also receive a failure-notification email.

What happens if I cancel my hosting plan? Does the cert keep working?

The cert is installed on the hosting server. If you cancel the plan, you lose access to the server and the cert renewal stops. The actual certificate file is still valid until its 90-day expiry, but you can't issue a new one without an active hosting plan (or moving to a different host that handles its own Let's Encrypt setup).

Can I export the Let's Encrypt cert to use on another server?

Yes — from Plesk's SSL/TLS Certificates panel, click the cert name and export the certificate + private key as a .pfx file (Windows) or separate .crt and .key files. You can install it on any other server. But it'll still expire in 90 days, and renewal from the other server requires that server to also be the one receiving HTTP challenges to yourdomain.com/.well-known/acme-challenge/ — which usually means the other server should issue its own Let's Encrypt cert rather than reusing the Plesk one.

Bottom line

Free auto-renewing SSL via Let's Encrypt is the modern default for almost every website that doesn't specifically need Organizational or Extended Validation. Plesk for Windows automates the entire workflow: issuance, installation, renewal, and ACME-challenge response. On Adaptive Web Hosting plans, the Let's Encrypt extension is pre-installed on every plan with no add-on cost — from the $9.49 Developer tier up. The browser padlock, HTTP/2, HTTP/3, SignalR WebSockets, and the Service Worker API all just work, automatically.

If you're still paying $50-150/year per domain for a commercial DV certificate that does the same thing, it's time to switch. Every Adaptive Web Hosting plan includes a 30-day money-back guarantee. View hosting plans, see our complete ASP.NET Core deployment walkthrough, or talk to an ASP.NET expert.
