I have an IIS 10 server behind a VPN/Firewall, and was bound and determined to use Let's Encrypt even though the server can't be reached by Let's Encrypt to authorize the SSL certificate request.
I ran across www.zerossl.com, but was very confused as to how to successfully complete the process. Here are my suggestions that allowed me to get it working:
- In IIS, create a Certificate Request (CR). Copy the contents of the CR to the clipboard.
- Start the Free SSL Cert process on zerossl.com.
- Leave the domains box blank, paste in the CR from above.
- Click next to have zerossl create the Let's Encrypt key (on the left side).
- SAVE the Let's Encrypt key that it creates for you (you'll need this for renewals).
- Click next to have the certificate generated.
- The cert generated will contain TWO keys. Save its entire contents, but then make a SEPARATE .cer (txt) file that contains ONLY the first key from the generated cert.
- Return to IIS, use the Complete Certificate Request wizard.
- Provide your .cer file that ONLY has the first key in it.
- Finish the wizard and then handle your site binding(s) per usual.

Rock n' roll.
Hope this helps someone in the future.
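
The step that separates the first block into its own .cer file can be scripted rather than done by hand. The following is an added example, not part of the original post: it assumes the saved output is PEM text delimited by `BEGIN CERTIFICATE` / `END CERTIFICATE` lines, and the function names, the sample data and the `site.cer` filename are all constructed for illustration. It also refuses any input that contains a private key block, so the saved Let's Encrypt key cannot end up in the file given to IIS.

```python
import base64
import re

# Matches any PEM block; captures its label and its base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_bundle(text):
    """Return the CERTIFICATE blocks found in `text`, in file order, normalized to LF."""
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            # A saved key (e.g. the account key) must never be pasted into the .cer file.
            raise ValueError("input contains a private key block; remove it first")
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # DER certificates begin with a SEQUENCE tag
            raise ValueError("block does not decode to a DER structure")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def first_block(text):
    """The text to save as the separate .cer file for the IIS wizard."""
    return split_bundle(text)[0]


def constructed_pem(payload, nl="\n"):
    # Constructed stand-in: DER-looking bytes, NOT a real certificate.
    der = bytes([0x30, len(payload)]) + payload
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----{nl}{b64}{nl}-----END CERTIFICATE-----{nl}"


# Constructed sample: two blocks with Windows line endings, as in the step above.
SAMPLE_BUNDLE = (constructed_pem(b"constructed first block", "\r\n") + "\r\n"
                 + constructed_pem(b"constructed second block", "\r\n"))

if __name__ == "__main__":
    blocks = split_bundle(SAMPLE_BUNDLE)
    print(f"{len(blocks)} blocks found; writing the first one")
    with open("site.cer", "w", newline="\r\n") as fh:  # hypothetical output name
        fh.write(blocks[0])
```

To use it on real output, read the saved file into a string and pass it to `first_block` in place of `SAMPLE_BUNDLE`.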