Install a Let's Encrypt certificate in Exchange


Prepare the Let’s Encrypt Win-ACME client

There is a list of ACME clients offered by third parties. We are going to use Windows ACME Simple (WACS), a simple ACME client for Windows for use with Let’s Encrypt. It will automatically renew your certificates, so after you install and configure it, you’ll have a continually-secured web server.

Download Win-ACME from GitHub or the official website. At the moment of writing, the file is win-acme.v2.1.7.807.x64.pluggable.zip. Create a folder named Lets Encrypt in C:\Program Files. Extract the files in the .zip to the folder C:\Program Files\Lets Encrypt.

You can use Win-ACME from the interactive menu or unattended mode (command line). With the command line, you don’t have to jump through the menus. Both will work, and it’s good to learn both ways.

Install Let’s Encrypt certificate in Exchange Server

After downloading and extracting the files, we are going to configure the Let’s Encrypt certificate. We are going to show both the interactive menu and the command line in the next steps.

Install Let’s Encrypt certificate using Interactive Menu

Right-click the application wacs. Click run as administrator to start the application.

The Win-ACME client window will show up. Type M to create a renewal certificate (full options) and press Enter.

 A simple Windows ACMEv2 client (WACS)
 Software version 2.1.7.807 (RELEASE, PLUGGABLE)
 ACME server https://acme-v02.api.letsencrypt.org/
 IIS version 10.0
 Running with administrator credentials
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme

 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: M
Type 2 for manual input and press Enter.

Running in mode: Interactive, Advanced

  Please specify how the list of domain names that will be included in the
  certificate should be determined. If you choose for one of the "all bindings"
  options, the list will automatically be updated for future renewals to
  reflect the bindings at that time.

 1: IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: 2

Enter a comma-separated list of hostnames. Have a look at your Exchange hostnames and fill them in. Have you configured the Exchange Server hostnames correctly? There should be no internal names, for example, EX01-2016. Have a look at the article Exchange namespace design and planning. I recommend keeping the same namespace for the internal DNS and external DNS.

In my example, I will be using mail.exoip.com and autodiscover.exoip.com. After that, press Enter.

Enter comma-separated list of host names, starting with the common name: mail.exoip.com,autodiscover.exoip.com

We will not enter anything for the suggested friendly name. Press Enter to continue.

Target generated using plugin Manual: mail.exoip.com and 1 alternatives

 Suggested friendly name '[Manual] mail.exoip.com', press <Enter> to accept or type an alternative:

The Let’s Encrypt ACME client will connect with Let’s Encrypt on port 80 through the firewall to request a certificate. If you don’t have port 80 enabled, do that before proceeding. Learn more about network ports for clients and mail flow in Exchange.

Strictly, we don’t have to open port 80 on the Exchange Server. We could use port 443 instead, which is option 9 – TLS-ALPN-01. To answer that challenge correctly, the client cannot go through the HTTP stack: it needs direct, exclusive control of port 443, which means IIS has to be shut down for the validation to work.

You don’t want to shut down IIS every time the Exchange certificate is requested or renewed. That’s why we enabled port 80 in the firewall and chose option 2.

The ACME server will need to verify that you are the owner of the domain
  names that you are requesting the certificate for. This happens both during
  initial setup *and* for every future renewal. There are two main methods of
  doing so: answering specific http requests (http-01) or create specific dns
  records (dns-01). For wildcard domains the latter is the only option. Various
  additional plugins are available from https://github.com/win-acme/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s)?: 2

Type 2 for RSA key and press Enter.

  After ownership of the domain(s) has been proven, we will create a
  Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
  determines properties of the certificate like which (type of) key to use. If
  you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?: 2

Choose option 3 to store the certificate in the Windows Certificate Store and press Enter.

 When we have the certificate, you can store in one or more ways to make it
  accessible to your applications. The Windows Certificate Store is the default
  location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: Windows Certificate Store
 4: No (additional) store steps

 How would you like to store the certificate?: 3

Type 3 as we don’t need to store it another way and press Enter.

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: No (additional) store steps

 Would you like to store it in another way too?: 3

Select 1 to create or update https bindings in IIS and press Enter.

With the certificate saved to the store(s) of your choice, you may choose one
  or more steps to update your applications, e.g. to configure the new
  thumbprint, or to update bindings.

 1: Create or update https bindings in IIS
 2: Create or update ftps bindings in IIS
 3: Start external script or program
 4: No (additional) installation steps

 Which installation step should run first?: 1

Type 1 for Default Web Site and press Enter.

 1: Default Web Site
 2: Exchange Back End

 Choose site to create new bindings: 1

Type 2 to start an external script or program and press Enter.

 1: Create or update ftps bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Add another installation step?: 2

Enter the PowerShell script path ./Scripts/ImportExchange.ps1 and press Enter. The Win-ACME download includes this script; have a look in the Scripts folder of the Win-ACME installation.

 Full instructions:  https://www.win-acme.com/reference/plugins/installation/script

 Enter the path to the script that you want to run after renewal: ./Scripts/ImportExchange.ps1

Add the following parameters, including the services IIS, SMTP, and IMAP. Press Enter.

 {CertCommonName}:    Common name (primary domain name)
 {CachePassword}:     .pfx password
 {CacheFile}:         .pfx full path
 {CertFriendlyName}:  Certificate friendly name
 {CertThumbprint}:    Certificate thumbprint
 {StoreType}:         Type of store (CentralSsl/CertificateStore/PemFiles)
 {StorePath}:         Path to the store
 {RenewalId}:         Renewal identifier

 Enter the parameter format string for the script, e.g. "--hostname {CertCommonName}": '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

We don’t need to add another installation step. Type 2 and press Enter.

 1: Create or update ftps bindings in IIS
 2: No (additional) installation steps

 Add another installation step?: 2

Enter your email and press Enter.

 Enter email(s) for notifications about problems and abuse (comma seperated): info@alitajran.com

Press n to not open the terms of service and press Enter. We can always look at the terms of service by opening the PDF file in File Explorer.

Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Open in default application? (y/n*) n

Press y to agree with the terms and press Enter.

Do you agree with the terms? (y*/n) y

The output will show that it’s configuring the Let’s Encrypt certificate.

 Authorize identifier autodiscover.exoip.com
 Authorizing autodiscover.exoip.com using http-01 validation (SelfHosting)
 Authorization result: valid
 Authorize identifier mail.exoip.com
 Authorizing mail.exoip.com using http-01 validation (SelfHosting)
 Authorization result: valid
 Requesting certificate [Manual] mail.exoip.com
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] mail.exoip.com @ 2020/5/24 21:32:31 to store WebHosting
 Installation step 1/2: IIS...
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 No bindings have been changed
 Installation step 2/2: Script...
 Script C:\Program Files\Lets Encrypt\Scripts\ImportExchange.ps1 starting with parameters 'F9028D2813D9FFA48CAFD7968955844BB7A8AD0B' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\QhaVTHo0PUmJk1Pnz2PgwQ-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx' 'dDGEM7Fsu68WaKWjT7bWhK6Q8A2QNEEqgLBiQoWymlE=' '[Manual] mail.exoip.com @ 2020/5/24 21:32:31'
 Script finished
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\Lets Encrypt
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Time limit 02:00:00

We don’t want to specify a user for the task to run. Press n and press Enter. The SYSTEM user account will be used to run the task.

Do you want to specify the user the task will run as? (y/n*) - n

 Adding renewal for [Manual] mail.exoip.com
 Next renewal scheduled at 2020-7-18 21:32:18

Type Q and press Enter to exit the Let’s Encrypt Win-ACME application.

 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

 Please choose from the menu: Q

The Let’s Encrypt certificate is successfully configured in Exchange Server 2016.
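The same renewal can be created unattended from an elevated PowerShell prompt instead of the interactive menu. This is an added example, not from the article; the flag names are assumed from the win-acme 2.1 command-line reference and should be confirmed for your version with wacs.exe --help, and the host names and e-mail address are the ones used on this page.

```powershell
# Added example (not the article's own command): unattended equivalent of the
# interactive choices above. Flag names assumed from the win-acme 2.1 reference;
# verify them with `wacs.exe --help` for the version you downloaded.
Set-Location 'C:\Program Files\Lets Encrypt'

# Same parameter format string as typed in the interactive menu; the single
# quotes are passed through to ImportExchange.ps1 unchanged.
$scriptParams = "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

& .\wacs.exe `
    --target manual `                                         # option 2: manual input
    --host 'mail.exoip.com,autodiscover.exoip.com' `          # common name first
    --validation selfhosting `                                # option 2: http-01 from memory (port 80)
    --store certificatestore `                                # option 3: Windows Certificate Store
    --installation iis,script `                               # IIS bindings, then the Exchange import script
    --installationsiteid 1 `                                  # site 1: Default Web Site
    --script '.\Scripts\ImportExchange.ps1' `
    --scriptparameters $scriptParams `
    --emailaddress 'info@alitajran.com' `
    --accepttos                                               # equivalent of answering y to the terms
```

Run it once by hand; if the authorization and the ImportExchange.ps1 step finish, the renewal is stored and the scheduled task created at the end of the interactive run takes over from there.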

Check Let’s Encrypt certificate status

It’s important to check the certificate after installing or renewing it on the Exchange Server. There are many ways to verify the new certificate in Exchange Server, and I recommend checking it in a couple of ways. Before we start, let’s have a look at whether the Let’s Encrypt scheduled task is configured.

Check Let’s Encrypt scheduled task

A Let’s Encrypt issued certificate is only valid for 90 days. If you want to keep a valid certificate, you need to renew it. You can do that by following the article Install FREE Let’s Encrypt certificate in Exchange Server. I recommend making use of the scheduled task option in the Win-ACME client. The scheduled task checks every day whether the certificate needs renewing, and the Win-ACME client renews it once it’s older than 55 days. Remember to enable the scheduled task option as described in that article.

Start the Task Scheduler and verify that Win-ACME Let’s Encrypt is configured.

Check Let’s Encrypt certificate status in Exchange Admin Center

Log in to the Exchange Admin Center (EAC). Click servers in the feature pane and follow with certificates in the tabs. Click on the Let’s Encrypt certificate in the list view. More information about the certificate can be found in the details pane.

Do you want to get a list of certificates with PowerShell? Read the article Get Exchange certificate with PowerShell.
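The scheduled-task check and the certificate check above can be done together from the Exchange Management Shell, with a live TLS connection added so a stale IIS binding is caught as well. This is an added script, not from the article; the host name and task name are the values shown on this page, and the 35-day threshold follows from the page's 90-day validity and 55-day renewal age.

```powershell
# Added verification script (not from the article). Run in the Exchange
# Management Shell on the Exchange server; adjust the values for your environment.
$HostName = 'mail.exoip.com'                                   # OWA host name used on this page
$TaskName = 'win-acme renew (acme-v02.api.letsencrypt.org)'    # task name from the win-acme output
$RequiredServices = 'IIS', 'SMTP', 'IMAP'                      # services passed to ImportExchange.ps1

# 1. Renewal task: must exist, be enabled and have a successful last run (result 0).
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) { Write-Warning "Renewal task '$TaskName' not found" }
else {
    $info = $task | Get-ScheduledTaskInfo
    "Task state: $($task.State), last run: $($info.LastRunTime), result: $($info.LastTaskResult)"
}

# 2. Exchange store: the Let's Encrypt certificate must cover the host name,
#    be bound to the expected services and not be close to expiry.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" -and
                   (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $HostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No Let's Encrypt certificate for $HostName in the Exchange store" }
else {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Thumbprint $($cert.Thumbprint), expires in $daysLeft days, services: $($cert.Services)"
    foreach ($svc in $RequiredServices) {
        if ("$($cert.Services)" -notmatch $svc) { Write-Warning "Certificate is not bound to $svc" }
    }
    # 90-day certificate renewed at 55 days old leaves 35 days; less means renewal is overdue.
    if ($daysLeft -lt 35) { Write-Warning "Only $daysLeft days left; the renewal task may be failing" }
}

# 3. Live endpoint: read the certificate actually served on 443 and compare its
#    thumbprint with the store copy. Trust is deliberately not evaluated here
#    (the browser check on this page does that); we only want to inspect it.
$client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served on ${HostName}:443 -> $($served.Issuer), thumbprint $($served.Thumbprint)"
    if ($cert -and $served.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'IIS is serving a different certificate than the one in the Exchange store'
    }
} finally { $ssl.Dispose(); $client.Dispose() }
```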

Check Let’s Encrypt status in the browser

Start a browser, in my example Firefox, and type in the OWA URL. We can see that there is no longer a warning on the padlock icon in the toolbar. Clicking the lock icon shows that we are securely connected to this site, verified by Let’s Encrypt. If you don’t see it, clear the browser cache.

Start another browser. For example, Internet Explorer. Clicking the padlock icon in the toolbar will show that the connection to the server is encrypted.

DigiCert certificate checker

We are going to verify the Let’s Encrypt certificate with the DigiCert SSL certificate checker.

Enter the OWA URL of the Exchange Server, in my example mail.exoip.com. When entered, press the button Check Server. Have a look at the Subject Alternative Names, the certificate expiration, and that the certificate is correctly installed.

Microsoft Remote Connectivity Analyzer (MRCA)

Go to the Microsoft Remote Connectivity Analyzer page. Click Exchange Server in the feature pane and click Outlook Connectivity.

Fill in the credentials and click Perform Test.

After the test completes, the result shows warnings.

Looking into the warnings shows the following:

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.

It’s a warning that impacts older machines or those that don’t allow root certificate updates. It means that machines that don’t have the latest root certificates might not trust your certificate. You can safely ignore the warning.

I hope that it helped you to check Let’s Encrypt certificate in Exchange Server.

Conclusion

In this article, you learned how to check the Let’s Encrypt certificate status in Exchange Server. Start a browser and go to the Exchange Server OWA URL. Check that the padlock icon is showing a secure connection. Use an external certificate checker to check the Exchange Server OWA URL. Finally, use the Microsoft Remote Connectivity Analyzer (MRCA) to check the connection to the Exchange Server. Always verify after you change the configuration of a system; in this case, it was configuring Exchange Server for Let’s Encrypt.
