Install FREE Let’s Encrypt certificate in Exchange Server
How do you install a FREE Let’s Encrypt certificate in Exchange Server? After configuring the internal and external DNS, the next step is to install a certificate on the Exchange Server. What is Let’s Encrypt, and why is it free in the first place? Read more in this article about configuring a Let’s Encrypt certificate in Exchange Server 2016.
What is Let’s Encrypt?
Let’s Encrypt is a free way to secure your web server using HTTPS with an SSL certificate. It ensures secure encrypted data transfer and connection between server and client. Let’s Encrypt does not charge a fee for the certificates. Let’s Encrypt is a nonprofit, and its mission is to create a more secure and privacy-respecting Web. They do that by promoting the widespread adoption of HTTPS. The services are free and easy to use so that everyone can deploy HTTPS.
Exchange Server certificate not trusted
After a fresh Exchange Server installation, client connections are not secured by a trusted certificate. That’s the default. We will log into Outlook Web Access (OWA) to see how this looks.
In Firefox, it’s showing a Warning: Potential Security Risk Ahead. Click on Advanced… and proceed further to see the OWA login page.
The Exchange Server OWA is functioning, but it’s not secure. The padlock icon is showing a warning. If we click the padlock in the address bar, we can see that the connection is not secure.
The same happens in all other browsers. For example, Internet Explorer shows a red address bar. When clicking the certificate in the toolbar, it shows that the certificate’s address does not match. The Exchange Server connection is not secure.
We learned about Let’s Encrypt, and we have seen that Exchange Server connection is not secure. In the next part, we are going to prepare the application to configure the certificate. After that, we will request a free Let’s Encrypt certificate.
Prepare the Let’s Encrypt Win-ACME client
There is a list of ACME clients offered by third parties. We are going to use Windows ACME Simple (WACS), a simple ACME client for Windows for use with Let’s Encrypt. It automatically renews your certificates, so after you install and configure it, you’ll have a continually secured web server.
Download Win-ACME from GitHub or the official website. At the moment of writing, the file is win-acme.v2.1.7.807.x64.pluggable.zip. Create a folder named Lets Encrypt in C:\Program Files. Extract the files in the .zip to the folder C:\Program Files\Lets Encrypt.
You can use Win-ACME from the interactive menu or unattended mode (command line). With the command line, you don’t have to jump through the menus. Both will work, and it’s good to learn both ways.
Install Let’s Encrypt certificate in Exchange Server
After downloading and extracting the files, we are going to configure the Let’s Encrypt certificate. The next steps show both the interactive menu and the command line.
Install Let’s Encrypt certificate using Interactive Menu
Right-click the application wacs.exe and click Run as administrator to start it.
The Win-ACME client window will show up. Type M to create a renewal (full options) and press Enter.
```
A simple Windows ACMEv2 client (WACS)
Software version 2.1.7.807 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

Please choose from the menu: M
```
Type 2 for manual input and press Enter.
```
Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

 1: IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

How shall we determine the domain(s) to include in the certificate?: 2
```
Enter a comma-separated list of hostnames. Look up your Exchange hostnames and fill them in. Have you configured the Exchange Server hostnames correctly? There should be no internal names such as EX01-2016. Have a look at the article Exchange namespace design and planning. I recommend keeping the same namespace for the internal DNS and the external DNS.
In my example, I will be using mail.exoip.com and autodiscover.exoip.com. After that, press Enter.
```
Enter comma-separated list of host names, starting with the common name: mail.exoip.com,autodiscover.exoip.com
```
We will not enter anything for the suggested friendly name. Press Enter to continue.
```
Target generated using plugin Manual: mail.exoip.com and 1 alternatives

Suggested friendly name '[Manual] mail.exoip.com', press <ENTER> to accept or type an alternative:
```
Let’s Encrypt proves that you own the hostnames by connecting to the server on port 80 (the http-01 challenge), so port 80 must be open inbound through the firewall before requesting the certificate. If you don’t have port 80 enabled, do that before proceeding. Learn more about network ports for clients and mail flow in Exchange.
Alternatively, port 80 can stay closed: option 9, tls-alpn-01, validates on port 443 instead. That challenge cannot be answered through the HTTP stack; Win-ACME needs direct control (exclusive access) over port 443, which means IIS has to be shut down for it to work.
You don’t want to shut down IIS every time the Exchange certificate is requested or renewed. That’s why we enabled port 80 in the firewall and chose option 2.
```
The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

How would you like prove ownership for the domain(s)?: 2
```
Type 2 for an RSA key and press Enter.
```
After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

What kind of private key should be used for the certificate?: 2
```
Choose option 3 to store the certificate in the Windows Certificate Store and press Enter.
```
When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: Windows Certificate Store
 4: No (additional) store steps

How would you like to store the certificate?: 3
```
Type 3, as we don’t need to store it in another way, and press Enter.
```
 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: No (additional) store steps

Would you like to store it in another way too?: 3
```
Type 1 to create or update https bindings in IIS and press Enter.
```
With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

 1: Create or update https bindings in IIS
 2: Create or update ftps bindings in IIS
 3: Start external script or program
 4: No (additional) installation steps

Which installation step should run first?: 1
```
Type 1 for Default Web Site and press Enter.
```
 1: Default Web Site
 2: Exchange Back End

Choose site to create new bindings: 1
```
Type 2 to start an external script or program and press Enter.
```
 1: Create or update ftps bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

Add another installation step?: 2
```
Enter the PowerShell script path ./Scripts/ImportExchange.ps1 and press Enter. The Win-ACME download includes this script; have a look in its Scripts folder.
```
Full instructions: https://www.win-acme.com/reference/plugins/installation/script

Enter the path to the script that you want to run after renewal: ./Scripts/ImportExchange.ps1
```
Add the following parameters, including the services IIS, SMTP, and IMAP, and press Enter. Win-ACME fills in the placeholders in curly braces at run time; the positional values are handed to ImportExchange.ps1 as the new certificate thumbprint, the Exchange services to enable, a flag (1) to leave the old Exchange certificates in place, the cached .pfx file, its password, and the friendly name.
```
{CertCommonName}: Common name (primary domain name)
{CachePassword}: .pfx password
{CacheFile}: .pfx full path
{CertFriendlyName}: Certificate friendly name
{CertThumbprint}: Certificate thumbprint
{StoreType}: Type of store (CentralSsl/CertificateStore/PemFiles)
{StorePath}: Path to the store
{RenewalId}: Renewal identifier

Enter the parameter format string for the script, e.g. "--hostname {CertCommonName}": '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'
```
We don’t need to add another installation step. Type 2 and press Enter.
```
 1: Create or update ftps bindings in IIS
 2: No (additional) installation steps

Add another installation step?: 2
```
Enter your email and press Enter.
```
Enter email(s) for notifications about problems and abuse (comma seperated): info@alitajran.com
```
Press n to skip opening the terms of service and press Enter. You can always read the terms of service later by opening the PDF file in File Explorer.
```
Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf
Open in default application? (y/n*) n
```
Press y to agree with the terms and press Enter.
```
Do you agree with the terms? (y*/n) y
```
The output shows Win-ACME validating the hostnames, requesting and storing the certificate, running the Exchange import script, and creating the renewal task.
```
Authorize identifier autodiscover.exoip.com
Authorizing autodiscover.exoip.com using http-01 validation (SelfHosting)
Authorization result: valid
Authorize identifier mail.exoip.com
Authorizing mail.exoip.com using http-01 validation (SelfHosting)
Authorization result: valid
Requesting certificate [Manual] mail.exoip.com
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] mail.exoip.com @ 2020/5/24 21:32:31 to store WebHosting
Installation step 1/2: IIS...
Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
No bindings have been changed
Installation step 2/2: Script...
Script C:\Program Files\Lets Encrypt\Scripts\ImportExchange.ps1 starting with parameters 'F9028D2813D9FFA48CAFD7968955844BB7A8AD0B' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\QhaVTHo0PUmJk1Pnz2PgwQ-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx' 'dDGEM7Fsu68WaKWjT7bWhK6Q8A2QNEEqgLBiQoWymlE=' '[Manual] mail.exoip.com @ 2020/5/24 21:32:31'
Script finished
Adding Task Scheduler entry with the following settings
- Name win-acme renew (acme-v02.api.letsencrypt.org)
- Path C:\Program Files\Lets Encrypt
- Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
- Start at 09:00:00
- Time limit 02:00:00
```
We don’t need to specify a user for the task to run as. Press n and press Enter; the task will run under the SYSTEM account.
```
Do you want to specify the user the task will run as? (y/n*) - n

Adding renewal for [Manual] mail.exoip.com
Next renewal scheduled at 2020-7-18 21:32:18
```
Type Q and press Enter to exit the Win-ACME application.
```
 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

Please choose from the menu: Q
```
The Let’s Encrypt certificate is now configured in Exchange Server 2016.
Install Let’s Encrypt certificate using the Command Line
Run Command Prompt as administrator. Change directory to the Lets Encrypt folder and run the command below. Add --verbose at the end of the command to see what is happening.
```
C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
```
After running the command, you will be asked to enter an email address and to answer a couple of questions about the Terms of Service.
- Email: Enter your email and press Enter.
- Open Terms of Service: Press n to skip opening the terms of service and press Enter. You can always read the terms of service later by opening the PDF file in File Explorer.
- Agree with Terms of Service: Press y to agree with the terms and press Enter.
Have a look below to see the full output after accepting the Terms of Service.
```
C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
[VERB] Verbose mode logging enabled
[VERB] Looking for settings.json in C:\Program Files\Lets Encrypt
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[VERB] Arguments: --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol network service,administrators --installation iis,script --installationsiteid 1 --script ./Scripts/ImportExchange.ps1 --scriptparameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}' --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.7.807 (RELEASE, PLUGGABLE)
[INFO] ACME server https://acme-v02.api.letsencrypt.org/
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[INFO] IIS version 10.0
[INFO] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Test for international support: 語言 язык لغة
[INFO] Running in mode: Unattended
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[INFO] Target generated using plugin Manual: mail.exoip.com and 1 alternatives
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [Manual] mail.exoip.com
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["mail.exoip.com", "autodiscover.exoip.com"]
[VERB] Loading ACME account signer...
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
Enter email(s) for notifications about problems and abuse (comma seperated): info@exoip.com
[DBUG] Send GET request to https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
[VERB] Request completed with status OK
Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf
Open in default application? (y/n*) - no
Do you agree with the terms? (y*/n) - yes
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct
[VERB] Request completed with status Created
[DBUG] Saving account
[DBUG] Saving signer to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/88066085/3646157898 created
[VERB] Handle authorization 1/2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5040033653
[VERB] Request completed with status OK
[INFO] Authorize identifier autodiscover.exoip.com
[VERB] Initial authorization status: pending
[VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] Initial challenge status: pending
[INFO] Authorizing autodiscover.exoip.com using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033653/LpXdOA
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033653/LpXdOA
[VERB] Request completed with status OK
[INFO] Authorization result: valid
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[VERB] Handle authorization 2/2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5040033654
[VERB] Request completed with status OK
[INFO] Authorize identifier mail.exoip.com
[VERB] Initial authorization status: pending
[VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] Initial challenge status: pending
[INFO] Authorizing mail.exoip.com using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033654/o9LzXg
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033654/o9LzXg
[VERB] Request completed with status OK
[INFO] Authorization result: valid
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[DBUG] CSR stored at iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-csr.pem in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[VERB] Submitting CSR
[DBUG] Waiting for order to get ready (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/order/88066085/3646157898
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/88066085/3646157898
[VERB] Request completed with status OK
[INFO] Requesting certificate [Manual] mail.exoip.com
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/cert/036e55bc8fe5402aaa58bd9b48ad80ec5276
[VERB] Request completed with status OK
[DBUG] Certificate written to cache file iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates. It will be reused when renewing within 1 day(s) as long as the Target and Csr parameters remain the same and the --force switch is not used.
[DBUG] Certificate store: My
[INFO] Store with CertificateStore...
[INFO] Installing certificate in the certificate store
[DBUG] Opened certificate store My
[INFO] Adding certificate [Manual] mail.exoip.com @ 2020/6/5 19:21:26 to store My
[VERB] CN=mail.exoip.com - CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US (0C4C00B76EB7DB236573BF79258888D32C9B753D)
[DBUG] Closing certificate store
[VERB] Private key found at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8592b1c3eb2a87fc0ab7e596d486626b_78e30ce3-4e01-442d-9d65-5b07d94408f1
[INFO] Add full control rights for network service
[INFO] Add full control rights for administrators
[VERB] CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US - CN=DST Root CA X3, O=Digital Signature Trust Co. (E6A3B45B062D509B3382282D196EFE97D5956CCB) to store CA
[DBUG] Closing store CA
[INFO] Installation step 1/2: IIS...
[WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
[WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
[WARN] No bindings have been changed
[INFO] Installation step 2/2: Script...
[INFO] Script ./Scripts/ImportExchange.ps1 starting with parameters '0C4C00B76EB7DB236573BF79258888D32C9B753D' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx' 'RMsWi3SSvlqi8gYIiqb4bw+jLwA+fn2ShwyedkWcaXo=' '[Manual] mail.exoip.com @ 2020/6/5 19:21:26'
[DBUG] Process launched: powershell.exe (ID: 7476)
[VERB] NewCertThumbprint: 0C4C00B76EB7DB236573BF79258888D32C9B753D
[VERB] ExchangeServices: IIS,SMTP,IMAP
[VERB] LeaveOldExchangeCerts: 1
[VERB] RenewalId:
[VERB] CacheFile: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx
[VERB] FriendlyName: [Manual] mail.exoip.com @ 2020/6/5 19:21:26
[VERB] Searching for Exchange snapin...
[VERB] Waiting for process to finish...
[VERB] Waiting for process to finish...
[VERB] Microsoft.Exchange.Management.PowerShell.E2010
[VERB] Microsoft.Exchange.Management.PowerShell.SnapIn
[VERB] Checking if certificate can be found in the right store...
[VERB] Updating Exchange services...
[VERB] Waiting for process to finish...
[VERB] Waiting for process to finish...
[VERB] Certificate set for the following services: IIS,SMTP,IMAP
[VERB] Process output without data received
[VERB] Process error without data received
[INFO] Script finished
[VERB] Waiting for process to finish...
[INFO] Adding Task Scheduler entry with the following settings
[INFO] - Name win-acme renew (acme-v02.api.letsencrypt.org)
[INFO] - Path C:\Program Files\Lets Encrypt
[INFO] - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
[INFO] - Start at 09:00:00
[INFO] - Time limit 02:00:00
[DBUG] Creating task to run as system user
[INFO] Adding renewal for [Manual] mail.exoip.com
[INFO] Next renewal scheduled at 2020/7/30 19:20:31
[INFO] Certificate [Manual] mail.exoip.com created
[VERB] Exiting with status code 0
```
Win-ACME successfully obtained the Let’s Encrypt certificate for Exchange Server and bound it to the Exchange services IIS, SMTP, and IMAP.
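A quick post-installation check for the setup above, added here as an example and not part of the article or of Win-ACME. It assumes the Exchange Management Shell on the Exchange server, reuses the article’s hostnames, services and task name, and uses the 90-day validity of Let’s Encrypt certificates together with the 55-day renewal period from the verbose output to decide whether the scheduled renewal is overdue.

```powershell
# Added example: verify the Let's Encrypt certificate, its Exchange bindings and the
# win-acme renewal task. Values below are taken from the article (assumed, adjust as needed).
$CommonName   = 'mail.exoip.com'
$SanNames     = @('mail.exoip.com', 'autodiscover.exoip.com')
$WantServices = @('IIS', 'SMTP', 'IMAP')
$TaskName     = 'win-acme renew (acme-v02.api.letsencrypt.org)'
$RenewalDays  = 55     # "Renewal period: 55 days" in the verbose output
$ValidityDays = 90     # Let's Encrypt certificates are valid for 90 days

$problems = New-Object System.Collections.Generic.List[string]

# 1. Newest Let's Encrypt certificate for the common name in LocalMachine\My
#    (the --certificatestore My target used on the command line).
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$CommonName" -and $_.Issuer -like "*Let's Encrypt*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$daysLeft = $null
if (-not $cert) {
    $problems.Add("No Let's Encrypt certificate for $CommonName found in LocalMachine\My")
} else {
    # Without the private key IIS/SMTP cannot use the certificate at all.
    if (-not $cert.HasPrivateKey) { $problems.Add('Certificate has no private key') }

    # Every hostname requested in the article must be present in the SAN extension.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($name in $SanNames) {
        if ($sanText -notmatch [regex]::Escape($name)) { $problems.Add("SAN does not contain $name") }
    }

    # win-acme renews after 55 of the 90 days; fewer than 35 days left means renewal has not run.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt ($ValidityDays - $RenewalDays)) {
        $problems.Add("Only $daysLeft days of validity left; the scheduled renewal should already have run")
    }

    # 2. Exchange must have the same thumbprint enabled for IIS, SMTP and IMAP
    #    (this is what ImportExchange.ps1 does in installation step 2/2).
    $exCert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint -ErrorAction SilentlyContinue
    if (-not $exCert) {
        $problems.Add('Exchange does not list this thumbprint; ImportExchange.ps1 may not have run')
    } else {
        $missing = $WantServices | Where-Object { $exCert.Services -notmatch $_ }
        if ($missing) { $problems.Add("Certificate not enabled for: $($missing -join ', ')") }
    }
}

# 3. The renewal task wacs.exe created must exist and not be disabled.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $problems.Add("Scheduled task '$TaskName' not found")
} elseif ($task.State -eq 'Disabled') {
    $problems.Add("Scheduled task '$TaskName' is disabled")
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $CommonName ($($cert.Thumbprint)) valid until $($cert.NotAfter), $daysLeft days left"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it again a few days after the first scheduled renewal date; a certificate that still has fewer than 35 days left at that point means the SYSTEM task or the port 80 validation is failing.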
In the next article, we will verify the Let’s Encrypt configuration on Exchange Server. Keep reading on how to Check Let’s Encrypt certificate.
Did it help you to install Let’s Encrypt certificate in Exchange Server?
Conclusion
In this article, you learned how to install a FREE Let’s Encrypt certificate in Exchange Server. Design and configure the Exchange 2016 namespace before installing the Let’s Encrypt certificate. Don’t forget to enable port 80 on the firewall. If you don’t, Let’s Encrypt can’t validate the hostnames and won’t issue the certificate.
Did you enjoy this article? You may also like Get Exchange certificate with PowerShell. Don’t forget to follow us and share this article.
Great article!
Thank you, it works like a charm!
Excellent article, works like a charm!
Thank you very much!
How do you do the same thing with a DAG? How can we use and install the same certificate on the other members?
I also heard that using the interactive mode for Exchange was not a good idea regarding rights when installing a CU. Do you confirm?
Regards.
You are welcome. I am glad that it worked.
At the moment, you have to manually export and import the certificate on another Exchange Server.
When I do have time, I will write a script to automate the process. This way, it will download the Let’s Encrypt certificate and assign it to all the Exchange Servers that you set up in the configuration.
For now, you can find more interesting articles about certificates over here.
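One way to do the manual export and import mentioned in the reply above, added here as an example; it is not the author’s script and not part of Win-ACME. It assumes the Exchange Management Shell, two Exchange 2016 servers named EX01 (where Win-ACME runs) and EX02, and the hostnames and services from the article.

```powershell
# Added example: copy the Let's Encrypt certificate from EX01 to EX02 and enable it there.
# Server names are assumed; the common name and services come from the article.
$SourceServer = 'EX01'
$TargetServer = 'EX02'
$CommonName   = 'mail.exoip.com'
$Services     = 'IIS,SMTP,IMAP'

# Newest Let's Encrypt certificate for the common name on the source server.
$cert = Get-ExchangeCertificate -Server $SourceServer |
    Where-Object { $_.Subject -eq "CN=$CommonName" -and $_.Issuer -like "*Let's Encrypt*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No Let's Encrypt certificate for $CommonName on $SourceServer" }

# Skip the copy if the target already has this exact certificate (same thumbprint).
$existing = Get-ExchangeCertificate -Server $TargetServer -Thumbprint $cert.Thumbprint -ErrorAction SilentlyContinue
if (-not $existing) {
    # A random one-time password protects the private key inside the PFX bytes.
    $pfxPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force

    # Export the certificate with its private key as binary PFX data from the source ...
    $pfx = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $cert.Thumbprint `
        -BinaryEncoded -Password $pfxPassword

    # ... and import the same bytes on the target; nothing is written to disk.
    Import-ExchangeCertificate -Server $TargetServer -FileData $pfx.FileData `
        -Password $pfxPassword -PrivateKeyExportable $true | Out-Null
}

# Bind it to the same services the article uses; -Force skips the SMTP overwrite prompt.
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $cert.Thumbprint -Services $Services -Force

# Show the result on the target server.
Get-ExchangeCertificate -Server $TargetServer -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, NotAfter, Services
```

Because Win-ACME replaces the certificate at every renewal (roughly every 55 days), this copy has to be repeated after each renewal on the server where Win-ACME runs.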
Ok, thank you for your answer. I took a look and it’s very useful and detailed.
Thanks for all.
Excellent work! Thank you very much!
I just looked up your mail server and it is no longer certified with Let’s Encrypt. It is currently on a self-signed certificate. Could you let us know what went wrong so we could learn from it and perhaps fix it?
I do a lot of building and testing in the environment. After setting up a new Exchange Server, I did not configure Let’s Encrypt on it. That’s why you see the self-signed certificate. I just followed the article, and Let’s Encrypt is configured again. Have a look yourself.
Great Article and works perfectly. Thanks for wonderful work.
Great blog!! Perfectly done… thanks a million….
Bravo!! Well done!! I have never seen such a precise article with screenshots. Easily done in no time.
God bless you!! Thank you so much!! I did it for Exchange 2013 with no issue. I had to restart IIS since I was not able to log in to EAC; it was stuck in a login loop.
Great blog!! perfectly done.