
Install FREE Let’s Encrypt certificate in Exchange Server

How do you install a FREE Let’s Encrypt certificate in Exchange Server? After configuring the internal and external DNS, we want to install a certificate in the Exchange Server. What is Let’s Encrypt, and why is it free in the first place? Read more in this article about configuring a Let’s Encrypt certificate in Exchange Server 2016.

What is Let’s Encrypt?

Let’s Encrypt is a free way to secure your web server using HTTPS with an SSL certificate. It ensures secure encrypted data transfer and connection between server and client. Let’s Encrypt does not charge a fee for the certificates. Let’s Encrypt is a nonprofit, and its mission is to create a more secure and privacy-respecting Web. They do that by promoting the widespread adoption of HTTPS. The services are free and easy to use so that everyone can deploy HTTPS.

Exchange Server certificate not trusted

After a fresh Exchange Server installation, client connections are not trusted by default. We will log in to Outlook Web Access (OWA) to see how that shows.

In Firefox, it shows the warning Potential Security Risk Ahead. Click Advanced… and proceed to see the OWA login page.

[Screenshot: Firefox warning Potential Security Risk Ahead]

The Exchange Server OWA is functioning, but it’s not secure. The padlock icon shows a warning. If we click the padlock in the address bar, we can see that the connection is not secure.

[Screenshot: padlock in the address bar showing connection not secure]

The same happens in all other browsers. For example, Internet Explorer shows a red address bar. When clicking on the certificate in the toolbar, it shows that the certificate has a mismatched address. The Exchange Server connection is not secure.

[Screenshot: Internet Explorer certificate error, mismatched address]

We learned about Let’s Encrypt, and we have seen that the Exchange Server connection is not secure. In the next part, we are going to prepare the application to configure the certificate. After that, we will request a free Let’s Encrypt certificate.

Prepare the Let’s Encrypt Win-ACME client

There is a list of ACME clients offered by third parties. We are going to use Windows ACME Simple (WACS), a simple ACME client for Windows for use with Let’s Encrypt. It will automatically renew your certificates, so after you install and configure it, you’ll have a continually secured web server.

Download Win-ACME from GitHub or the official website. At the moment of writing, the file is win-acme.v2.1.7.807.x64.pluggable.zip. Create a folder named Lets Encrypt in C:\Program Files. Extract the files in the .zip to the folder C:\Program Files\Lets Encrypt.

[Screenshot: extracted Win-ACME files in C:\Program Files\Lets Encrypt]

You can use Win-ACME from the interactive menu or unattended mode (command line). With the command line, you don’t have to jump through the menus. Both will work, and it’s good to learn both ways.

Install Let’s Encrypt certificate in Exchange Server

After downloading and extracting the files, we are going to configure the Let’s Encrypt certificate. We will show both the interactive menu and the command line in the next steps.

Install Let’s Encrypt certificate using Interactive Menu

Right-click the wacs application and click Run as administrator to start it.

The Win-ACME client window will show up. Type M to create a renewal (full options) and press Enter.

 A simple Windows ACMEv2 client (WACS)
 Software version 2.1.7.807 (RELEASE, PLUGGABLE)
 ACME server https://acme-v02.api.letsencrypt.org/
 IIS version 10.0
 Running with administrator credentials
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme

 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: M

Type 2 for manual input and press Enter.

Running in mode: Interactive, Advanced

  Please specify how the list of domain names that will be included in the
  certificate should be determined. If you choose for one of the "all bindings"
  options, the list will automatically be updated for future renewals to
  reflect the bindings at that time.

 1: IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: 2

Enter a comma-separated list of hostnames. Have a look at your Exchange hostnames and fill them in. Make sure the Exchange Server hostnames are configured correctly: there should be no internal names, for example, EX01-2016. Have a look at the article Exchange namespace design and planning. I recommend keeping the same namespace for the internal DNS and external DNS.

In my example, I will be using mail.exoip.com and autodiscover.exoip.com. After that, press Enter.

Enter comma-separated list of host names, starting with the common name: mail.exoip.com,autodiscover.exoip.com

We will not enter anything for the suggested friendly name. Press Enter to continue.

Target generated using plugin Manual: mail.exoip.com and 1 alternatives

 Suggested friendly name '[Manual] mail.exoip.com', press <ENTER> to accept or type an alternative:

For the http-01 challenge (option 2), Let’s Encrypt must be able to reach the Exchange Server on port 80 through the firewall. If you don’t have port 80 open, do that before proceeding. Learn more about network ports for clients and mail flow in Exchange.

Port 80 is not strictly required on the Exchange Server: option 9, tls-alpn-01, validates over port 443 instead. That challenge cannot be answered through the HTTP stack; win-acme needs direct, exclusive control over port 443, which means IIS has to be stopped for the validation to work.

You don’t want to stop IIS every time the Exchange certificate is requested or renewed. That’s why we enabled port 80 in the firewall and chose option 2.

The ACME server will need to verify that you are the owner of the domain
  names that you are requesting the certificate for. This happens both during
  initial setup *and* for every future renewal. There are two main methods of
  doing so: answering specific http requests (http-01) or create specific dns
  records (dns-01). For wildcard domains the latter is the only option. Various
  additional plugins are available from https://github.com/win-acme/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s)?: 2
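As an added pre-flight check (not part of win-acme or this article), the following PowerShell script, run on the Exchange Server, verifies what the http-01 challenge with option 2 depends on: each hostname resolves in public DNS, an enabled inbound firewall rule allows TCP 80, and port 80 is owned by http.sys (IIS) rather than another process. The hostnames are the article’s example names; the variable names are the script’s own.

```powershell
# Added pre-flight check for win-acme http-01 validation (option 2, serve from memory).
# Not part of win-acme or the original article. Run as administrator on the Exchange Server.
$HostNames      = @('mail.exoip.com', 'autodiscover.exoip.com')   # article's example names
$PublicResolver = '8.8.8.8'   # win-acme itself adds 8.8.8.8 / 1.1.1.1 as DNS servers for its checks

$problems = @()

# 1. Public DNS: Let's Encrypt resolves each name itself, so ask a public resolver, not AD DNS.
foreach ($name in $HostNames) {
    try {
        $a = Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { $problems += "$name has no public A record" }
        else { Write-Host ("{0} -> {1}" -f $name, ($a.IPAddress -join ', ')) }
    } catch {
        $problems += "$name does not resolve via ${PublicResolver}: $($_.Exception.Message)"
    }
}

# 2. Windows Firewall: an enabled inbound Allow rule that covers TCP port 80.
#    (Port ranges such as '80-443' are not matched here; extend if you use them.)
$port80Rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP') -and (($pf.LocalPort -contains '80') -or ($pf.LocalPort -contains 'Any'))
    }
if (-not $port80Rules) {
    $problems += 'No enabled inbound firewall rule allows TCP 80 (needed for http-01)'
} else {
    Write-Host "Inbound TCP 80 allowed by: $($port80Rules.DisplayName -join ', ')"
}

# 3. The in-memory challenge listener shares port 80 through http.sys (PID 4, 'System').
#    Any other process owning port 80 exclusively would stop win-acme from answering.
$listener80 = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener80) {
    $owner = (Get-Process -Id $listener80.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host "Port 80 listener owned by process: $owner (PID $($listener80.OwningProcess))"
    if ($owner -and $owner -ne 'System') {
        $problems += "Port 80 is owned by '$owner', not http.sys; the SelfHosting plugin may fail to bind"
    }
}

if ($problems) {
    Write-Warning 'Pre-flight problems found:'
    $problems | ForEach-Object { Write-Warning " - $_" }
    exit 1
}
Write-Host 'Pre-flight OK: ready for http-01 validation on port 80.'
```

The script only checks the server side; a firewall or NAT device in front of the server still has to forward port 80 to it.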

Type 2 for RSA key and press Enter.

  After ownership of the domain(s) has been proven, we will create a
  Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
  determines properties of the certificate like which (type of) key to use. If
  you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?: 2

Choose option 3 to store the certificate in the Windows Certificate Store and press Enter.

 When we have the certificate, you can store in one or more ways to make it
  accessible to your applications. The Windows Certificate Store is the default
  location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: Windows Certificate Store
 4: No (additional) store steps

 How would you like to store the certificate?: 3

Type 3 as we don’t need to store it another way and press Enter.

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: No (additional) store steps

 Would you like to store it in another way too?: 3

Select 1 to create or update https bindings in IIS and press Enter.

With the certificate saved to the store(s) of your choice, you may choose one
  or more steps to update your applications, e.g. to configure the new
  thumbprint, or to update bindings.

 1: Create or update https bindings in IIS
 2: Create or update ftps bindings in IIS
 3: Start external script or program
 4: No (additional) installation steps

 Which installation step should run first?: 1

Type 1 for Default Web Site and press Enter.

 1: Default Web Site
 2: Exchange Back End

 Choose site to create new bindings: 1

Type 2 to start an external script or program and press Enter.

 1: Create or update ftps bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Add another installation step?: 2

Add the PowerShell script path ./Scripts/ImportExchange.ps1 and press Enter. The Win-ACME download includes this script; have a look in the Scripts folder.

 Full instructions:  https://www.win-acme.com/reference/plugins/installation/script

 Enter the path to the script that you want to run after renewal: ./Scripts/ImportExchange.ps1

Add the following parameters: the certificate thumbprint, the services IIS, SMTP, and IMAP, the value 1 (LeaveOldExchangeCerts, which leaves the existing Exchange certificates in place instead of removing them), and the cache file, cache password, and friendly name. Press Enter.

 {CertCommonName}:    Common name (primary domain name)
 {CachePassword}:     .pfx password
 {CacheFile}:         .pfx full path
 {CertFriendlyName}:  Certificate friendly name
 {CertThumbprint}:    Certificate thumbprint
 {StoreType}:         Type of store (CentralSsl/CertificateStore/PemFiles)
 {StorePath}:         Path to the store
 {RenewalId}:         Renewal identifier

 Enter the parameter format string for the script, e.g. "--hostname {CertCommonName}": '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

We don’t need to add another installation step. Type 2 and press Enter.

 1: Create or update ftps bindings in IIS
 2: No (additional) installation steps

 Add another installation step?: 2

Enter your email and press Enter.

 Enter email(s) for notifications about problems and abuse (comma seperated): info@alitajran.com

Press n to not open the terms of service and press Enter. We can always look at the terms of service by opening the PDF file in File Explorer.

Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Open in default application? (y/n*) n

Press y to agree with the terms and press Enter.

Do you agree with the terms? (y*/n) y

The output shows the Let’s Encrypt certificate being requested, stored, and installed.

 Authorize identifier autodiscover.exoip.com
 Authorizing autodiscover.exoip.com using http-01 validation (SelfHosting)
 Authorization result: valid
 Authorize identifier mail.exoip.com
 Authorizing mail.exoip.com using http-01 validation (SelfHosting)
 Authorization result: valid
 Requesting certificate [Manual] mail.exoip.com
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] mail.exoip.com @ 2020/5/24 21:32:31 to store WebHosting
 Installation step 1/2: IIS...
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 No bindings have been changed
 Installation step 2/2: Script...
 Script C:\Program Files\Lets Encrypt\Scripts\ImportExchange.ps1 starting with parameters 'F9028D2813D9FFA48CAFD7968955844BB7A8AD0B' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\QhaVTHo0PUmJk1Pnz2PgwQ-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx' 'dDGEM7Fsu68WaKWjT7bWhK6Q8A2QNEEqgLBiQoWymlE=' '[Manual] mail.exoip.com @ 2020/5/24 21:32:31'
 Script finished
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\Lets Encrypt
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Time limit 02:00:00

We don’t want to specify a user for the task to run. Press n and press Enter. The SYSTEM user account will be used to run the task.

Do you want to specify the user the task will run as? (y/n*) - n

 Adding renewal for [Manual] mail.exoip.com
 Next renewal scheduled at 2020-7-18 21:32:18

Type Q and press Enter to exit the Let’s Encrypt Win-ACME application.

 N: Create renewal (default settings)
 M: Create renewal (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

 Please choose from the menu: Q

The Let’s Encrypt certificate is now configured in Exchange Server 2016.

Install Let’s Encrypt certificate using the Command Line

Run Command Prompt as administrator. Change directory to the Lets Encrypt folder and run the command. Add --verbose at the end of the command to see what is happening.

C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose

After running the command, you will be asked to enter an email and a couple of questions regarding Terms of Service.

  1. Email: Enter your email and press Enter.
  2. Open Terms of Service: Press n to not open the terms of service and press Enter. We can always look at the terms of service by opening the PDF file in File Explorer.
  3. Agree with Terms of Service: Press y to agree with the terms and press Enter.

Have a look below to see the full output after accepting the Terms of Service.

C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
 [VERB] Verbose mode logging enabled
 [VERB] Looking for settings.json in C:\Program Files\Lets Encrypt
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [VERB] Arguments: --target manual --host mail.exoip.com,autodiscover.exoip.com --certificatestore My --acl-fullcontrol network service,administrators --installation iis,script --installationsiteid 1 --script ./Scripts/ImportExchange.ps1 --scriptparameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}' --verbose
 [DBUG] Renewal period: 55 days
 [VERB] Sending e-mails False

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.7.807 (RELEASE, PLUGGABLE)
 [INFO] ACME server https://acme-v02.api.letsencrypt.org/
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Connection OK!
 [INFO] IIS version 10.0
 [INFO] Running with administrator credentials
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Test for international support: 語言 язык لغة
 [INFO] Running in mode: Unattended
 [VERB] Adding 8.8.8.8 as DNS server
 [VERB] Adding 1.1.1.1 as DNS server
 [VERB] Adding 8.8.4.4 as DNS server
 [INFO] Target generated using plugin Manual: mail.exoip.com and 1 alternatives

 [VERB] Targeted convert into 1 order(s)
 [VERB] Checking [Manual] mail.exoip.com
 [VERB] Handle order 1/1: Main
 [VERB] Creating order for hosts: ["mail.exoip.com", "autodiscover.exoip.com"]
 [VERB] Loading ACME account signer...
 [VERB] Constructing ACME protocol client...
 [DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] Request completed with status OK

 Enter email(s) for notifications about problems and abuse (comma seperated): info@exoip.com

 [DBUG] Send GET request to https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
 [VERB] Request completed with status OK
 Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Open in default application? (y/n*)  - no

 Do you agree with the terms? (y*/n)  - yes

 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct
 [VERB] Request completed with status Created
 [DBUG] Saving account
 [DBUG] Saving signer to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
 [VERB] Request completed with status Created
 [VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/88066085/3646157898 created
 [VERB] Handle authorization 1/2
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5040033653
 [VERB] Request completed with status OK
 [INFO] Authorize identifier autodiscover.exoip.com
 [VERB] Initial authorization status: pending
 [VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] Initial challenge status: pending
 [INFO] Authorizing autodiscover.exoip.com using http-01 validation (SelfHosting)
 [DBUG] Submitting challenge answer
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033653/LpXdOA
 [VERB] Request completed with status OK
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/mp8PxSDe067Ihd40jYqR8USYpKqTAFIKIs5Vhbnf8cc
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033653/LpXdOA
 [VERB] Request completed with status OK
 [INFO] Authorization result: valid
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [VERB] Handle authorization 2/2
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5040033654
 [VERB] Request completed with status OK
 [INFO] Authorize identifier mail.exoip.com
 [VERB] Initial authorization status: pending
 [VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] Initial challenge status: pending
 [INFO] Authorizing mail.exoip.com using http-01 validation (SelfHosting)
 [DBUG] Submitting challenge answer
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033654/o9LzXg
 [VERB] Request completed with status OK
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/dtIu9d-3a4I4on85UffTdwsV3PLTc-TTsTykanNquvs
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5040033654/o9LzXg
 [VERB] Request completed with status OK
 [INFO] Authorization result: valid
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [DBUG] CSR stored at iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-csr.pem in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [VERB] Submitting CSR
 [DBUG] Waiting for order to get ready (1/15)
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/order/88066085/3646157898
 [VERB] Request completed with status OK
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/88066085/3646157898
 [VERB] Request completed with status OK
 [INFO] Requesting certificate [Manual] mail.exoip.com
 [DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/cert/036e55bc8fe5402aaa58bd9b48ad80ec5276
 [VERB] Request completed with status OK
 [DBUG] Certificate written to cache file iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates. It will be reused when renewing within 1 day(s) as long as the Target and Csr parameters remain the same and the --force switch is not used.
 [DBUG] Certificate store: My
 [INFO] Store with CertificateStore...
 [INFO] Installing certificate in the certificate store
 [DBUG] Opened certificate store My
 [INFO] Adding certificate [Manual] mail.exoip.com @ 2020/6/5 19:21:26 to store My
 [VERB] CN=mail.exoip.com - CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US (0C4C00B76EB7DB236573BF79258888D32C9B753D)
 [DBUG] Closing certificate store
 [VERB] Private key found at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8592b1c3eb2a87fc0ab7e596d486626b_78e30ce3-4e01-442d-9d65-5b07d94408f1
 [INFO] Add full control rights for network service
 [INFO] Add full control rights for administrators
 [VERB] CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US - CN=DST Root CA X3, O=Digital Signature Trust Co. (E6A3B45B062D509B3382282D196EFE97D5956CCB) to store CA
 [DBUG] Closing store CA
 [INFO] Installation step 1/2: IIS...
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [WARN] No bindings have been changed
 [INFO] Installation step 2/2: Script...
 [INFO] Script ./Scripts/ImportExchange.ps1 starting with parameters '0C4C00B76EB7DB236573BF79258888D32C9B753D' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx' 'RMsWi3SSvlqi8gYIiqb4bw+jLwA+fn2ShwyedkWcaXo=' '[Manual] mail.exoip.com @ 2020/6/5 19:21:26'
 [DBUG] Process launched: powershell.exe (ID: 7476)
 [VERB] NewCertThumbprint: 0C4C00B76EB7DB236573BF79258888D32C9B753D
 [VERB] ExchangeServices: IIS,SMTP,IMAP
 [VERB] LeaveOldExchangeCerts: 1
 [VERB] RenewalId:
 [VERB] CacheFile: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\iedrTUcrmk61i0WL5uFjvA-99d3fed7de9d8bb948217a2f8719e17c00c10ddf-temp.pfx
 [VERB] FriendlyName: [Manual] mail.exoip.com @ 2020/6/5 19:21:26
 [VERB] Searching for Exchange snapin...
 [VERB] Waiting for process to finish...
 [VERB] Waiting for process to finish...
 [VERB] Microsoft.Exchange.Management.PowerShell.E2010
 [VERB] Microsoft.Exchange.Management.PowerShell.SnapIn
 [VERB] Checking if certificate can be found in the right store...
 [VERB] Updating Exchange services...
 [VERB] Waiting for process to finish...
 [VERB] Waiting for process to finish...
 [VERB] Certificate set for the following services: IIS,SMTP,IMAP
 [VERB] Process output without data received
 [VERB] Process error without data received
 [INFO] Script finished
 [VERB] Waiting for process to finish...
 [INFO] Adding Task Scheduler entry with the following settings
 [INFO] - Name win-acme renew (acme-v02.api.letsencrypt.org)
 [INFO] - Path C:\Program Files\Lets Encrypt
 [INFO] - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 [INFO] - Start at 09:00:00
 [INFO] - Time limit 02:00:00
 [DBUG] Creating task to run as system user
 [INFO] Adding renewal for [Manual] mail.exoip.com
 [INFO] Next renewal scheduled at 2020/7/30 19:20:31
 [INFO] Certificate [Manual] mail.exoip.com created
 [VERB] Exiting with status code 0

Win-ACME successfully downloaded the Let’s Encrypt certificate for Exchange Server. It also bound it correctly to the Exchange services IIS, SMTP, and IMAP.
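As an added verification step (not part of win-acme or this article’s own procedure), the following PowerShell script, run in the Exchange Management Shell, checks that the Let’s Encrypt certificate covers both hostnames, is enabled for IIS, SMTP, and IMAP, still has enough validity left, and that the renewal task shown in the output above exists. The hostnames and the task name are taken from the article; the variable names are the script’s own.

```powershell
# Added post-install check for the Let's Encrypt certificate on Exchange.
# Not part of win-acme or the original article. Run in the Exchange Management Shell.
$ExpectedNames    = @('mail.exoip.com', 'autodiscover.exoip.com')      # article's example names
$ExpectedServices = @('IIS', 'SMTP', 'IMAP')                            # as passed to ImportExchange.ps1
$MinDaysLeft      = 30     # certificates are valid 90 days; win-acme renews after 55 (see verbose output)
$TaskName         = 'win-acme renew (acme-v02.api.letsencrypt.org)'   # task name from the output

$problems = @()

# Newest certificate issued by Let's Encrypt that Exchange knows about (match on Issuer, not friendly name).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    $problems += "No certificate issued by Let's Encrypt found with Get-ExchangeCertificate"
} else {
    Write-Host "Checking $($cert.Thumbprint) ($($cert.FriendlyName)), expires $($cert.NotAfter)"

    # Every namespace hostname must appear in the SAN list (CertificateDomains).
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in $ExpectedNames) {
        if ($domains -notcontains $name) { $problems += "Certificate does not cover $name" }
    }

    # Services is a flags value rendered like 'IMAP, IIS, SMTP'; check each expected service.
    $bound = $cert.Services.ToString() -split ',\s*'
    foreach ($svc in $ExpectedServices) {
        if ($bound -notcontains $svc) { $problems += "Certificate is not enabled for $svc" }
    }

    # Without the private key, IIS and SMTP cannot actually use the certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) {
        $problems += "Only $daysLeft day(s) of validity left; renewal has not run"
    }
}

# Renewal only keeps working while the scheduled task win-acme created still exists and is enabled.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $problems += "Scheduled task '$TaskName' not found; automatic renewal will not happen"
} elseif ($task.State -eq 'Disabled') {
    $problems += "Scheduled task '$TaskName' is disabled"
} else {
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    Write-Host "Renewal task present, last run $($info.LastRunTime), last result $($info.LastTaskResult)"
}

if ($problems) {
    Write-Warning 'Certificate check failed:'
    $problems | ForEach-Object { Write-Warning " - $_" }
} else {
    Write-Host "Let's Encrypt certificate is correctly installed and bound to $($ExpectedServices -join ', ')."
}
```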

In the next article, we will verify the Let’s Encrypt configuration on Exchange Server. Keep reading on how to Check Let’s Encrypt certificate.

Did it help you to install Let’s Encrypt certificate in Exchange Server?

Conclusion

In this article, you learned how to install a FREE Let’s Encrypt certificate in Exchange Server. Design and configure the Exchange 2016 namespace before installing the Let’s Encrypt certificate. Don’t forget to enable port 80 on the firewall. If you don’t, Let’s Encrypt can’t reach the server to validate the domain and issue a certificate.

Did you enjoy this article? You may also like Get Exchange certificate with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 18 Comments

  1. Thanks a lot brother. Worked as expected. Used the cli method and it was very quick. Had to restart IIS to connect to ECP as it was not allowing me login to Exchange Admin Center.

  2. Hello,
    I installed the certificate exactly as you did in the description. I added outlook.domain.com and autodiscover.domain.com as host names (these also exist as DNS entries at my domain hoster).
    Win-ACME says everything is fine, and I can also find the certificate in Exchange, but Exchange says that my Let’s Encrypt certificate is invalid?

    can you please help me?

    thanks

  3. Hi, Good morning. I just tried using both methods but it failed to create the certificate. See my error code. This is just for testing.

    .\wacs.exe --target manual --host mail.redacted.com.com,autodiscover.redacted.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose

  4. Great article! I have a couple of questions.

    Does this work with Exchange 2010, too?

    Will this cause problems on clients, like every 3 months the need to load the new certificate in Outlook?

      1. Yeah I know about end-of-life, but I found Exchange 2010 already installed on a customer’s server and they don’t want to change server for the time being, so I’m trying to make it work as best as possible.

  5. Excellent article, works like a charm!
    Thank you very much!

    How do you do the same thing with a DAG? How can we use and install the same certificate on other members?
    I also heard that using the interactive mode for Exchange was not a good idea regarding rights when installing a CU. Do you confirm?

    Regards.

    1. You are welcome. I am glad that it worked.

      At the moment, you have to manually export and import the certificate on another Exchange Server.

      When I do have time, I will write a script to automate the process. This way, it will download the Let’s Encrypt certificate and assign it to all the Exchange Servers that you set up in the configuration.

      For now, you can find more interesting articles about certificates over here.

  6. I just looked up your mail server, and it is no longer certified with Let’s Encrypt. It is currently on a self-signed certificate. Could you let us know what went wrong so we could learn from it and perhaps fix it?

    1. I do a lot of building and testing in the environment. After setting up a new Exchange Server, I did not configure Let’s Encrypt on it. That’s why you see the self-signed certificate. I just followed the article, and Let’s Encrypt is configured again. Have a look at yourself.

  7. Bravo!! Well done!! I have never seen such a precise article with screenshots. Easily done in no time.
    God bless you!! Thank you so much!! I did it for Exchange 2013 with no issue. I had to restart IIS since I was not able to log in to EAC; it was stuck in a login loop.

    Great blog!! Perfectly done.
