
Install FREE Let’s Encrypt certificate in Exchange Server

How do you install a free Let’s Encrypt certificate in Exchange Server? After configuring the internal and external DNS, the next step is to install a trusted certificate on the Exchange Server. What is Let’s Encrypt, and why is it free in the first place? This article shows how to request and install a free Let’s Encrypt certificate on Exchange Server 2016.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated Certificate Authority that issues publicly trusted TLS certificates through the ACME protocol, so you can secure your web server with HTTPS at no charge. The certificates are valid for 90 days and are renewed automatically by the ACME client you install, so after you install and configure the client you have a continually-secured web server. Let’s Encrypt is a nonprofit, and its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. The service is free and easy to use so that everyone can deploy HTTPS.

Exchange Server certificate not trusted

When you install a new Exchange Server, Setup binds a self-signed certificate to the client services. Browsers do not trust that certificate, and it does not carry the public host names, so by default every client connection shows a certificate warning. We are going to log into Outlook Web Access (OWA) to see how this looks.

Firefox shows a Warning: Potential Security Risk Ahead page. Click Advanced… and accept the risk to reach the OWA login page.


The Exchange Server OWA is functioning, but the connection is not trusted. The padlock icon in the address bar shows a warning, and clicking it confirms that the connection is not secure.


Other browsers behave the same way. Internet Explorer, for example, shows a red address bar. Clicking the certificate error in the toolbar reports Mismatched Address: the self-signed certificate was issued for the server name, not for the URL the client typed. The Exchange Server connection is not secure.


We have learned what Let’s Encrypt is and have seen that the Exchange Server connection is not trusted. In the next part, we prepare the ACME client that will request and install the certificate. After that, we request a free Let’s Encrypt certificate.

Prepare the Let’s Encrypt Win-ACME client

Let’s Encrypt publishes a list of third-party ACME clients. We are going to use Windows ACME Simple (WACS, also known as Win-ACME), a simple ACME client for Windows built for use with Let’s Encrypt.

Download Win-ACME from GitHub or from the official website. At the time of writing the file is win-acme.v2.1.7.807.x64.pluggable.zip. Create a folder named Lets Encrypt in C:\Program Files and extract the contents of the .zip file to C:\Program Files\Lets Encrypt.


Win-ACME can be driven from the interactive menu or in unattended mode from the command line. With the command line you don’t have to step through the menus, and the same command can be scripted. Both ways work, and it is good to know both.

Install Let’s Encrypt certificate in Exchange Server

After downloading and extracting the files, we configure the Let’s Encrypt certificate. The next steps show both the interactive menu and the command line.

Install Let’s Encrypt certificate using Interactive Menu

Right-click wacs.exe and click Run as administrator to start the application.

The Win-ACME client window appears. Type M to create a certificate with full options and press Enter.

Type 2 for manual input and press Enter.

Enter a comma-separated list of host names. Look up your Exchange host names and fill them in. Have you configured the Exchange Server host names correctly? Only public DNS names that Let’s Encrypt can reach and validate can go on the certificate; internal names such as EX01-2016 cannot be included. Have a look at the article Exchange namespace design and planning. I recommend keeping the same namespace for the internal DNS and external DNS.

In this example, the host names are mail.exoip.com and autodiscover.exoip.com. Press Enter.

We will not enter anything for the suggested friendly name. Press Enter to continue.

For the HTTP-01 challenge, Let’s Encrypt connects from the Internet to each requested host name on TCP port 80 and fetches a token from /.well-known/acme-challenge/. Port 80 must therefore be allowed inbound through the firewall and forwarded to the Exchange Server before proceeding; the client itself reaches the Let’s Encrypt API outbound over HTTPS. Learn more about network ports for clients and mail flow in Exchange.

If you do not want to open port 80 to the Exchange Server, you can validate over port 443 with option 9, TLS-ALPN-01. That challenge cannot be answered through the HTTP.sys stack that IIS uses; the client needs direct, exclusive control of port 443 while the challenge runs, which means IIS has to be stopped for it to work.

You don’t want to stop IIS every time the Exchange certificate is requested or renewed. That is why we enabled port 80 on the firewall and chose option 2, the HTTP-01 challenge that Win-ACME serves from memory: it registers only the challenge path with HTTP.sys, so it shares port 80 with IIS and IIS keeps running.
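Before requesting the certificate it is worth confirming that the prerequisites just described are in place. The following pre-flight check is an added example and not part of the original article or of Win-ACME: it checks that TCP/80 is listening through HTTP.sys, that the inbound HTTP firewall rule is enabled, that the server can reach the Let’s Encrypt API outbound, and that the host names resolve. The host names are the article’s examples, the firewall rule display name is the one Windows creates when the IIS role is installed, and the ACME endpoint is the Let’s Encrypt production URL.

```powershell
# Added pre-flight check (not from the article). Run in an elevated PowerShell
# session on the Exchange Server before starting wacs.exe.
# Assumptions: host names are the article's examples; the firewall rule name is
# the default created by the IIS role; acme-v02 is the production ACME endpoint.

$hosts   = 'mail.exoip.com', 'autodiscover.exoip.com'
$acmeApi = 'acme-v02.api.letsencrypt.org'

# 1. HTTP-01 arrives inbound on TCP/80. With IIS installed the listener belongs to
#    HTTP.sys (the System process), which is what lets win-acme share the port.
$listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning 'Nothing is listening on TCP/80; check the IIS Default Web Site http binding.'
} else {
    $owner = Get-Process -Id ($listener | Select-Object -First 1).OwningProcess
    "TCP/80 is owned by process '$($owner.ProcessName)' (PID $($owner.Id))"
}

# 2. The Windows Firewall must allow the inbound HTTP traffic (the perimeter
#    firewall must forward it too, which this script cannot see).
$rule = Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)' -ErrorAction SilentlyContinue
if ($rule -and "$($rule.Enabled)" -eq 'True') {
    "Inbound firewall rule '$($rule.DisplayName)' is enabled"
} else {
    Write-Warning 'Inbound HTTP firewall rule is missing or disabled; HTTP-01 validation will fail.'
}

# 3. The ACME client talks to the CA outbound over HTTPS.
$out = Test-NetConnection -ComputerName $acmeApi -Port 443 -WarningAction SilentlyContinue
if ($out.TcpTestSucceeded) {
    "Outbound HTTPS to $acmeApi works"
} else {
    Write-Warning "Cannot reach $acmeApi on TCP/443; wacs.exe cannot request a certificate."
}

# 4. Every requested name must resolve (from the Internet) to the address that is
#    forwarded to this server. Filter to A records in case the name is a CNAME.
foreach ($h in $hosts) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'A'
    if ($a) { "$h -> $($a.IPAddress -join ', ')" } else { Write-Warning "$h does not resolve" }
}
```

Run it once from the server and, ideally, repeat the DNS lookups from a machine outside the network; split-brain DNS can make an internal lookup succeed while Let’s Encrypt still sees the wrong address.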

Type 2 for an RSA key and press Enter.

Choose option 3 to store the certificate in the Windows Certificate Store and press Enter.

Type 3 as we don’t need to store it another way and press Enter.

Select 1 to create or update https bindings in IIS and press Enter.

Type 1 for Default Web Site and press Enter.

Type 2 to start an external script or program and press Enter.

Enter the PowerShell script path ./Scripts/ImportExchange.ps1 and press Enter. The script ships with Win-ACME; you can find it in the Scripts folder of the extracted download.

Add the script parameters, which pass the new certificate to the script together with the Exchange services it should be assigned to: IIS,SMTP,IMAP (comma-separated, no spaces). Press Enter.

We don’t need another installation step. Type 2 and press Enter.

Enter your email and press Enter.

Press n to not open the terms of service and press Enter. We can always have a look at the terms of service by opening the PDF file in File Explorer.

Press y to agree with the terms and press Enter.

The output will show that it’s configuring the Let’s Encrypt certificate.

We don’t want to specify a user for the renewal task. Press n and press Enter. The scheduled task will run as the SYSTEM account.

Type Q and press Enter to exit the Win-ACME application.

The Let’s Encrypt certificate is now configured on Exchange Server 2016.

Install Let’s Encrypt certificate using the Command Line

Run Command Prompt as administrator. Change to the Lets Encrypt folder and run the wacs.exe command with the same target, validation, store, and installation options chosen in the interactive menu. Add --verbose at the end of the command to see what is happening.

After running the command, you will be asked to enter an email and a couple of questions regarding Terms of Service.

  1. Email: Enter your email and press Enter.
  2. Open Terms of Service: Press n to not open the terms of service and press Enter. We can always have a look at the terms of service by opening the PDF file in File Explorer.
  3. Agree with Terms of Service: Press y to agree with the terms and press Enter.
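The command below is an added example of the unattended form of the procedure above; it is not the article’s own command or Win-ACME project code. It assumes Win-ACME 2.1.x extracted to C:\Program Files\Lets Encrypt, the article’s host names, a placeholder e-mail address, and that the positional arguments of ImportExchange.ps1 follow the usage shown in that script’s header comment (check the header of the copy you downloaded before running). The flag names are Win-ACME command-line options.

```powershell
# Added example (not the article's command). Run from an elevated PowerShell
# session on the Exchange Server.
# Assumptions: win-acme 2.1.x in C:\Program Files\Lets Encrypt; host names are
# the article's examples; admin@exoip.com is a placeholder; the positional
# ImportExchange.ps1 arguments follow the script's own header comment.

Set-Location 'C:\Program Files\Lets Encrypt'

# Public Exchange namespace only; internal server names cannot be validated.
$hostNames  = 'mail.exoip.com,autodiscover.exoip.com'
$scriptArgs = "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

$wacsArgs = @(
    '--target',             'manual',
    '--host',               $hostNames,
    '--validation',         'selfhosting',            # http-01 served via HTTP.sys on TCP/80; IIS keeps running
    '--store',              'certificatestore',
    '--certificatestore',   'My',                     # Local Machine\Personal, where Exchange looks
    '--installation',       'iis,script',
    '--installationsiteid', '1',                      # Default Web Site https binding
    '--script',             './Scripts/ImportExchange.ps1',
    '--scriptparameters',   $scriptArgs,
    '--verbose'
)

# Rehearsal: --test switches to the Let's Encrypt staging environment, so a DNS
# or firewall mistake does not count against production rate limits.
# & .\wacs.exe @wacsArgs --test

# Production run. Without --emailaddress and --accepttos, wacs.exe asks the
# three questions listed above; supplying them makes the first run unattended.
& .\wacs.exe @wacsArgs --emailaddress 'admin@exoip.com' --accepttos
if ($LASTEXITCODE -ne 0) { throw "wacs.exe failed with exit code $LASTEXITCODE" }

# On success win-acme registers a scheduled task. The same renewal logic can be
# triggered by hand to rehearse renewal instead of waiting for it:
# & .\wacs.exe --renew --verbose
```

Run the staging variant first and only then the production command; Let’s Encrypt rate-limits repeated failed and duplicate issuance against the same names.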

Have a look below to see the full output after accepting the Terms of Service.

Win-ACME successfully obtained the Let’s Encrypt certificate for Exchange Server and assigned it to the Exchange services IIS, SMTP, and IMAP.
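A quick sanity check that the certificate landed where Exchange expects it, as an added example that is not part of the original article: it finds the newest Let’s Encrypt certificate for the public name in the Exchange certificate store, compares its assigned services with the ones requested, confirms that IIS actually serves it on TCP/443 (the binding, not just the store), and lists the renewal task. It assumes the article’s host name, that the Win-ACME scheduled task name starts with win-acme, and that it is run in the Exchange Management Shell on the server itself.

```powershell
# Added verification (not from the article). Run in the Exchange Management Shell
# on the server that received the certificate.
# Assumptions: mail.exoip.com is the article's example name; the win-acme task
# name starts with "win-acme"; IIS listens on TCP/443 locally.

$publicName = 'mail.exoip.com'
$required   = 'IIS', 'SMTP', 'IMAP'

# 1. Newest Let's Encrypt certificate covering the public name.
$cert = Get-ExchangeCertificate |
    Where-Object {
        @($_.CertificateDomains | ForEach-Object ToString) -contains $publicName -and
        $_.Issuer -like "*Let's Encrypt*"
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No Let's Encrypt certificate for $publicName in the Exchange certificate store" }

# 2. Services is a flags value rendered like "IMAP, SMTP, IIS"; split it to compare.
$bound    = $cert.Services.ToString() -split ',\s*'
$missing  = $required | Where-Object { $_ -notin $bound }
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Services   : $($cert.Services)"
"Expires    : $($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days left of the 90-day lifetime)"
if ($missing)        { Write-Warning "Certificate is not assigned to: $($missing -join ', ')" }
if ($daysLeft -lt 30) { Write-Warning 'Renewal is due; check the scheduled task below.' }

# 3. Confirm IIS serves this certificate on 443. Connect to localhost but send the
#    public name as SNI; accept any chain because the thumbprint compare is the check.
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($publicName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -eq $cert.Thumbprint) {
        "IIS serves the Let's Encrypt certificate on TCP/443"
    } else {
        Write-Warning "IIS still serves $($served.Subject) ($($served.Thumbprint)); check the https binding or run iisreset."
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 4. The renewal task created by win-acme; it should run as SYSTEM.
Get-ScheduledTask -TaskName 'win-acme*' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

The self-signed certificate keeps its SMTP assignment after this, which is expected: Exchange does not remove SMTP from older certificates, and picks the certificate for a connection by matching the connector FQDN against the certificate names.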

In the next article, we will verify the Let’s Encrypt configuration on Exchange Server. Keep reading on how to Check Let’s Encrypt certificate.

Did it help you to install Let’s Encrypt certificate in Exchange Server?

Conclusion

In this article, you learned how to install a free Let’s Encrypt certificate in Exchange Server. Design and configure the Exchange 2016 namespace before requesting the certificate, because only public host names can be validated. Don’t forget to allow inbound port 80 on the firewall; without it Let’s Encrypt cannot validate the host names and will not issue a certificate. If you enjoyed this article, you may also like Get Exchange certificate with PowerShell. Don’t forget to follow us.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Connect with ALI TAJRAN on social media. Read more »

This Post Has 9 Comments

  1. Excellent article work like a charm !
    Thank you very much !

    How do you do same thing with DAG, how can we use and install same certificate on other members ?
    I heard too that using the interactive mode for Exchange was not a good idea regarding rights when installing a CU. Do you confirm?

    Regards.

    1. You are welcome. I am glad that it worked.

      At the moment, you have to manually export and import the certificate on another Exchange Server.

      When I do have time, I will write a script to automate the process. This way, it will download the Let’s Encrypt certificate and assign it to all the Exchange Servers that you set up in the configuration.

      For now, you can find more interesting articles about certificates over here.

  2. I just looked up your mail server and it is no longer certified with lets encrypt. It is currently on self signed certificate. Could you let us know what went wrong so we could learn from it and perhaps fix it.

    1. I do a lot of building and testing in the environment. After setting up a new Exchange Server, I did not configure Let’s Encrypt on it. That’s why you see the self-signed certificate. I just followed the article, and Let’s Encrypt is configured again. Have a look at yourself.

  3. Bravo!! Well done!! I have never seen such a precise article with screenshots. Easily done in no time.
    God bless you!! Thank you so much!! I did it for Exchange 2013 with no issue. I had to restart IIS since I was not able to log in to EAC; it was stuck in a login loop.

    Great blog!! perfectly done.
