Add Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md
This commit is contained in:
@ -0,0 +1,70 @@
|
||||
**Purpose**: If you want to set up automatic Let's Encrypt SSL certificates on a Microsoft Exchange server, you have to go through a few steps to install the WinACME bot, and configure it to automatically renew certificates.
|
||||
|
||||
!!! note "ACME Bot Provisioning Considerations"
|
||||
This document assumes you want a fully-automated one-liner command for configuring the ACME Bot, it is also completely valid to go step-by-step through the bot to configure the SSL certificate, the IIS server, etc, and it will automatically create a Scheduled Task to renew on its own. The whole process is very straight-forward with most answers being the default option.
|
||||
|
||||
### Download the Win-ACME Bot:
|
||||
|
||||
* Log into the on-premise Exchange Server via Datto RMM
|
||||
* Navigate to: [https://www.win-acme.com/](https://www.win-acme.com/)
|
||||
* On the top-right of the website, you will see a "**Download**" button with the most recent version of the Win-ACME bot
|
||||
* Extract the contents of the ZIP file to "**C:\\Program Files (x86)\\Lets Encrypt**"
|
||||
* Make the "**Lets Encrypt**" folder if it does not already exist
|
||||
|
||||
### Configure `settings_default.json`:
|
||||
|
||||
* The next step involves us making a modification to the configuration of the Win-ACME bot that allows us to export the necessary private key data for Exchange
|
||||
* Using a text editor, open the "**settings\_default.json**" file
|
||||
* Look for the setting called "**PrivateKeyExportable**" and change the value from "**false**" to "**true**"
|
||||
* Save and close the file
|
||||
|
||||
### Download and Install the SSL Certificate:
|
||||
|
||||
* Open an administrative Command Line (DO NOT USE POWERSHELL)
|
||||
* Navigate to the Let's Encrypt bot directory: `CD "C:\Program Files (x86)\Lets Encrypt"`
|
||||
* Invoke the bot to automatically download and install the certificate into the IIS Server that Exchange uses to host the Exchange Server
|
||||
* Be sure to change the placeholder subdomains to match the domain of the actual Exchange Server
|
||||
* (e.g. "**mail.example.org**" | "**autodiscover.example.org**")
|
||||
```
|
||||
wacs.exe --target manual --host mail.example.org,autodiscover.example.org --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
|
||||
```
|
||||
|
||||
* When the command is running, it will ask for an email address for alerts and abuse notifications, just put ["helpdesk@deeptree.tech"](http://%22helpdesk@deeptree.tech%22) as the email address
|
||||
* If you run into any unexpected errors that result in anything other than exiting with a status "0", consult with Michael Levesque or Nicole Rappe to proceed
|
||||
* Check that the domain of the Exchange Server is reachable on port 80 as Let's Encrypt uses this to build the cert.
|
||||
* Searching the external IP of the server on [Shodan](https://www.shodan.io/) will reveal all open ports.
|
||||
|
||||
### Troubleshooting:
|
||||
If you find that any of the services such as [https://mail.example.org/ecp](https://mail.example.org/ecp), [https://autodiscover.example.org](https://autodiscover.example.org), or [https://mail.example.org/owa](https://mail.example.org/owa) do not let you log in, proceed with the steps below to correct the "Certificate Binding" in IIS Manager
|
||||
* Open "**Server Manager**" > Tools > "**Internet Information Services (IIS) Manager**"
|
||||
* Expand the "**Connections**" server tree on the left-hand side of the IIS Manager
|
||||
* Expand the "**Sites**" folder
|
||||
* Click on "**Default Web Site**"
|
||||
* On the right-hand Actions menu, click on "**Bindings...**"
|
||||
* A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
|
||||
* **Type**: https
|
||||
* **Host Name**: autodiscover.example.org
|
||||
* **Port**: 443
|
||||
* Double-click on the row, or click one then click the "**Edit**" button to open the settings for that endpoint
|
||||
* Under "**SSL Certificate**" > Make sure the certificate name matches the following format: "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**"
|
||||
* If it does not match the above, use the dropdown menu to correct it and click the "**OK**" button
|
||||
* **Type**: https
|
||||
* **Host Name**: mail.example.org
|
||||
* **Port**: 443
|
||||
* Repeat the steps seen above, except this time for "**mail.example.org**"
|
||||
* Click on "**Exchange Back End**"
|
||||
* On the right-hand Actions menu, click on "**Bindings...**"
|
||||
* A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
|
||||
* **Type**: https
|
||||
* **Host Name**: <blank>
|
||||
* **Port**: 444
|
||||
* Repeat the steps seen above, ensuring that the "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**" certificate is selected and applied
|
||||
* Click the "**OK**" button
|
||||
* On the left-hand menu under "**Connections**" in IIS Manager, click on the server name itself
|
||||
* (e.g. "**EXAMPLE-EXCHANGE (DOMAIN\\dptadmin**")
|
||||
* On the right-hand "**Actions**" menu > Under "Manage Server" > Select "Restart"
|
||||
* Wait for the IIS server to restart itself, then try accessing the webpages for Exchange that were exhibiting issues logging in
|
||||
|
||||
### Additional Documentation:
|
||||
|
||||
* [https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/](https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/)
|
||||
Reference in New Issue
Block a user