From e3937ff9106540d6e5f25b9fc87b70ed3bbfdb76 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Wed, 23 Apr 2025 18:21:20 -0600 Subject: [PATCH] Add Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md --- .../Configuring ACME LetsEncrypt Bot.md | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md diff --git a/Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md b/Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md new file mode 100644 index 0000000..4d796c3 --- /dev/null +++ b/Servers/Microsoft Exchange/Configuring ACME LetsEncrypt Bot.md 
@@ -0,0 +1,70 @@ +**Purpose**: If you want to set up automatic Let's Encrypt SSL certificates on a Microsoft Exchange server, you have to go through a few steps to install the WinACME bot, and configure it to automatically renew certificates. + +!!! note "ACME Bot Provisioning Considerations" + This document assumes you want a fully-automated one-liner command for configuring the ACME Bot, it is also completely valid to go step-by-step through the bot to configure the SSL certificate, the IIS server, etc, and it will automatically create a Scheduled Task to renew on its own. The whole process is very straight-forward with most answers being the default option. + +### Download the Win-ACME Bot: + +* Log into the on-premise Exchange Server via Datto RMM +* Navigate to: [https://www.win-acme.com/](https://www.win-acme.com/) + * On the top-right of the website, you will see a "**Download**" button with the most recent version of the Win-ACME bot +* Extract the contents of the ZIP file to "**C:\\Program Files (x86)\\Lets Encrypt**" + * Make the "**Lets Encrypt**" folder if it does not already exist + +### Configure `settings_default.json`: + +* The next step involves us making a modification to the configuration of the Win-ACME bot that allows us to export the necessary private key data for Exchange +* Using a text editor, open the "**settings\_default.json**" file + * Look for the setting called "**PrivateKeyExportable**" and change the value from "**false**" to "**true**" + * Save and close the file + +### Download and Install the SSL Certificate: + +* Open an administrative Command Line (DO NOT USE POWERSHELL) +* Navigate to the Let's Encrypt bot directory: `CD "C:\Program Files (x86)\Lets Encrypt"` +* Invoke the bot to automatically download and install the certificate into the IIS Server that Exchange uses to host the Exchange Server + * Be sure to change the placeholder subdomains to match the domain of the actual Exchange Server + * (e.g. 
"**mail.example.org**" | "**autodiscover.example.org**") + ``` + wacs.exe --target manual --host mail.example.org,autodiscover.example.org --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose + ``` + +* When the command is running, it will ask for an email address for alerts and abuse notifications, just put ["helpdesk@deeptree.tech"](http://%22helpdesk@deeptree.tech%22) as the email address +* If you run into any unexpected errors that result in anything other than exiting with a status "0", consult with Michael Levesque or Nicole Rappe to proceed + * Check that the domain of the Exchange Server is reachable on port 80 as Let's Encrypt uses this to build the cert. + * Searching the external IP of the server on [Shodan](https://www.shodan.io/) will reveal all open ports. 
+ +### Troubleshooting: +If you find that any of the services such as [https://mail.example.org/ecp](https://mail.example.org/ecp), [https://autodiscover.example.org](https://autodiscover.example.org), or [https://mail.example.org/owa](https://mail.example.org/owa) do not let you log in, proceed with the steps below to correct the "Certificate Binding" in IIS Manager + * Open "**Server Manager**" > Tools > "**Internet Information Services (IIS) Manager**" + * Expand the "**Connections**" server tree on the left-hand side of the IIS Manager + * Expand the "**Sites**" folder + * Click on "**Default Web Site**" + * On the right-hand Actions menu, click on "**Bindings...**" + * A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following: + * **Type**: https + * **Host Name**: autodiscover.example.org + * **Port**: 443 + * Double-click on the row, or click one then click the "**Edit**" button to open the settings for that endpoint + * Under "**SSL Certificate**" > Make sure the certificate name matches the following format: "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**" + * If it does not match the above, use the dropdown menu to correct it and click the "**OK**" button + * **Type**: https + * **Host Name**: mail.example.org + * **Port**: 443 + * Repeat the steps seen above, except this time for "**mail.example.org**" + * Click on "**Exchange Back End**" + * On the right-hand Actions menu, click on "**Bindings...**" + * A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following: + * **Type**: https + * **Host Name**: + * **Port**: 444 + * Repeat the steps seen above, ensuring that the "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**" certificate is selected and applied + * Click the "**OK**" button + * On the left-hand menu under "**Connections**" in IIS Manager, click on the server name itself + * (e.g. 
"**EXAMPLE-EXCHANGE (DOMAIN\\dptadmin**") + * On the right-hand "**Actions**" menu > Under "Manage Server" > Select "Restart" + * Wait for the IIS server to restart itself, then try accessing the webpages for Exchange that were exhibiting issues logging in + +### Additional Documentation: + +* [https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/](https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/) \ No newline at end of file
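Review bot: the `settings_default.json` step flips `PrivateKeyExportable` from `false` to `true` without documenting why or what it costs; add a sentence saying that the `ImportExchange.ps1` call needs it (the script is handed `{CacheFile}` and `{CachePassword}`, so the key material is also written outside the certificate store) and that an exportable private key in the machine store can be pulled by any account that can read the certificate, which is why the `--acl-fullcontrol "network service,administrators"` list should stay exactly that short and the bot's cache directory permissions should be reviewed after the first run. Two smaller documentation points in the same hunk: the alert address link is malformed (`["helpdesk@deeptree.tech"](http://%22helpdesk@deeptree.tech%22)` renders as a broken URL; make it plain text or a `mailto:` link), and "DO NOT USE POWERSHELL" states a rule with no reason, so give the reason so readers do not simply work around it. The server-name example in the troubleshooting section is also missing its closing quote: "**EXAMPLE-EXCHANGE (DOMAIN\\dptadmin**" should close the quote before the closing parenthesis.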