**Purpose**: If you want to set up automatic Let's Encrypt SSL certificates on a Microsoft Exchange server, you have to go through a few steps to install the WinACME bot, and configure it to automatically renew certificates.

!!! note "ACME Bot Provisioning Considerations"
    This document assumes you want a fully-automated one-liner command for configuring the ACME Bot, it is also completely valid to go step-by-step through the bot to configure the SSL certificate, the IIS server, etc, and it will automatically create a Scheduled Task to renew on its own.  The whole process is very straight-forward with most answers being the default option.

### Download the Win-ACME Bot:

*   Log into the on-premise Exchange Server via Datto RMM
*   Navigate to: [https://www.win-acme.com/](https://www.win-acme.com/)
    *   On the top-right of the website, you will see a "**Download**" button with the most recent version of the Win-ACME bot
*   Extract the contents of the ZIP file to "**C:\\Program Files (x86)\\Lets Encrypt**"
    *   Make the "**Lets Encrypt**" folder if it does not already exist

### Configure `settings_default.json`:

*   The next step involves us making a modification to the configuration of the Win-ACME bot that allows us to export the necessary private key data for Exchange
*   Using a text editor, open the "**settings\_default.json**" file
    *   Look for the setting called "**PrivateKeyExportable**" and change the value from "**false**" to "**true**"
    *   Save and close the file

### Download and Install the SSL Certificate:

*   Open an administrative Command Line (DO NOT USE POWERSHELL)
*   Navigate to the Let's Encrypt bot directory: `CD "C:\Program Files (x86)\Lets Encrypt"`
*   Invoke the bot to automatically download and install the certificate into the IIS Server that Exchange uses to host the Exchange Server
    *   Be sure to change the placeholder subdomains to match the domain of the actual Exchange Server
        *   (e.g. "**mail.example.org**" | "**autodiscover.example.org**")
    ```
    wacs.exe --target manual --host mail.example.org,autodiscover.example.org --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
    ```
        
*   When the command is running, it will ask for an email address for alerts and abuse notifications, just put ["helpdesk@deeptree.tech"](http://%22helpdesk@deeptree.tech%22) as the email address
*   If you run into any unexpected errors that result in anything other than exiting with a status "0", consult with Michael Levesque or Nicole Rappe to proceed
    *   Check that the domain of the Exchange Server is reachable on port 80 as Let's Encrypt uses this to build the cert.
    *   Searching the external IP of the server on [Shodan](https://www.shodan.io/) will reveal all open ports.

### Troubleshooting:
If you find that any of the services such as [https://mail.example.org/ecp](https://mail.example.org/ecp), [https://autodiscover.example.org](https://autodiscover.example.org), or [https://mail.example.org/owa](https://mail.example.org/owa) do not let you log in, proceed with the steps below to correct the "Certificate Binding" in IIS Manager
    *   Open "**Server Manager**" > Tools > "**Internet Information Services (IIS) Manager**"
    *   Expand the "**Connections**" server tree on the left-hand side of the IIS Manager
    *   Expand the "**Sites**" folder
        *   Click on "**Default Web Site**"
            *   On the right-hand Actions menu, click on "**Bindings...**"
            *   A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
                *   **Type**: https
                *   **Host Name**: autodiscover.example.org
                *   **Port**: 443
                    *   Double-click on the row, or click one then click the "**Edit**" button to open the settings for that endpoint
                    *   Under "**SSL Certificate**" > Make sure the certificate name matches the following format: "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**"
                    *   If it does not match the above, use the dropdown menu to correct it and click the "**OK**" button
                *   **Type**: https
                *   **Host Name**: mail.example.org
                *   **Port**: 443
                    *   Repeat the steps seen above, except this time for "**mail.example.org**"
        *   Click on "**Exchange Back End**"
            *   On the right-hand Actions menu, click on "**Bindings...**"
            *   A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
                *   **Type**: https
                *   **Host Name**: <blank>
                *   **Port**: 444
                    *   Repeat the steps seen above, ensuring that the "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**" certificate is selected and applied
                    *   Click the "**OK**" button
        *   On the left-hand menu under "**Connections**" in IIS Manager, click on the server name itself
            *   (e.g. "**EXAMPLE-EXCHANGE (DOMAIN\\dptadmin**")
            *   On the right-hand "**Actions**" menu > Under "Manage Server" > Select "Restart"
            *   Wait for the IIS server to restart itself, then try accessing the webpages for Exchange that were exhibiting issues logging in

### Additional Documentation:

*   [https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/](https://www.alitajran.com/install-free-lets-encrypt-certificate-in-exchange-server/)