5.7 KiB
Purpose: If you want to set up automatic Let's Encrypt SSL certificates on a Microsoft Exchange server, you have to go through a few steps to install the WinACME bot, and configure it to automatically renew certificates.
!!! note "ACME Bot Provisioning Considerations" This document assumes you want a fully-automated one-liner command for configuring the ACME Bot, it is also completely valid to go step-by-step through the bot to configure the SSL certificate, the IIS server, etc, and it will automatically create a Scheduled Task to renew on its own. The whole process is very straight-forward with most answers being the default option.
Download the Win-ACME Bot:
- Log into the on-premise Exchange Server via Datto RMM
- Navigate to: https://www.win-acme.com/
- On the top-right of the website, you will see a "Download" button with the most recent version of the Win-ACME bot
- Extract the contents of the ZIP file to "C:\Program Files (x86)\Lets Encrypt"
- Make the "Lets Encrypt" folder if it does not already exist
Configure settings_default.json:
- The next step involves us making a modification to the configuration of the Win-ACME bot that allows us to export the necessary private key data for Exchange
- Using a text editor, open the "settings_default.json" file
- Look for the setting called "PrivateKeyExportable" and change the value from "false" to "true"
- Save and close the file
Download and Install the SSL Certificate:
-
Open an administrative Command Line (DO NOT USE POWERSHELL)
-
Navigate to the Let's Encrypt bot directory:
CD "C:\Program Files (x86)\Lets Encrypt" -
Invoke the bot to automatically download and install the certificate into the IIS Server that Exchange uses to host the Exchange Server
- Be sure to change the placeholder subdomains to match the domain of the actual Exchange Server
- (e.g. "mail.example.org" | "autodiscover.example.org")
wacs.exe --target manual --host mail.example.org,autodiscover.example.org --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose - Be sure to change the placeholder subdomains to match the domain of the actual Exchange Server
-
When the command is running, it will ask for an email address for alerts and abuse notifications, just put "helpdesk@deeptree.tech" as the email address
-
If you run into any unexpected errors that result in anything other than exiting with a status "0", consult with Michael Levesque or Nicole Rappe to proceed
- Check that the domain of the Exchange Server is reachable on port 80 as Let's Encrypt uses this to build the cert.
- Searching the external IP of the server on Shodan will reveal all open ports.
Troubleshooting:
If you find that any of the services such as https://mail.example.org/ecp, https://autodiscover.example.org, or https://mail.example.org/owa do not let you log in, proceed with the steps below to correct the "Certificate Binding" in IIS Manager
* Open "**Server Manager**" > Tools > "**Internet Information Services (IIS) Manager**"
* Expand the "**Connections**" server tree on the left-hand side of the IIS Manager
* Expand the "**Sites**" folder
* Click on "**Default Web Site**"
* On the right-hand Actions menu, click on "**Bindings...**"
* A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
* **Type**: https
* **Host Name**: autodiscover.example.org
* **Port**: 443
* Double-click on the row, or click one then click the "**Edit**" button to open the settings for that endpoint
* Under "**SSL Certificate**" > Make sure the certificate name matches the following format: "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**"
* If it does not match the above, use the dropdown menu to correct it and click the "**OK**" button
* **Type**: https
* **Host Name**: mail.example.org
* **Port**: 443
* Repeat the steps seen above, except this time for "**mail.example.org**"
* Click on "**Exchange Back End**"
* On the right-hand Actions menu, click on "**Bindings...**"
* A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
* **Type**: https
* **Host Name**: <blank>
* **Port**: 444
* Repeat the steps seen above, ensuring that the "**\[Manual\] autodiscover.example.org @ YYYY/MM/DD**" certificate is selected and applied
* Click the "**OK**" button
* On the left-hand menu under "**Connections**" in IIS Manager, click on the server name itself
* (e.g. "**EXAMPLE-EXCHANGE (DOMAIN\\dptadmin**")
* On the right-hand "**Actions**" menu > Under "Manage Server" > Select "Restart"
* Wait for the IIS server to restart itself, then try accessing the webpages for Exchange that were exhibiting issues logging in