
Exchange 2016: Free certificates from Let's Encrypt

Foreword

The certificate authority Let's Encrypt has been offering free certificates for some time now. In December 2015 I already wrote an article on this topic, but at that time the Windows client did not yet work reliably, so a detour via a Linux machine was necessary.

A little over a year has now passed and I have started a new attempt.

Test environment

The test environment is kept very simple: just two Windows Server 2016 machines, connected to the Internet through a router:

One of the two servers is a domain controller; Exchange 2016 CU4 is installed on the other. Two port forwardings are configured on the router: port 80 (HTTP) and port 443 (HTTPS) are forwarded to the Exchange server.

Exchange uses the host name mail.frankysweb.de both internally and externally. Autodiscover is published under the name autodiscover.frankysweb.de. Internal and external URLs are configured identically.

Exchange is already fully configured, so this article only covers the Let's Encrypt part. I therefore need a certificate with two DNS names from Let's Encrypt: mail.frankysweb.de and autodiscover.frankysweb.de.

Request a certificate from Let's Encrypt

There is now a whole range of clients that can request certificates from Let's Encrypt. I opted for the ACMESharp client because it can be driven entirely from PowerShell. (Note: ACMESharp speaks the original ACME v1 protocol, which Let's Encrypt has since retired; the http-01 flow shown below is unchanged in ACME v2, but a current ACME v2 client is needed for new requests today.)

The certificates are requested on the Exchange server itself. For the validation to succeed, the Let's Encrypt validation servers must be able to reach the Exchange server under each requested name on port 80 (HTTP).

So the ACMESharp module must be installed first. Thanks to the PowerShell Gallery (PowerShellGet is included in Windows Server 2016) this can be done directly from PowerShell. Start a PowerShell session as administrator:

The ACMESharp client can now be installed with the following command:

Install-Module -Name ACMESharp -AllowClobber

Now the module can be loaded and a new vault (the local store for the Let's Encrypt keys and certificates) can be created:

Import-Module ACMESharp
Initialize-ACMEVault

Now you can register with Let's Encrypt; all that is needed is an e-mail address (and acceptance of the terms of service):

New-ACMERegistration -Contacts mailto:admin@frankysweb.de -AcceptTos

After registration, the certificate and the validation of the domain names can be prepared. I want a certificate with two domain names (mail.frankysweb.de and autodiscover.frankysweb.de), and the names are to be validated via HTTP:

New-ACMEIdentifier -Dns mail.frankysweb.de -Alias dns1
New-ACMEIdentifier -Dns autodiscover.frankysweb.de -Alias dns2
Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'Default Web Site' }
Complete-ACMEChallenge dns2 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'Default Web Site' }

Note: The parameter "-ChallengeType http-01" tells Let's Encrypt to verify the domain names mail.frankysweb.de and autodiscover.frankysweb.de via HTTP. The Let's Encrypt servers open an HTTP connection to each of the two names and try to retrieve one file per domain name from the path /.well-known/acme-challenge/. The "-Handler iis" part makes ACMESharp write that file into the physical directory of the "Default Web Site".

To prove that autodiscover.frankysweb.de and mail.frankysweb.de belong to me, Let's Encrypt will open an HTTP connection to my Exchange server and fetch the following URLs:

The corresponding directory can also be viewed in the IIS:

However, the Default Web Site of an Exchange server normally refuses plain HTTP connections on port 80, because "Require SSL" is set at the site level and inherited by every subdirectory. "SSL required" must therefore be switched off for the ".well-known" directory. This can be done quickly with PowerShell (or in IIS Manager):

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "Default Web Site/.well-known" -Filter 'system.webServer/security/access' -Name "sslFlags" -Value "None"

If the router forwards port 80 to the Exchange server and the DNS entries for autodiscover.frankysweb.de and mail.frankysweb.de point to the WAN IP address of the router, the validation can be started:

Submit-ACMEChallenge dns1 -ChallengeType http-01
Submit-ACMEChallenge dns2 -ChallengeType http-01

The validation now has the status "pending". After a short time it should be complete and the status should change to "valid". The status can be checked with the following commands (repeat them until the status is no longer "pending"; if it becomes "invalid", the HTTP retrieval failed and the identifier has to be created again after fixing the cause):

Update-ACMEIdentifier dns1
Update-ACMEIdentifier dns2

As soon as the validation has been completed, the certificate can be requested:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns1,dns2 -Alias multiNameCert
Submit-ACMECertificate multiNameCert
Update-ACMECertificate multiNameCert

The certificate is now in the ACMESharp vault, but not yet in the Windows certificate store, so it is first exported from the vault as a PFX file. The PFX contains the private key, so protect the file and its password accordingly:

Get-ACMECertificate multiNameCert -ExportPkcs12 "D:\Certificate\cert1.pfx" -CertificatePassword 'P@ssW0rd'

After exporting, the certificate is saved as a PFX file in the corresponding folder:

It can now be imported into the Windows certificate store (the Personal store of the local machine):

$password = ConvertTo-SecureString -String "P@ssW0rd" -Force -AsPlainText
# Same PFX file as exported above; -Exportable only matters if the key is to be exported again later
Get-ChildItem -Path "D:\Certificate\cert1.pfx" | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $password

Now the fresh certificate only needs to be assigned to the Exchange services. The thumbprint is shown in the output of the import command (or by Get-ExchangeCertificate). Exchange asks whether the default SMTP certificate should be overwritten; answering yes is fine here:

Add-PSSnapin *exchange*
Enable-ExchangeCertificate -Thumbprint "8ABEDEFDDCF0C82AFDE4E3FE3E80819FBE643AFD" -Services POP,IMAP,SMTP,IIS

And that was all: certificate requested and assigned:
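The whole procedure above as one script, an added example that is not the article's own code: it creates the identifiers, fetches the challenge file itself over plain HTTP before submitting (so a local problem such as "Require SSL" or a missing file is caught before Let's Encrypt sees it), polls the validation instead of re-running Update-ACMEIdentifier by hand, waits for issuance, imports the PFX and deletes it again, checks the SAN list, and assigns the certificate by the thumbprint returned from the import rather than a hard-coded value. It assumes the vault and registration from the article already exist, the same host names and site name, and that the public names resolve to this server from the LAN (split DNS, as in the test environment). The challenge-object property names (Challenge.FileUrl, Challenge.FileContent) follow the ACMESharp documentation and should be checked against the installed module version; $ExportPath and $CertPassword are placeholders.

```powershell
# Added example (not from the article): request, validate, issue, import and assign in one run.
# Assumes an initialized ACMESharp vault and an existing registration (see the article above).
Import-Module ACMESharp
Import-Module WebAdministration

$Names        = @('mail.frankysweb.de', 'autodiscover.frankysweb.de')
$SiteName     = 'Default Web Site'
$RunTag       = Get-Date -Format 'yyyyMMdd-HHmm'     # unique aliases per run, so renewals never collide
$ExportPath   = 'D:\Certificate\cert1.pfx'           # assumption: same folder as in the article
$CertPassword = 'P@ssW0rd'                           # assumption: placeholder, do not keep in scripts

# 1. Let plain HTTP through to /.well-known; the Default Web Site inherits "Require SSL" otherwise.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/.well-known" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'

# 2. One identifier per name; the iis handler writes the challenge file into the site.
$Aliases = @()
foreach ($n in $Names) {
    $alias = '{0}-{1}' -f $n.Replace('.', '-'), $RunTag
    New-ACMEIdentifier -Dns $n -Alias $alias | Out-Null
    Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = $SiteName } | Out-Null
    $http = (Update-ACMEIdentifier $alias -ChallengeType http-01).Challenges | Where-Object { $_.Type -eq 'http-01' }

    # Pre-flight: fetch the challenge file ourselves before Let's Encrypt does. A failure here is
    # local (Require SSL, missing file, DNS) rather than a router or firewall problem.
    $resp = Invoke-WebRequest -Uri $http.Challenge.FileUrl -UseBasicParsing
    if ($resp.Content.Trim() -ne $http.Challenge.FileContent.Trim()) {
        throw "Challenge file for $n is not served correctly at $($http.Challenge.FileUrl)"
    }
    $Aliases += $alias
}

# 3. Ask Let's Encrypt to validate, then poll until nothing is pending any more.
foreach ($a in $Aliases) { Submit-ACMEChallenge $a -ChallengeType http-01 | Out-Null }
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $states  = foreach ($a in $Aliases) { Update-ACMEIdentifier $a }
    $pending = @($states | Where-Object { $_.Status -eq 'pending' })
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
$failed = @($states | Where-Object { $_.Status -ne 'valid' })
if ($failed.Count -gt 0) {
    throw ('Validation failed: ' + (($failed | ForEach-Object { "$($_.Dns)=$($_.Status)" }) -join ', '))
}

# 4. Request the SAN certificate and wait until the CA has issued it.
$CertAlias = "exchange-$RunTag"
New-ACMECertificate $Aliases[0] -Generate -AlternativeIdentifierRefs $Aliases -Alias $CertAlias | Out-Null
Submit-ACMECertificate $CertAlias | Out-Null
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $cert = Update-ACMECertificate $CertAlias
} while (-not $cert.SerialNumber -and (Get-Date) -lt $deadline)
if (-not $cert.SerialNumber) { throw "Certificate $CertAlias was not issued within the timeout" }

# 5. Export to PFX, import into LocalMachine\My, then remove the file: it holds the private key.
if (Test-Path $ExportPath) { Remove-Item $ExportPath -Force }
Get-ACMECertificate $CertAlias -ExportPkcs12 $ExportPath -CertificatePassword $CertPassword | Out-Null
$secure   = ConvertTo-SecureString -String $CertPassword -AsPlainText -Force
$imported = Import-PfxCertificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $secure
Remove-Item $ExportPath -Force

# 6. Verify the SAN list before touching Exchange: a missing name breaks Autodiscover silently.
$sanExt = $imported.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
$sanTxt = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($n in $Names) {
    if ($sanTxt -notmatch [regex]::Escape($n)) { throw "Issued certificate lacks SAN $n (has: $sanTxt)" }
}

# 7. Assign to the Exchange services; -Force answers the "overwrite default SMTP certificate" prompt.
if (-not (Get-PSSnapin -Name 'Microsoft.Exchange.Management.PowerShell.SnapIn' -ErrorAction SilentlyContinue)) {
    Add-PSSnapin 'Microsoft.Exchange.Management.PowerShell.SnapIn'
}
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services POP,IMAP,SMTP,IIS -Force
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

Run it in an elevated PowerShell on the Exchange server. Because every run creates new identifier and certificate aliases, the same script can be used for the 90-day renewal; the old certificate stays in the store and can be removed once Exchange reports the new thumbprint for all services.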

Conclusion

In my test environment it worked very well; the client does what it is supposed to do, and does so completely from PowerShell.

Let's Encrypt only issues certificates with a validity of 90 days, so they have to be replaced every three months. It was therefore important to me that the whole process can be expressed in PowerShell, because that also allows the certificate replacement to be fully automated. Corresponding articles will follow.

Outlook

Perhaps someone still remembers this little script of mine?

Exchange Certificate Assistant

It is going to get an update...
