I had already announced that the certificate wizard would receive an update for Let's Encrypt. The version for Exchange 2016 is now ready.
The certificate wizard can fetch a certificate from Let's Encrypt with just a few entries and then renew it fully automatically.
So far I have tested this script with Windows Server 2016 and Exchange Server 2016. I am currently preparing tests for Server 2012 R2 and Exchange Server 2013/2016 and will adapt the version accordingly if necessary. At the moment only Server 2016 and Exchange 2016 are supported; other versions will follow.
The script is straightforward to use and needs little effort. However, it has the following requirements:
- Exchange Server must be configured with valid URLs / hostnames
- All host names must be accessible from the Internet
- The configured host names must be accessible via HTTP (port 80) from the Internet
These prerequisites exist because Let's Encrypt has to validate the domains. Internal host names such as exsrv1.domain.local therefore cannot be used.
The certificate wizard reads the configured host names and then retrieves a corresponding SAN certificate from Let's Encrypt. The certificate is then activated automatically.
Since Let's Encrypt certificates are only valid for 3 months, a scheduled task can be created that renews the certificate 4 days before it expires. No user interaction is required for the renewal.
For testing, you can set the renewal time yourself (line 402 in the script); entering 30 days there, for example, leaves enough time for troubleshooting. So far I have tested the script in three different Exchange environments, successfully in each case. Feedback is nevertheless welcome.
This is what the interface looks like with all the necessary entries:
The rest works automatically and takes about 2 minutes:
A renewal task is created in Task Scheduler. The task starts every day at 23:00 and renews the certificate 4 days before it expires:
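As an added example (not the wizard's own code), the two steps described above can be checked by hand in PowerShell: collecting the host names Exchange has configured, flagging names Let's Encrypt cannot validate, and deciding whether the 4-day renewal window has been reached. It assumes the Exchange Management Shell on the Exchange 2016 server itself; the function names and the `.local` check are my own.

```powershell
# Added example, not the wizard's own code. Run in the Exchange Management Shell
# on the Exchange 2016 server. $RenewDaysBeforeExpiry mirrors the wizard's
# 4-day default (the value the post says can be raised for testing).
$RenewDaysBeforeExpiry = 4

function Get-ExchangeSanHostNames {
    # Host names from every client access URL Exchange publishes: the SAN list
    # Let's Encrypt has to validate over HTTP (port 80) from the Internet.
    $dirs = @(
        Get-OwaVirtualDirectory
        Get-EcpVirtualDirectory
        Get-WebServicesVirtualDirectory
        Get-ActiveSyncVirtualDirectory
        Get-OabVirtualDirectory
        Get-MapiVirtualDirectory
    )
    $names = @(foreach ($d in $dirs) {
        foreach ($u in $d.InternalUrl, $d.ExternalUrl) { if ($u) { $u.Host } }
    })
    # Autodiscover and Outlook Anywhere publish host names outside the vdir set
    $names += @(Get-ClientAccessService | Where-Object { $_.AutoDiscoverServiceInternalUri } |
        ForEach-Object { $_.AutoDiscoverServiceInternalUri.Host })
    $names += @(Get-OutlookAnywhere | ForEach-Object {
        "$($_.InternalHostname)"; "$($_.ExternalHostname)" } | Where-Object { $_ })
    $names | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

function Test-PublicHostName([string]$Name) {
    # Heuristic (my own): single-label names and .local suffixes, such as
    # exsrv1.domain.local from the post, cannot be validated by Let's Encrypt.
    return ($Name -match '\.' -and $Name -notmatch '\.local$')
}

function Test-RenewalDue([int]$DaysBefore = $RenewDaysBeforeExpiry) {
    # Look at the certificate currently bound to IIS and compare its expiry.
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $true }   # nothing bound to IIS: request one
    return ($cert.NotAfter - (Get-Date)).TotalDays -le $DaysBefore
}

# Usage: list the SAN names with their validation status, then the renewal check
Get-ExchangeSanHostNames | ForEach-Object {
    if (Test-PublicHostName $_) { "OK       $_" }
    else { "UNUSABLE $_ (Let's Encrypt cannot validate this name)" }
}
"Renewal due now: $(Test-RenewalDue)"
```

Any name reported as UNUSABLE must be replaced with a public host name in the Exchange URL configuration before the wizard can obtain a certificate.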
Known problems:
- If you have not yet registered with Let's Encrypt, an error message appears, but the registration is then carried out anyway.
- There is no notification or error handling for the renewal yet.
Dependencies:
- PowerShell IIS module (WebAdministration)
- Exchange Management Shell
- ACMESharp PowerShell Client (will be installed if not available)
If you are interested, you can test this first version. There may of course still be various problems, so please do not use it in production environments for the time being.
Please send feedback and problem reports via the contact form. If you run into problems, please always attach screenshots or the script output.
Note: A completely revised version can be found here (Beta):