I have started to revise the "Exchange Certificate Assistant". The previous version is no longer compatible with the current ACMESharp module and therefore requires an old version of the module. However, since some relevant parts of the ACMESharp module have changed in the meantime, it is time for a new version of the "Exchange Certificate Assistant".
I have therefore fundamentally revised the "Certificate Assistant" and also introduced a few improvements:
- A log file is generated
- The log file can be sent by e-mail
- The log file is available in CSV format and can therefore be further processed and analyzed more easily
- Error handling is now almost universal in the script
- The script is compatible with the current ACMESharp module version (currently version 0.9.1.326)
But there are also a few places where I still need to tweak:
- Currently, the script has only been tested with Exchange 2016 on Server 2016
- Support for Server 2012 R2 and Exchange 2013 must be tested or added
- Clean up the old / expired certificates
- Creating a planned task for the renewal is no longer necessary
Let's Encrypt certificates are known to be valid for 3 months. In the old version of the script, a scheduled task was created that renews the certificate. This should continue to be the case, but the task should determine when the certificate is renewed. This only requires the script to be called up again.
I imagine it to be something like this:
- First call of the script by Admininistrator
- Script installs necessary requirements
- Script configures the certificate
- Administrator creates a scheduled task that starts the script every 60 days, for example
- Script renews certificate automatically, without user interaction
I create my own versions of the script for Exchange 2013 and Exchange 2010, so fewer "version dependencies" have to be taken into account within a script. I think this will make it a little easier.
Of course, there are still a few requirements:
- Exchange 2016 on Server 2016 (support for other Exchange and OS versions to follow)
- Exchange 2016 must be accessible on port 80 (http) and port 443 (https) from the Internet
- Exchange 2016 must be configured with valid FQDNs, FQDNs ending in .local and .internal (etc) are not supported
- All configured Exchange 2016 FQDNs must be accessible from the Internet (internal and external FQDNs)
According to current best practice, internal and external FQDNs should be the same anyway, so the requirements should not normally be a problem. The internal server name is irrelevant, only the configured URLs of the Exchange services are relevant for the script. The corresponding host names are automatically determined by the script, but can also be permanently stored in the script if required.
I have created a video of a first run on a freshly configured Exchange 2016 server:
I will leave the download for the old version online for the time being. I would be happy if someone is willing to test the current version. If there are any problems, please send me the log file and screenshots of the error message by email. Please only test in connection with Exchange 2016, I will test other Exchange versions in my test environment first.
Here is the download, which still has a bit of a beta character:
I will try to work through the other points on my ToDo list as quickly as possible. However, I would be pleased to receive as many log files as possible from other environments. Log files in which the script has run without errors can also help with improvements. As always, suggestions for improvement and criticism are also welcome by e-mail via the contact form.
Update 27.02.18
In my test environment, the certificate is also renewed automatically; I have created a scheduled task for this purpose. As described above, the script does not create the task automatically. The following task worked for me without any problems:
The executing user must have local admin rights on the server, but of course also corresponding Exchange authorizations. I have used the Domain Administrator here for testing, I still have to test exactly which rights are required. The settings that I have changed can be seen in the screenshots.
Ich habe für meinen Test einen Trigger auf den heutigen Tag gesetzt, es funktioniert hier aber auch ein entsprechend anderer Trigger. Let’s Encrypt Zertifikate sind 3 Monate lang gültig, man könnte also alle 2 Monate das Zertifikat tauschen und hat dann noch genug Zeit zu reagieren, falls etwas schief geht.
The script is then simply triggered as an action. Path to the Powershell:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Als Argument wird der Pfad zum Script angegeben, in meinem Fall „C:\CertificateAssistant\CertificateAssistant.ps1“
I will now tinker with the script some more and install test environments for Exchange 2010 and Exchange 2013.
Update 04.03.2018
I have just uploaded a new version. Now with support for Exchange 2013 and Server 2012 R2. See here:
https://www.frankysweb.de/certificate-assistant-jetzt-auch-fr-exchange-2013-und-server-2012-r2/