Franky's Web

WIN-ACME: Installation of an Exchange CU fails

On an Exchange 2016 server whose certificate had been obtained from Let's Encrypt with the WIN-ACME client, the installation of a Cumulative Update (CU) aborted with an error at step 16 of 18.

Here is the complete text of the error message:

Error:
The following error was generated when "$error.Clear();
Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
" was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleCryptographicException: Network Service access to the certificate with the thumbprint 1xxxxxxxxxxxxxxxxxx could not be granted because of a cryptographic exception. ---> System.Security.Cryptography.CryptographicException: Access denied

at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server, List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The important part of the error message is this:

Network Service access to the certificate with the thumbprint 1xxxxxxxxxxxxxxxxxxxxxx could not be granted because of a cryptographic exception (Access denied)

The cause here was that the certificate's private key had been stored as non-exportable (PrivateKeyExportable = False). The stack trace shows what the failing setup step actually does: Install-ExchangeCertificate enables the certificate for IIS, POP and IMAP and, as part of that, adds an access rule for the Network Service account to the private key (CAPIAddAccessRule); that is the call that failed with "Access denied". Whether a private key is exportable is decided when the key is generated or imported, so it has to be set at issue or import time, for example via the certificate template.

With a Windows CA (AD CS), the property is set on the certificate template ("Allow private key to be exported" on the Request Handling tab).

In this case, as already mentioned, the certificate was issued with the WIN-ACME client. The WIN-ACME client also lets you choose whether the private key should be exportable; by default it is marked as non-exportable. This is changed in the "settings.json" file of the WIN-ACME client.

The "PrivateKeyExportable" setting in settings.json must be set to true.

Of course, this setting does not affect certificates that have already been issued, because exportability is a property of the key that was already generated, so the certificate must be renewed. The certificate can be renewed with the following command (--force renews it even though it is not yet due, and the renewed certificate gets a new thumbprint):

wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/" --force
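As an added example (not the author's code, and not code from win-acme or Exchange), the check and the fix from the preceding paragraphs in one PowerShell script: it reports whether the certificate's private key is exportable, which provider holds it and whether NETWORK SERVICE can read the key file (the access rule that Install-ExchangeCertificate failed to add), then sets PrivateKeyExportable in settings.json, forces the renewal and repeats the check on the new certificate. The thumbprint placeholder, the win-acme install path and the Store.CertificateStore location of the setting inside settings.json (win-acme 2.x layout) are assumptions; adjust them for your server.

```powershell
# Added example, not code from the original post or from win-acme/Exchange.
# Assumptions: thumbprint placeholder, win-acme install directory, and the
# win-acme 2.x settings.json layout (Store.CertificateStore.PrivateKeyExportable).
# Run in an elevated PowerShell on the Exchange server.

$Thumbprint  = '1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'   # placeholder, use your own
$WacsDir     = 'C:\Program Files\win-acme'                 # assumed install directory
$AcmeBaseUri = 'https://acme-v02.api.letsencrypt.org/'

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "No private key for $($Cert.Thumbprint) in this store." }

    # Legacy CryptoAPI (CSP) keys are reachable through .PrivateKey and carry a
    # CspKeyContainerInfo; for CNG keys that property throws "Invalid provider type".
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $csp.CspKeyContainerInfo
        return [pscustomobject]@{
            Provider   = 'CryptoAPI (CSP)'
            Exportable = $info.Exportable
            KeyFile    = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
        }
    }

    # Otherwise the key lives in a CNG key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) { throw "Unsupported key type for $($Cert.Thumbprint)." }
    $policy = [int]$rsa.Key.ExportPolicy
    return [pscustomobject]@{
        Provider   = 'CNG (KSP)'
        Exportable = ($policy -band [int][System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        KeyFile    = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
}

function Test-NetworkServiceKeyAccess {
    param([string]$KeyFile)
    # This is the ACE that Exchange setup tries to add (CAPIAddAccessRule) and that
    # failed with "Access denied" in the error above.
    if (-not (Test-Path -LiteralPath $KeyFile)) { return $false }
    $acl = Get-Acl -LiteralPath $KeyFile
    return [bool]($acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    })
}

function Enable-WinAcmeExportableKeys {
    param([string]$SettingsPath)
    $settings = Get-Content -LiteralPath $SettingsPath -Raw | ConvertFrom-Json
    $store = $settings.Store.CertificateStore          # assumed win-acme 2.x layout
    if ($null -eq $store) { throw "Unexpected settings.json layout; set PrivateKeyExportable by hand." }
    if ($store.PSObject.Properties['PrivateKeyExportable']) { $store.PrivateKeyExportable = $true }
    else { $store | Add-Member -NotePropertyName PrivateKeyExportable -NotePropertyValue $true }
    Copy-Item -LiteralPath $SettingsPath -Destination "$SettingsPath.bak" -Force
    # Depth matters: ConvertTo-Json flattens anything deeper than 2 levels by default.
    $settings | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $SettingsPath -Encoding UTF8
}

$cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$before = Get-PrivateKeyInfo -Cert $cert
"Before: {0}, exportable={1}, NETWORK SERVICE read={2}" -f $before.Provider, $before.Exportable, (Test-NetworkServiceKeyAccess $before.KeyFile)

if (-not $before.Exportable) {
    Enable-WinAcmeExportableKeys -SettingsPath (Join-Path $WacsDir 'settings.json')
    & (Join-Path $WacsDir 'wacs.exe') --renew --baseuri $AcmeBaseUri --force
    if ($LASTEXITCODE -ne 0) { throw "wacs.exe failed with exit code $LASTEXITCODE" }

    # The renewal installs a new certificate with a new thumbprint; pick the newest
    # one for the same subject and repeat the check before restarting Exchange setup.
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.Subject -eq $cert.Subject -and $_.HasPrivateKey } |
             Sort-Object NotBefore -Descending | Select-Object -First 1
    $after = Get-PrivateKeyInfo -Cert $cert
    "After:  {0}, exportable={1}, NETWORK SERVICE read={2}" -f $after.Provider, $after.Exportable, (Test-NetworkServiceKeyAccess $after.KeyFile)
}
```

The script keeps a copy of settings.json as settings.json.bak before rewriting it, since ConvertTo-Json reformats the file. From the Exchange Management Shell, Get-ExchangeCertificate -Thumbprint <thumbprint> | Format-List PrivateKeyExportable gives the same exportability answer; the NETWORK SERVICE ACE is expected to be missing before setup runs, because adding it is exactly what the failed step does.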

After the certificate has been renewed, the Exchange setup can be started again. Setup detects the incomplete installation and completes it.

If the certificate was issued by a Windows CA, change the template as described above and renew the certificate via the Certificates MMC; because exportability is a property of the key, the renewal must generate a new key rather than reuse the existing one.
