https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Create-a-SAN-certificate-for-Exchange-2016
Before you can do anything else, you need to make sure that IIS will respond with the appropriate challenge responses externally. The ACME servers verify that you control the host names you are requesting by fetching a token over plain HTTP from each of them, so the client software will create files in %SystemDrive%\inetpub\wwwroot in a folder called ".well-known\acme-challenge".
By default, this directory won't be visible to the outside world. You need to adjust the IIS settings for this directory to allow access.
- Create the .well-known\acme-challenge folder in your wwwroot directory. By default, this path should be: C:\inetpub\wwwroot\.well-known\acme-challenge. You will probably need to do this from the command line.
- In Internet Information Services (IIS) Manager, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck "Require SSL". Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- In the acme-challenge directory, create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure your server is reachable on port 80 from the internet; that is where the ACME server fetches the token.
Assuming you've installed the client on one of your Exchange 2016 servers, now you'll need to run it. I ran it in PowerShell. Run PowerShell with administrative privileges, then change your directory to wherever you've installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt
letsencrypt.exe --san
At the first prompt, enter the primary host name:
webmail.domain.com
This is the list of SANs on the certificate (repeat the primary host name):
webmail.domain.com,autodiscover.domain.com
This is the path to the Default Web Site root directory; notice I'm using the same path the script mentions when it lists out the various sites. If you try to use C:\inetpub\wwwroot instead, it'll fail to create the certificate properly:
%SystemDrive%\inetpub\wwwroot
Choose Yes to update the scheduled task (I had an old one created during testing of the script. If you don't fail a few times, like I did, you probably won't be prompted for this).
No to use a different user account. I'm logged in as the account I want to run this under, so I chose No.
If you select No above, the renewal will only run when you are logged on; if you want it to run when you are not logged on, select Y and enter your
Updating Website Bindings to Use the New Certificate
At this point, the cert will be installed and registered in IIS, but the Default Web Site won't switch to the new certificate automatically. You'll need to right-click "Default Web Site". Choose "Edit Bindings...". Click on https, port 443, *. Click "Edit...". Change the SSL certificate to the one named "webmail.domain.com", which will be followed by the date you created the certificate using Let's Encrypt. Click Ok. Try to access https://webmail.domain.com/owa to verify it works.
Final Steps
Now that you've installed this cert on one of your Exchange servers, you'll need to install this cert on the other servers in your lab. The client saves the certificate files under:
$env:userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Page 1 of Exchange
Mine was called webmail.domain.com-all.pfx
Copy that to your other machine and import it. That file contains the private key, so copy it over a protected channel and delete the copy once it is imported. I imported it into the System context, rather than local user. Once imported, just like above, you need to edit the bindings in IIS to use the webmail.domain.com certificate. Once you've done this on all of your servers, your lab should be all ready to use SSL.
Other Ways To Run
Auto Install on IIS
You can also have the client automatically create and install the certificate on IIS if you have HTTP bindings for the host name(s). Instead of selecting M (manual), select the Site ID for the Default Web Site, 1. It will find the web root automatically, create the .well-known/acme-challenge/ folders, create the web.config file, validate the site, generate the certificate, and create/update the IIS HTTPS bindings for the new certificate.
Centralized SSL Support
If you are using IIS 8.0 or greater you can take advantage of the Centralized Certificate Store. Add the --centralsslstore C:\Central_SSL\ argument when you run the client and the client will save the certificate there. You can also use this with the Auto Install method above to install it automatically and use the central SSL store.
Verification
To make sure all is working properly, I'd encourage you to use the Microsoft Remote Connectivity Analyzer. The Outlook Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. With Outlook 2016 requiring the use of Autodiscover to connect to Exchange, verifying that this works properly is an important step in making sure your environment is set up correctly.
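Before (or alongside) the connectivity tests, it is worth checking from outside what each name actually serves on 443. The script below is an added example, not code from the wiki page or the letsencrypt-win-simple project; the host names are the ones assumed throughout these notes. For each name it pulls the served certificate, reports whether that name is in the SAN list, whether the chain validates against the local trust store, and how many days remain (Let's Encrypt certificates are valid for 90 days).

```powershell
# Added example (not from the wiki page): probe each SAN name on 443 from any Windows host.
# Host names are assumed; replace them with your own.
$Names = 'webmail.domain.com', 'autodiscover.domain.com'

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; validity is judged explicitly
        # below, so a broken chain is reported instead of aborting the probe.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)     # $HostName also goes out as SNI
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san) { return @() }
    # Format() output is locale dependent; this matches the English form "DNS Name=..."
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($name in $Names) {
    try {
        $cert = Get-ServedCertificate -HostName $name
        $sans = @(Get-SanDnsNames -Cert $cert)
        [pscustomobject]@{
            Host       = $name
            Issuer     = $cert.GetNameInfo('SimpleName', $true)
            NameInSAN  = $sans -contains $name
            ChainValid = $cert.Verify()          # chain build plus revocation check with the OS policy
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            SANs       = $sans -join ','
        }
    } catch {
        [pscustomobject]@{ Host = $name; Issuer = $null; NameInSAN = $false; ChainValid = $false
                           DaysLeft = $null; SANs = "probe failed: $($_.Exception.Message)" }
    }
}
```

Run it from a machine outside your network, since that is the path Outlook and the ACME server use. A NameInSAN of False on a name that is listed in the certificate means the server is still presenting the old certificate on that binding; a low DaysLeft on one server only usually means the renewal ran on the client server but the new .pfx was never copied to the others.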
Exchange Certificate SSL Let's encrypt
Monday 26 September 2016
11:14
- Create the .well-known\acme-challenge folder in your wwwroot directory. By default, this path should be: C:\inetpub\wwwroot\.well-known\acme-challenge. You will probably need to do this from the command line.
- In Internet Information Services (IIS) Manager, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck "Require SSL". Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- In the acme-challenge directory, create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure your server is reachable on port 80
Run PowerShell with administrative privileges. Then change your directory to wherever you've installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt
letsencrypt.exe --san
At the first prompt, enter the primary host name:
webmail.domain.com
This is the list of SANs on the certificate (repeat the primary host name):
webmail.domain.com,autodiscover.domain.com,mail.domain.com
This is the path to the Default Web Site root directory (use the path the script lists, not C:\inetpub\wwwroot):
%SystemDrive%\inetpub\wwwroot
Export it:
Go to the certificate you just imported, right-click -> ALL TASKS -> EXPORT
Select YES to export the private key (this is very important!)
Make sure "INCLUDE ALL…" and "EXPORT ALL…" are checked!
Set a password, otherwise you won't be able to install it on your Exchange server
Exchange Certificate SSL Let's encrypt PT-BR
03 May 2017
20:55
# Requirements:
- Create the .well-known\acme-challenge folder in the wwwroot directory. By default, this path should be: "C:\inetpub\wwwroot\.well-known\acme-challenge". You will probably need to do this from the command line.
- In IIS, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck "Require SSL". Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- In the acme-challenge directory, create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure the server is reachable on port 80 (this port only needs to be open while the certificate is being generated, and again at each renewal, since the validation is repeated then).
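The same preparation steps appear in the two notes above and in this one. Here is an added example, not code from the wiki page or the letsencrypt-win-simple project, that performs them with the WebAdministration module and then proves locally that a token file is served over plain HTTP the way the ACME server expects. It assumes the site is "Default Web Site", the web root is under %SystemDrive%\inetpub\wwwroot, and that it runs as Administrator on the Exchange server. The web.config it writes is my own minimal version, not the project's Web_Config.xml; copy that file instead if you prefer.

```powershell
# Added example (not from the wiki page or the client project): prepare the challenge
# folder, then fetch a constructed token over http:// to prove the path works.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'                                          # assumed
$Challenge = Join-Path $env:SystemDrive 'inetpub\wwwroot\.well-known\acme-challenge'
$Location  = "$SiteName/.well-known/acme-challenge"                      # IIS config path for the folder

# 1. The folder (Explorer refuses names starting with a dot; New-Item does not)
New-Item -ItemType Directory -Path $Challenge -Force | Out-Null

# 2. web.config: ACME tokens are extensionless files, so "." needs a MIME type or IIS
#    answers 404.3. <clear/> keeps this folder from serving anything but those files.
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $Challenge 'web.config') -Encoding UTF8

# 3. These two settings live in sections locked at server level, so they are set per
#    location in applicationHost.config rather than in web.config: no "Require SSL",
#    anonymous authentication on. This is what the IIS Manager clicks above change.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true

# 4. Constructed token: write it, fetch it over http:// without following redirects,
#    remove it. A redirect here means an HTTP-to-HTTPS rule on the parent site would
#    also send the ACME server to HTTPS and the validation would fail.
$token = 'selftest-' + [guid]::NewGuid().ToString('N')
[IO.File]::WriteAllText((Join-Path $Challenge $token), 'challenge-ok')
try {
    $r = Invoke-WebRequest -Uri "http://localhost/.well-known/acme-challenge/$token" `
            -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    if ($r.StatusCode -eq 200 -and $r.Content -eq 'challenge-ok') {
        'OK: token served as plain HTTP 200'
    } else {
        "FAIL: HTTP $($r.StatusCode), body '$($r.Content)'"
    }
} catch {
    "FAIL: $($_.Exception.Message)"
} finally {
    Remove-Item -Path (Join-Path $Challenge $token) -ErrorAction SilentlyContinue
}
```

This only proves the IIS side. The ACME server connects from the internet, so the firewall or NAT in front of the server must still forward port 80 to it; from a machine outside, Test-NetConnection webmail.domain.com -Port 80 (or a browser request for a token you left in place) confirms that part.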
# Running the client:
Run PowerShell with administrative privileges. Then change your directory to wherever you installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt
letsencrypt.exe --san
webmail.domain.com
%SystemDrive%\inetpub\wwwroot
# Import the certificate:
Open MMC -> Certificates -> MY USER ACCOUNT
Under PERSONAL go to ALL TASKS -> IMPORT
Leave the password blank
During the import, make sure "MARK THIS KEY AS ..." and "INCLUDE ALL ..." are checked!
# Export it:
Go to the certificate you just imported, right-click -> ALL TASKS -> EXPORT
Select YES to export the private key (this is very important!)
Make sure "INCLUDE ALL ..." and "EXPORT ALL ..." are checked!
Set a password, otherwise you won't be able to install it on your Exchange server
# After that, you can open the EMC and import this .pfx into your Exchange servers
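The import, export-with-password, copy-to-the-other-servers and rebinding steps are described by hand (MMC and IIS Manager) in the Final Steps, Export it and Import sections of the notes above. The script below is an added example, not code from the wiki page or the letsencrypt-win-simple project, that does the same thing in PowerShell. It assumes the -all.pfx written by the client has a blank password (as the import step above says), that the other Exchange servers are named EX01 and EX02 with WinRM enabled, and that it runs as an administrator on the server where the client ran.

```powershell
# Added example (not from the wiki page or the client project): import the client's pfx
# into the machine store, re-export it under a password, push it to the other servers
# and rebind their https:443 bindings. Server names and paths are assumptions.
Import-Module WebAdministration

$ClientPfx  = Join-Path $env:APPDATA 'letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\webmail.domain.com-all.pfx'
$ExportPfx  = Join-Path $env:TEMP 'webmail.domain.com.pfx'
$Servers    = 'EX01', 'EX02'                           # assumed: the other Exchange servers
$NoPassword = New-Object System.Security.SecureString  # the client's pfx has a blank password
$Password   = Read-Host -Prompt 'Password for the exported PFX' -AsSecureString

# 1. Import into the machine store (the "System context" in the notes) with the key
#    marked exportable; without -Exportable the export in step 2 is refused.
$cert = Import-PfxCertificate -FilePath $ClientPfx -Password $NoPassword `
            -CertStoreLocation Cert:\LocalMachine\My -Exportable
"Imported $($cert.GetNameInfo('SimpleName', $false)) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

# 2. Re-export with the private key and the full chain, protected by the password
Export-PfxCertificate -Cert $cert -FilePath $ExportPfx -Password $Password -ChainOption BuildChain | Out-Null

# 3. Send the bytes through the WinRM session (no file share, no second-hop problem),
#    import on each server and point every https:443 binding of the Default Web Site
#    at the new thumbprint, which is what the "Edit Bindings..." step does by hand.
$bytes = [IO.File]::ReadAllBytes($ExportPfx)
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $bytes, $Password -ScriptBlock {
        param([byte[]]$PfxBytes, [securestring]$Pwd)
        Import-Module WebAdministration
        $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString('N') + '.pfx')
        try {
            [IO.File]::WriteAllBytes($tmp, $PfxBytes)
            $c = Import-PfxCertificate -FilePath $tmp -Password $Pwd -CertStoreLocation Cert:\LocalMachine\My
            $bindings = @(Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)
            foreach ($b in $bindings) { $b.AddSslCertificate($c.Thumbprint, 'My') }
            "$env:COMPUTERNAME now serves $($c.Thumbprint) on $($bindings.Count) https:443 binding(s)"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue   # the private key must not linger in a temp folder
        }
    }
}
Remove-Item $ExportPfx   # same reason: the local copy is not needed once it has been distributed
```

Two points worth keeping in mind. The Exchange-native equivalent of the binding step is Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS from the Exchange Management Shell, which is what the EMC import above ends up doing. And the scheduled task only renews on the server that ran the client, so this distribution has to be repeated after every renewal or the other servers will keep presenting the expired certificate.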