Let's Encrypt Certificate: Free SSL for Microsoft Exchange Server 2016 - Manual Renewal Process

 Hello All

Today we are going to see how to acquire a free SSL certificate from the Let's Encrypt certificate authority. This certificate can be used on our Exchange servers, though most likely in a testing environment.

Personally, I have not seen a Let's Encrypt free certificate in production, but it is good to learn about new things in the market. In production you will mostly find the large commercial CAs, such as DigiCert, Comodo or AWS Certificate Manager, in Exchange environments.

Here we go through the steps to obtain the SSL certificate from the CA. The renewal process is manual and has to be repeated every 90 days. Personally, I tried the auto-renewal process, but it failed for me during authentication (with the manual DNS validation used below, win-acme itself notes that auto-renew is not possible).




Who is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

They give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way they can. They do this because they want to create a more secure and privacy-respecting Web.

More info about Let's Encrypt:

https://letsencrypt.org/about/#:~:text=Let's%20Encrypt%20is%20a%20free,Security%20Research%20Group%20(ISRG).


Win ACME Client

win-acme is a tool that helps us get the certificate from Let's Encrypt through an interactive menu.

GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
https://github.com/win-acme/win-acme

Create a folder named Lets Encrypt in C:\Program Files. Extract the files in the .zip to the folder C:\Program Files\Lets Encrypt.

Edit settings_default.json before you request a certificate from Let's Encrypt. This makes the certificate's private key exportable when it is imported into the certificate store, which the Exchange import script needs:

Go to the folder C:\Program Files\Lets Encrypt

  1. Open settings_default.json with Notepad
  2. Set PrivateKeyExportable to true
  3. Save the file

To start the application, right-click the application file wacs.exe and choose Run as administrator.

 

A simple Windows ACMEv2 client (WACS)

 Software version 2.2.7.1612 (release, pluggable, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit
 Please choose from the menu: m
 Running in mode: Interactive, Advanced
 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.
 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort
 How shall we determine the domain(s) to include in the certificate?: 2
Description:         A host name to get a certificate for. This may be a
                     comma-separated list.
 Host: mail.cloudmonkeys.xyz,autodiscover.cloudmonkeys.xyz


Source generated using plugin Manual: mail.cloudmonkeys.xyz and 1 alternatives
 Friendly name '[Manual] mail.cloudmonkeys.xyz'. <Enter> to accept or type desired name: <Enter>

By default your source identifiers are covered by a single certificate. But
 if you want to avoid the 100 domain limit, want to prevent information
 disclosure via the SAN list, and/or reduce the operational impact of a single
 validation failure, you may choose to convert one source into multiple
 certificates, using different strategies.
 1: Separate certificate for each domain (e.g. *.example.com)
 2: Separate certificate for each host (e.g. sub.example.com)
 3: Separate certificate for each IIS site
 4: Single certificate
 C: Abort
 Would you like to split this source into multiple certificates?: 4

 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard identifiers the latter is the only option.
 Various additional plugins are available from
 https://github.com/win-acme/win-acme/.
 1: [http] Save verification files on (network) path
 2: [http] Serve verification files from memory
 3: [http] Upload verification files via FTP(S)
 4: [http] Upload verification files via SSH-FTP
 5: [http] Upload verification files via WebDav
 6: [dns] Create verification records manually (auto-renew not possible)
 7: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns] Create verification records with your own script
 9: [tls-alpn] Answer TLS verification request from win-acme
 C: Abort
 How would you like prove ownership for the domain(s)?: 6

After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.
 1: Elliptic Curve key
 2: RSA key
 C: Abort
 What kind of private key should be used for the certificate?: 2


When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).
 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps
 How would you like to store the certificate?: 4

1: [WebHosting] - Dedicated store for IIS
 2: [My] - General computer store (for Exchange/RDS)
 3: [Default] - Use global default, currently WebHosting
 Choose store to use, or type the name of another unlisted store: 2

1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps
 Would you like to store it in another way too?: 5

With the certificate saved to the store(s) of your choice, you may choose one
 or more steps to update your applications, e.g. to configure the new
 thumbprint, or to update bindings.
 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

Which installation step should run first?: 2
Description:         Path to script file to run after retrieving the
                     certificate. This may be any executable file or a
                     Powershell (.ps1) script.
 File: ./Scripts/ImportExchange.ps1
{CertCommonName}:    Common name (primary domain name)
{CachePassword}:     .pfx password
{CacheFile}:         .pfx full path
{CertFriendlyName}:  Certificate friendly name
{CertThumbprint}:    Certificate thumbprint
{StoreType}:         Type of store (e.g. CentralSsl, CertificateStore,
                     PemFiles, ...)
{StorePath}:         Path to the store
{RenewalId}:         Renewal identifier
{OldCertCommonName}: Common name (primary domain name) of the previously
                     issued certificate
{OldCertFriendlyName}: Friendly name of the previously issued certificate
{OldCertThumbprint}: Thumbprint of the previously issued certificate
{vault://json/mysecret}: Secret from the vault
Description:         Parameters for the script to run after retrieving the
                     certificate. Refer to
                     https://win-acme.com/reference/plugins/installation/script
                     for further instructions.
 Parameters: '{CertThumbprint}' 'IIS,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'
 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

Add another installation step?: 3

Plugin Manual generated source mail.cloudmonkeys.xyz with 2 identifiers
 Plugin Single created 1 order
 Cached order has status invalid, discarding
 [autodiscover.cloudmonkeys.xyz] Authorizing...
 [autodiscover.cloudmonkeys.xyz] Authorizing using dns-01 validation (Manual)

Domain:              autodiscover.cloudmonkeys.xyz
Record:              _acme-challenge.autodiscover.cloudmonkeys.xyz
Type:                TXT
Content:             "Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4"
Note:                Some DNS managers add quotes automatically. A single set
                     is needed.

Go to your external DNS provider. Mine is GoDaddy.

Create a TXT record:
Name: _acme-challenge.autodiscover.cloudmonkeys.xyz
Value: "Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4"

 Please press <Enter> after you've created and verified the record

 [autodiscover.cloudmonkeys.xyz] [97.74.108.19] No TXT records found
 [autodiscover.cloudmonkeys.xyz] [173.201.76.19] No TXT records found
 [autodiscover.cloudmonkeys.xyz] Preliminary validation failed on all nameservers
 The correct record has not yet been found by the local resolver. That means
 it's likely the validation attempt will fail, or your DNS provider needs a
 little more time to publish and synchronize the changes.

Please note: it can take a few minutes before each record can be validated against its SAN name, so the preliminary check may fail at first. Wait a little and choose Retry check until it succeeds.
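Before choosing Retry check, it helps to confirm from the Exchange server that the TXT record is already visible on every authoritative nameserver of the zone, because that is where Let's Encrypt will look. The following PowerShell is an added example, not part of the post or of win-acme; it assumes Resolve-DnsName from the DnsClient module is available (Windows Server 2012 or later) and takes the record name and token exactly as win-acme printed them.

```powershell
# Added example, not part of the post or of win-acme. Queries the zone's own
# nameservers directly (-DnsOnly, -Server) instead of the local resolver cache,
# since a stale cache is what makes a freshly created record look "missing".
function Test-AcmeTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $Zone,      # apex zone, e.g. cloudmonkeys.xyz
        [Parameter(Mandatory)] [string] $HostName,  # SAN name, e.g. mail.cloudmonkeys.xyz
        [Parameter(Mandatory)] [string] $Expected   # token win-acme printed as "Content:"
    )
    $record = "_acme-challenge.$HostName"
    # The NS records of the zone list every server that must carry the record
    $nameServers = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost }
    $allFound = $true
    foreach ($ns in $nameServers) {
        try {
            $values = Resolve-DnsName -Name $record -Type TXT -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { ($_.Strings -join '').Trim('"') }   # drop quotes some DNS managers add
            $found = $values -ccontains $Expected                     # token is case-sensitive
        } catch {
            $found = $false   # NXDOMAIN or an unreachable server counts as "not yet visible"
        }
        if (-not $found) { $allFound = $false }
        Write-Host ('{0,-28} {1}' -f $ns, $(if ($found) { 'OK' } else { 'missing or stale' }))
    }
    return $allFound
}

# Run once per SAN with the token win-acme showed for it; choose "Retry check"
# only after every nameserver reports OK.
Test-AcmeTxtRecord -Zone 'cloudmonkeys.xyz' -HostName 'autodiscover.cloudmonkeys.xyz' `
    -Expected 'Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4'
```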

 1: Retry check
 2: Ignore and continue
 3: Abort
 How would you like to proceed?: 1
 [autodiscover.cloudmonkeys.xyz] Preliminary validation succeeded
 [autodiscover.cloudmonkeys.xyz] Record Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4 successfully created
 [autodiscover.cloudmonkeys.xyz] Preliminary validation succeeded
 [autodiscover.cloudmonkeys.xyz] Authorization result: valid
Domain:              autodiscover.cloudmonkeys.xyz
Record:              _acme-challenge.autodiscover.cloudmonkeys.xyz
Type:                TXT
Content:             "Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4"
 Please press <Enter> after you've deleted the record

You may now delete the record in your external DNS.

[autodiscover.cloudmonkeys.xyz] Record Rrxknkm4RTri-NxAqaRN9sg0itLrtKDFDJx79A2EAU4 deleted
 [mail.cloudmonkeys.xyz] Authorizing...
 [mail.cloudmonkeys.xyz] Authorizing using dns-01 validation (Manual)

Now the same steps for the other SAN name, mail.cloudmonkeys.xyz:

Domain:              mail.cloudmonkeys.xyz
Record:              _acme-challenge.mail.cloudmonkeys.xyz
Type:                TXT
Content:             "vpe7_C1euCefYRg9_-nvp2GTWuiwhRZY7uvV3IkWrg8"
Note:                Some DNS managers add quotes automatically. A single set
                     is needed.
 Please press <Enter> after you've created and verified the record

Go to your external DNS provider. Mine is GoDaddy.
Create the TXT record:
Name: _acme-challenge.mail.cloudmonkeys.xyz
Value: "vpe7_C1euCefYRg9_-nvp2GTWuiwhRZY7uvV3IkWrg8"

 [mail.cloudmonkeys.xyz] [97.74.108.19] No TXT records found
 [mail.cloudmonkeys.xyz] [173.201.76.19] No TXT records found
 [mail.cloudmonkeys.xyz] Preliminary validation failed on all nameservers
 The correct record has not yet been found by the local resolver. That means
 it's likely the validation attempt will fail, or your DNS provider needs a
 little more time to publish and synchronize the changes.
 1: Retry check
 2: Ignore and continue
 3: Abort
 How would you like to proceed?: 1
 [mail.cloudmonkeys.xyz] [97.74.108.19] No TXT records found
 [mail.cloudmonkeys.xyz] [173.201.76.19] No TXT records found
 [mail.cloudmonkeys.xyz] Preliminary validation failed on all nameservers
 The correct record has not yet been found by the local resolver. That means
 it's likely the validation attempt will fail, or your DNS provider needs a
 little more time to publish and synchronize the changes.
 1: Retry check
 2: Ignore and continue
 3: Abort
 How would you like to proceed?: 1
 [mail.cloudmonkeys.xyz] [173.201.76.19] No TXT records found
 [mail.cloudmonkeys.xyz] Preliminary validation failed on 1/2 nameservers
 The correct record has not yet been found by the local resolver. That means
 it's likely the validation attempt will fail, or your DNS provider needs a
 little more time to publish and synchronize the changes.
 1: Retry check
 2: Ignore and continue
 3: Abort
 How would you like to proceed?: 1
 [mail.cloudmonkeys.xyz] Preliminary validation succeeded
 [mail.cloudmonkeys.xyz] Record vpe7_C1euCefYRg9_-nvp2GTWuiwhRZY7uvV3IkWrg8 successfully created
 [mail.cloudmonkeys.xyz] Preliminary validation succeeded
 [mail.cloudmonkeys.xyz] Authorization result: valid
Domain:              mail.cloudmonkeys.xyz
Record:              _acme-challenge.mail.cloudmonkeys.xyz
Type:                TXT
Content:             "vpe7_C1euCefYRg9_-nvp2GTWuiwhRZY7uvV3IkWrg8"
 Please press <Enter> after you've deleted the record
 [mail.cloudmonkeys.xyz] Record vpe7_C1euCefYRg9_-nvp2GTWuiwhRZY7uvV3IkWrg8 deleted

Downloading certificate [Manual] mail.cloudmonkeys.xyz
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] mail.cloudmonkeys.xyz @ 2024/2/9 to store My
 Installing with Script...
 Script ./Scripts/ImportExchange.ps1 starting with parameters '4E7CA337EB47DCE22F50B632BD52AC4D3C928775' 'IIS,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\rwoepromxUGs10oFwi8lug-main-6090e7606d45c653f37b08863521e26a4bdbe1cd-temp.pfx' '********' '[Manual] mail.cloudmonkeys.xyz @ 2024/2/9'
 Script finished
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\Lets Encrypt
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00
 Do you want to specify the user the task will run as? (y/n*) - yes
 Enter the username (Domain\username): cloudmonkeys\administrator
 Enter the user's password: ************
 Adding renewal for [Manual] mail.cloudmonkeys.xyz
 Next renewal due after 2024/4/4
 Certificate [Manual] mail.cloudmonkeys.xyz created
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit
 Please choose from the menu: Q


Open a browser and check OWA / ECP. The certificate from Let's Encrypt should now be shown and valid.


We need to follow the same steps for each renewal, every 90 days.

Check Task Scheduler on your Exchange server: the win-acme renewal task runs daily. Because we chose the manual dns-01 plugin, for which win-acme itself states that auto-renew is not possible, the task will not complete a renewal on its own; the DNS records still have to be created by hand.
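Since nothing renews this certificate for us, a small check that can be run in the Exchange Management Shell after installation, and again from time to time, catches an approaching expiry before OWA / ECP start showing a warning. This is an added example, not part of the post or of win-acme; it assumes Get-ExchangeCertificate (Exchange Management Shell) and Get-ScheduledTask are available on the server, and uses the thumbprint and task name that win-acme printed above.

```powershell
# Added example, not part of the post or of win-acme. Run in the Exchange
# Management Shell on the server where win-acme installed the certificate.
function Test-ExchangeLetsEncryptCert {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,          # printed by win-acme when the script ran
        [string[]] $RequiredServices = @('IIS', 'IMAP'),      # the services passed to ImportExchange.ps1
        [int] $WarnDays = 30,
        [string] $TaskName = 'win-acme renew (acme-v02.api.letsencrypt.org)'
    )
    $issues = @()
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # A Let's Encrypt leaf is signed by one of its intermediates (O=Let's Encrypt),
    # so the issuer is a cheap sanity check that the right certificate was bound.
    if ($cert.Issuer -notmatch "Let's Encrypt") { $issues += "unexpected issuer: $($cert.Issuer)" }

    # Exchange only presents a certificate for the services it is enabled on;
    # IIS is what OWA / ECP / Autodiscover use.
    foreach ($svc in $RequiredServices) {
        if ("$($cert.Services)" -notmatch "\b$svc\b") { $issues += "not enabled for $svc" }
    }

    # Renewal is manual every 90 days with dns-01 (Manual), so warn early.
    if ($daysLeft -lt $WarnDays) { $issues += "expires in $daysLeft days, start the manual renewal" }

    # The daily task is only a reminder here: with the manual DNS plugin it
    # cannot finish a renewal by itself, but it should at least still exist.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $issues += "scheduled task '$TaskName' not found"; $null }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        DaysLeft       = $daysLeft
        Services       = $cert.Services
        TaskLastRun    = if ($info) { $info.LastRunTime } else { $null }
        TaskLastResult = if ($info) { $info.LastTaskResult } else { $null }
        Issues         = $issues
    }
}

Test-ExchangeLetsEncryptCert -Thumbprint '4E7CA337EB47DCE22F50B632BD52AC4D3C928775' | Format-List
```

An empty Issues list means the certificate is the Let's Encrypt one, is bound to IIS and IMAP, and has more than 30 days left.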


 
I hope this blog helps messaging admins get a free SSL certificate from Let's Encrypt. Happy learning 😃

