Certificate for Exchange 2019

Hi all,

I have downloaded Certify SSL Manager and am trying to generate a certificate for Exchange Server. My domain is autotomask.cz, but I need to add alternative names to the certificate - the primary domain is "mail.autotomask.cz" and the alternative names are "autodiscover.autotomask.cz, autodiscover.domain.local, mailserver.domain.local, mailserver".

I ran the "request certificate", but it produced this output:

2019-09-12 15:02:17.684 +02:00 [ERR] BeginCertificateOrder: error creating order. Retries remaining:1 :: Certes.AcmeRequestException: Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/new-order'.
urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "autodiscover.peugeot.local": Name does not end in a public suffix (and 2 more problems. Refer to sub-problems for more information.)

I am using IIS 10 and operating system is Windows Server 2019 Standard (virtual machine).

Can anyone give me some advice please, if it is possible to generate a certificate (up to 5 domains?) for these alternative names?

Many thanks in advance.

Hi @robajz

that's not possible.

You can create a certificate with mail.autotomask.cz and autodiscover.autotomask.cz. But the other names aren't unique. You can only create certificates with worldwide unique, public domain names.

The end of every domain name must be a public suffix (like .com, .org, .cz ...).


One question in addition to @JuergenAuer’s reply could be: what client systems are accessing your mail server using these internal names? Why are they doing this instead of using the public name?

Hi guys,

thanks for the quick reply. Our mailserver is accessed only by users that are domain users and external users (smartphone, tablet, laptop) at the same time.

I thought that the same alternative names as in the original self-signed certificate on Exchange have to be included for seamless connectivity from local and external networks/clients?

Yes, if the globally unique names for these servers do not work for internal users then certificates without the local names they expect to use won’t work.

You will need to fix things so that the global names for the servers work even locally (it isn’t necessary for data to travel over the public Internet, only that servers are addressed by a globally unique name) and then you can obtain certificates for those global names and everything will work.

Neither Let’s Encrypt nor a commercial CA is allowed to issue for those local names, if you need to use them for operational reasons you will need to use privately issued certificates to make that work and set everything up to trust those private certificates. But most people can arrange for the global names to work fine inside their organisation’s local networks. NB. It’s the name that needs to work, not the IP address.


Hi Tialaramex,

thanks for the reply. I think that adding DNS zones for autodiscover.autotomask.cz/mail.autotomask.cz and pointing them to the internal Exchange mailserver should be enough. I have done this. Now if I try to ping both of these names from the internal network, it returns the internal IP of the mailserver.

I suppose this resolves the problem with alternative names?

Yes, you may need to push out config changes or tell staff / users to ensure they use the global name, but once their software is asking for autodiscover.autotomask.cz (for example) a certificate with the name autodiscover.autotomask.cz will match that and everything checks out as OK.

Hi, I also tried requesting the certificate only for the public domain names, but it finished with this error:

2019-09-16 09:53:22.203 +02:00 [INF] Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/_3Wyhcyc34JZzmzdcFMHdI-8kL3CiuTCRHWgvKq-zRE [46.23.53.15]: 401
2019-09-16 09:53:24.756 +02:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/_3Wyhcyc34JZzmzdcFMHdI-8kL3CiuTCRHWgvKq-zRE [46.23.53.15]: 401

The log messages say that it was able to connect to an HTTP server on mail.autotomask.cz but when it requested the server’s answer to an ACME challenge it received an HTTP 401 “Unauthorised” error instead of the challenge answer.

You should investigate how this happens and fix it. Perhaps for example this server is set to deny access to non-employees, and of course the Let’s Encrypt system isn’t an employee. In that sort of scenario you could look at adding a rule which says the /.well-known/acme-challenge/ directory may be accessed by anybody. This directory is a “well known” directory (reserved by the IETF) only for proving control over the names to certificate authorities with the ACME protocol, so it should not be a problem to let anybody see it.
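A pre-flight check that covers both failures in this thread (the rejectedIdentifier error on .local and single-label names, and the 401 on the challenge path), written as an added example rather than anything from Certify SSL Manager or the posters; the public-suffix set is a constructed subset and the function names are my own:

```python
"""Pre-flight checks for an ACME order: rejectable names and HTTP-01 reachability."""
import urllib.error
import urllib.request

# Constructed subset of the Public Suffix List (assumption for this example);
# a real check should load the full list from https://publicsuffix.org/list/
PUBLIC_SUFFIXES = {"cz", "com", "org", "net", "co.uk"}


def issuable_names(names, public_suffixes=PUBLIC_SUFFIXES):
    """Split requested names into (ok, rejected) the way the CA's
    rejectedIdentifier check does: a name must be a proper subdomain of a
    public suffix, so bare hostnames and *.local names are rejected."""
    ok, rejected = [], {}
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        suffix_found = False
        # try the longest candidate suffix first (all labels but the first)
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in public_suffixes:
                suffix_found = True
                break
        if suffix_found:
            ok.append(name)
        elif len(labels) == 1:
            rejected[name] = "single-label name"
        else:
            rejected[name] = "Name does not end in a public suffix"
    return ok, rejected


def explain_status(code):
    """Map the HTTP status seen on the challenge URL to the likely cause."""
    if code == 401:
        return ("challenge path demands authentication; allow anonymous "
                "access to /.well-known/acme-challenge/ only")
    if code == 404:
        return "challenge file not served; check the /.well-known mapping"
    return f"unexpected HTTP {code}"


def probe_challenge_path(hostname, token, timeout=10):
    """Fetch the HTTP-01 URL from outside the LAN, as the CA would; returns (status, verdict)."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, "reachable; body must be the key authorization"
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code)
    except (urllib.error.URLError, OSError) as err:
        return None, f"connection failed: {err}"
```

Run `issuable_names` on the SAN list before ordering, and `probe_challenge_path` from an external host while a test file is in place, so a 401 is caught before the CA sees it.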
