Error Creating SSL for Exchange Server 2019

I get the following error when trying to create an SSL for my Exchange Server 2019

First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[autodiscover.bmcg.net.au] Authorizing...
[autodiscover.bmcg.net.au] Authorizing using http-01 validation (SelfHosting)
[autodiscover.bmcg.net.au] Authorization result: invalid
[autodiscover.bmcg.net.au] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "2603:1036:906:14::8: Invalid response from http://autodiscover.bmcg.net.au/.well-known/acme-challenge/vC843iFQIQ288p3lMF4wsGaJHjLiEp1mhsqDUR7IAmM: 403",
"status": 403
}

I have used the tool Win-ACME Version 2.1.22.1267 Pluggable

Setup as follows

M - Create Certification (Full Options)
2 - Manual Input
Host Names For Certificate: mail.businessmomentumcapital.com,mail.netronic.com.au,mail.businessturnaroundguys.com,mail.bmcg.net.au,mail.sensationalscents.net.au,mail.thecreativehub.com.au,mail.closingforcoaches.com,autodiscover.businessmomentumcapital.com,autodiscover.netronic.com.au,autodiscover.businessturnaroundguys.com,autodiscover.bmcg.net.au,autodiscover.sensationalscents.net.au,autodiscover.thecreativehub.com.au,autodiscover.closingforcoaches.com
Friendly Name: mail.businessmomentumcapital.com
2 - http-01 - Server Verification Files From Memory
2 - RSA Key
4 - Windows Certificate Store
2 - General Computer Store (Exchange/RDS)
5 - No Additional Store Steps
1 - Create or Update bindings in IIS
1 - Default Website
2 - Start External Script or Program - using ImportExchange.v2.ps1
Use Parameters - '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'
3 - No additional installation steps

Then attempts to run script and gives the error as outlined above.

If anyone can help me fix the issue it would be greatly appreciated.

We are running Windows Server 2019 Standard Edition with Exchange Server 2019 Standard Edition.

Regards

Andrew Mathieson-Blakely
Senior Technical Engineer
Netronic Solutions

Welcome to the community @netronic

I'll start by saying I know very little about Exchange or Windows Server. But, maybe this is enough to help while waiting for another volunteer ...

It looks like one of your domains is not configured to process the HTTP challenge request. When you request a cert the Let's Encrypt server will make a request to ensure you have control of that domain name.

This error says that the LE server tried to use that IPv6 address to reach your autodiscover.bmcg.net.au domain but got an http 403 reply instead of an http 200 OK with the proper challenge data setup by your acme client.

And, indeed, if I try a similar request I should receive an http 404 (not found) but also get a 403.

curl -I http://autodiscover.bmcg.net.au/.well-known/acme-challenge/ForumTest123

HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 02 Jun 2022 17:06:33 GMT

The DNS for that domain has several CNAMEs that end up pointing to a subdomain at office.com. That seems suspicious to me, but, again, I don't know much about your environ and Exchange servers.

Hope this helps.

4 Likes

Given the FQDNs are CNAMEd to Office.com/Outlook.com, you won't be able to use HTTP authentication to validate.

That said, you might be able to use DNS authentication.
[which depends on the DSP (DNS Service Provider) used and ACME client]

4 Likes
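The two replies above boil down to two checks that are worth running per hostname before re-running the ACME client: does the name's CNAME chain end at a host you control (a chain that terminates at outlook.com or office.com means the challenge request never reaches your IIS at all, so http-01 cannot succeed and dns-01 is the alternative), and, if it does reach you, does IIS answer an unknown token under /.well-known/acme-challenge/ with a 404 rather than the 403 seen in the thread. The script below is an added example and is not code from win-acme or from any poster in this thread; it assumes dig and curl are installed, that the zones you control are the ones listed in OWN_ZONES (a guess based on the hostnames in the post), and it caps the CNAME walk at 8 hops to avoid loops.

```shell
#!/bin/sh
# Pre-flight check for ACME http-01 on Exchange hostnames.
# Added example, not part of the thread. Assumptions: dig and curl are
# installed; OWN_ZONES lists the apex zones whose records you control.

OWN_ZONES="bmcg.net.au netronic.com.au"   # assumption: zones you control

# classify_chain "host cname1 cname2 ..." -> "self" if the final name in
# the chain is inside one of OWN_ZONES, otherwise "external".
classify_chain() {
  chain="$1"
  last="${chain##* }"      # final name in the space-separated chain
  last="${last%.}"         # drop the trailing dot dig prints on CNAME targets
  for zone in $OWN_ZONES; do
    case "$last" in
      "$zone"|*."$zone") echo self; return 0 ;;
    esac
  done
  echo external
}

# recommend CHAIN_VERDICT HTTP_STATUS -> which validation to use next.
recommend() {
  if [ "$1" = external ]; then
    echo dns-01                   # request never reaches your IIS; HTTP validation is impossible
  elif [ "$2" = 403 ]; then
    echo fix-403-then-http-01     # name is yours, but IIS denies the challenge path
  elif [ "$2" = 404 ] || [ "$2" = 200 ]; then
    echo http-01                  # path is reachable; a real token would be served
  else
    echo investigate              # timeout, connection refused, redirect, etc.
  fi
}

# cname_chain HOST -> "HOST target1 target2 ..." by following CNAMEs with dig.
cname_chain() {
  name="$1"; chain="$1"
  for _ in 1 2 3 4 5 6 7 8; do    # bounded walk: stop on a CNAME loop
    next=$(dig +short CNAME "$name" | head -n 1)
    [ -n "$next" ] || break
    chain="$chain $next"; name="$next"
  done
  echo "$chain"
}

# probe_http HOST -> HTTP status for a random, nonexistent challenge token.
# A correctly configured server answers 404 here; 403 reproduces the thread's error.
probe_http() {
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  curl -sS -o /dev/null -m 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/preflight-$token" || true
}

preflight() {
  for host in "$@"; do
    chain=$(cname_chain "$host")
    verdict=$(classify_chain "$chain")
    status=$(probe_http "$host")
    printf '%-45s dns=%-8s http=%s -> %s\n' \
      "$host" "$verdict" "$status" "$(recommend "$verdict" "$status")"
  done
}

# Network checks run only when invoked explicitly, e.g.:
#   PREFLIGHT_RUN=1 sh preflight.sh mail.bmcg.net.au autodiscover.bmcg.net.au
if [ "${PREFLIGHT_RUN:-}" = 1 ]; then preflight "$@"; fi
```

Run it over the full "Host Names For Certificate" list from the post; every line that comes back as dns-01 is a name win-acme should validate through a DNS plugin for that zone's DNS provider rather than through http-01, and every fix-403-then-http-01 line points at an IIS request-filtering or URL-rewrite rule on the Default Website that is denying the challenge path.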

Hey Everyone

Thanks for your help, you put me on the right path and the certificate issues have now been sorted out.

Regards

Andrew

2 Likes
