Error message installing exchange cert (acme installer)


#1

Hi there,

I am having some issues installing a SAN certificate on my new Exchange server and am getting the error message below:

c:\acme>letsencrypt.exe --plugin manual --manualhost mail.domain.com,server1.domain.com,autodiscover.domain.com --validation selfhosting --installation iis,manual --installationsiteid 1 --script "./Scripts/PSScript.bat" --scriptparameters "./Scripts/ImportExchange.ps1 {5} IIS,SMTP,IMAP 1"

[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1910.1.6661.39349 (RELEASE)
[INFO] IIS version 10.0
[INFO] ACME server https://acme-v01.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/PKISharp/win-acme

[INFO] Running in Unattended mode
[INFO] Plugin Manual generated target [Manual] [3 bindings - mail.domain.com, …]
[INFO] Authorize identifier: mail.domain.com
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: rhamfs01.domain.com
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: autodiscover.domain.com
[INFO] Cached authorization result: valid
[WARN] Using cached certificate for mail.domain.com 2018/4/13 19:58:11 PM. To force issue of a new certificate within 24 hours, delete the .pfx file from the CertificatePath or run with the --forcerenewal switch. Be ware that you might run into rate limits doing so.
[WARN] Certificate with thumbprint 9AFF34130845B597CDF02CA3E3A0AB7494F7B8F7 is already in the store
[INFO] Installation step 1/2: IIS…
[INFO] Committing 1 https binding changes to IIS
[INFO] IIS will serve the new certificates after the Application Pool IdleTimeout has been reached.
[INFO] Installation step 2/2: Manual…
[INFO] Script ./Scripts/PSScript.bat starting with parameters ./Scripts/ImportExchange.ps1 9AFF34130845B597CDF02CA3E3A0AB7494F7B8F7 IIS,SMTP,IMAP 1
[EROR] Script error: File C:\acme\Scripts\ImportExchange.ps1 cannot be loaded. The file C:\acme\Scripts\ImportExchange.ps1 is not digitally
[EROR] Script error: signed. You cannot run this script on the current system. For more information about running scripts and setting
[EROR] Script error: execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
[EROR] Script error: + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
[EROR] Script error: + FullyQualifiedErrorId : UnauthorizedAccess
[INFO]
c:\acme>REM Generic batch script to execute powershell scripts along with positional parameters

c:\acme>REM Pass path to PS1 script as well as any parameters you want to pass

c:\acme>REM Spaces are not supported in script path

c:\acme>REM Also, in testing, powershell script must use positional parameters. Results may vary

c:\acme>REM Ex. "./Scripts/PSScript.bat c:\scripts\test.ps1 value"

c:\acme>powershell.exe -ExecutionPolicy RemoteSigned -File ./Scripts/ImportExchange.ps1 9AFF34130845B597CDF02CA3E3A0AB7494F7B8F7 IIS,SMTP,IMAP 1
Error: File C:\acme\Scripts\ImportExchange.ps1 cannot be loaded. The file C:\acme\Scripts\ImportExchange.ps1 is not digitally
Error: signed. You cannot run this script on the current system. For more information about running scripts and setting
Error: execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Error: + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
Error: + FullyQualifiedErrorId : UnauthorizedAccess

[WARN] Script finished with ExitCode 1
[INFO] Renewal for mail.domain.com succeeded
[INFO] Next renewal scheduled at 2018/6/7 18:58:25 PM

Any ideas? Please help :)

Cheers,
PongleTheDay


#2

Looks like the issue is with PowerShell not allowing you to run unsigned scripts from the internet. You’ll either need to unblock the file (so it’s treated as a local script instead of an internet-downloaded one), sign the script, or set the execution policy on your server to unrestricted (that last one is dangerous).

This is probably your best bet:
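
Added example, not part of either post above and not win-acme's own code: a PowerShell check that shows why the script named in the error output is refused under RemoteSigned and, once the file has been reviewed, removes the download mark from that one file only. The path is the one from the log; everything else is built-in cmdlets.

```powershell
# Added example. The path is the one shown in the error output above.
$script = 'C:\acme\Scripts\ImportExchange.ps1'

# 1. Effective policy per scope. A Group Policy scope (MachinePolicy or
#    UserPolicy) overrides the -ExecutionPolicy switch that PSScript.bat
#    passes to powershell.exe, so check these before changing anything.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Mark of the Web. Files saved by a browser carry a Zone.Identifier
#    alternate data stream; ZoneId=3 is the Internet zone, and RemoteSigned
#    demands a valid signature for scripts that have it.
$motw = Get-Item -LiteralPath $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Get-Content -LiteralPath $script -Stream Zone.Identifier
} else {
    'No Zone.Identifier stream: the file is already treated as local.'
}

# 3. Authenticode status (NotSigned, Valid, HashMismatch, ...).
$sig = Get-AuthenticodeSignature -LiteralPath $script
"Signature status: $($sig.Status)"

# 4. Record the hash of the exact content you read and approved, so a later
#    change to the file can be noticed before the next scheduled renewal.
"SHA256: $((Get-FileHash -LiteralPath $script -Algorithm SHA256).Hash)"

# 5. Only after reading the script: remove the download mark from this one
#    file. The machine-wide execution policy stays as it is.
if ($motw -and $sig.Status -eq 'NotSigned') {
    Unblock-File -LiteralPath $script
    'Unblocked. Re-run the win-acme command to repeat the installation step.'
}
```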

