Installing a Let's Encrypt Certificate on Exchange 2019 server

I am in the process of installing a Let's Certificate on Exchange 2019 server. Do I have to open port 80 for traffic to the Exchange server and isn't this a security issue?

Hi @sdaan, and welcome to the LE community forum :slight_smile:

It is as much a security issue as any other access to your server.
How are you going to use that cert?
Are you going to allow the Internet to connect to your server via HTTPS?
If so, then that is as big (or greater in some cases) a risk as allowing HTTP to your server.
That said, this is not a security forum - such questions should be asked/answered elsewhere.
We are here to help you get a cert.
To that end, you can do it via HTTP authentication OR via DNS authentication.
HTTP method is much simpler to automate than the DNS method.
If you choose to use HTTP authentication, there are several good native Windows ACME clients that can make that a simple process - provided the Internet can reach your servers' HTTP port.
If you choose to use DNS authentication, you must ensure the Windows ACME client used supports your DSP or you may not be able to automate the renewal process.

3 Likes

It totally depends on the client/authentication method that you are using.

For example, if you are using the ACMEExchange client (which is designed specifically for Exchange servers), then you need to open port 80 as it is deploying the HTTP-01 challenge type.

It is secure, as access to port 80 is allowed strictly to the .wellknown directory, which is created during the certificate request, and deleted immediately after the authorization completes. There is no security issue in this case.

1 Like

Thanks tdebrecini. I'll give the ACMEExchange client a try.

1 Like

@sdaan I'd also consider other ACME clients for Windows if I were you. Might all be legit, but a blog post with a shady ACME client without its own website (can't find anything) recommended by someone who just registered, would be rather low in the amount of trust I'd give it. (Personally I'd test my computer severely with malware-scanners after I'd used it by accident to be honest.)

You can find lots of Windows ACME clients on the client options page:

There's much experience here with CertifyTheWeb and PoshACME. Also with some other clients like win-acme, but note that experience here is mainly with Linux and less with Windows.

3 Likes

The benefit of other ACME clients is that they generally support DNS validation, which will depend on who your domain DNS is hosted with as to whether there is a supported API.

I don't think I've heard of ACMEExchange before but it looks like a reasonable little utility netometer have built for their own exchange server use. It seems to be somewhat derived from old ACMESharp powershell stuff (judging by it's "vault" file structure) so it has probably existed for a while, if not always publicly. It's using dotnet 3.1 circa 2019 but the app is recently compiled so it looks maintained.

2 Likes

Thanks @tdebrecini

Just to provide an update - the ACMEExchange client worked for me.

Yes @webprofusion , it's pretty simple but does everything I needed - installs, enables, and renews the Exchange certificates.
PS: It's not a virus @Osiris (checked it) - BTW these guys have been around with their site for more than 15 years :slight_smile:

3 Likes

I am glad that it worked fine for you @sdaan .

Yes, we've built it to simplify the process of installing and renewing Let's Encrypt certificates in Exchange servers.

BTW, the next version will add support for the install/renewal of LE certs on multiple Exchange servers behind a load balancer. Again, no external scripts or anything complicated will be involved (the email report and the log will still be emailed to the admin contact).

@NetoMeter
Any update on the ACMEExchange client support for Exchange Servers behing a load balancer?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.