LE ACME-Exchange.ps1 Exchange 2016 Renewal issues


#1

Hi all & @NetoMeter

Have successfully implemented the ACME script https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server/ to change the self-signed certificate on our Exchange 2016 to a LE cert, and the certificate is showing fine; our email clients (browser, apps & mobile devices) are accessing this fine, even after the switch over was done between the certificates, without having to reconfigure clients.

The problem I am having is, when testing the task scheduler (Part 4), the auto-renewal process does not populate a new certificate into Exchange.

After attempting this 3-4 times, and doing it via PowerShell in administrator mode, I am seeing errors about the directory/certificate missing during re-generation in the folder structure.
The specific errors that PS throws up are “New-ACMEIdentifier : An item with the same key has already been added”, followed later on by “Submit-ACMEChallenge : challenge has not been decoded”.

The acme_$date.log files are being generated every time the script is run, over the period of days when I was attempting this.
All the names have a valid registration status in the log…

From what I see, the .well-known folder has been created in C:\inetpub\wwwroot.well-known when I run the script, and in IIS.

Where am I going wrong here?

[UPDATE] Have seen this post ACMESharp Submit-ACMECertificate Commandlet Failing and, if I am understanding this correctly, the existing certificate is cached in the vault for 60 days, so will have to wait for this to expire or issue a new validation, which am not sure how to edit this step to achieve with ACME…

Thanks


#2

OK, I think I understand what the issue might be.
The “C:\ProgramData\ACMESharp\sysVault” is not being deleted, which I think should be deleted at the same time the .pfx certificates & the .well-known are.

As I attempted this process too many times in one week (5-6 times now, I believe), I am getting “Submit-ACMECertificate : Error creating new cert :: too many certificates already issued for exact set of domains: auto”

If someone can advise if I am understanding this whole process correctly, happy to explain further any queries.

Thanks


#3

hi @aleon

Is there any reason why you are coming to this forum instead of the chat that NetoMeter points you to?

The challenge with some of these specific scripts is that the logic is best understood by those creating the scripts

Andrei


#4

Hi Andrei,

I saw other posts being replied to on the forums by NetoMeter, hence opening a new thread; apologies if I have done something wrong.

@ahaw021

I still have the valid question, and I think the right term is “rate limit” for how many times a new certificate request can be done to LE.
I have read 300/week, but this doesn’t seem to line up, as I have only made around 5-10 requests in the last week?
Can you advise of the right figure here please.

Thanks


#5

hi @aleon

Not really just wondering :smiley:

Having a look at the script, the challenge, I believe, is that you will be able to create new certificates but it doesn’t have logic for renewals.

Using ACME-Sharp Library: https://github.com/ebekker/ACMESharp/wiki/Quick-Start

Good Guide: https://marc.durdin.net/2017/02/lets-encrypt-on-windows-redux/

FAQ (Cover Renewals): https://github.com/ebekker/ACMESharp/wiki/FAQ

How do I do renewals? Official support for renewals has not yet been implemented (i.e. via the renewal support of the underlying ACME protocol). However a workable kludge is to simply request a new certificate using the existing Validated Identifier (i.e. the same DNS name that you have already proven that you are the owner of). Once a DNS Identifier is verified, the verification is valid for a little over a year (after that time, you’ll need to re-verify your ownership). Simply, create a new Certificate Request and reference the same Identifier as before. See this issue for more details. Update: due to the recent changes in the Authorization process, this kludge is no longer working (see the last few comments on issue 167). Domain authorization expires after 60 days and default domain certificate expiration is 90 days.

I would suggest looking at letsencrypt-win-simple which is built on top of ACME-Sharp

Andrei


#6

hi @aleon

There is also a long explanation for the error you are seeing

Essentially you need to request a new challenge to pass

Andrei

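The flow Andrei describes in #5 and #6 (a new identifier and a new http-01 challenge on every run, rather than reusing the old alias, followed by a fresh certificate request) can be scripted as below. This is an added example, not the NetoMeter ACME-Exchange.ps1 script and not code from the ACMESharp project. Hostnames, contact address, IIS site name, PFX path and the 30-day renewal threshold are placeholders, and it assumes the task runs in plain PowerShell on the Exchange 2016 server with the ACMESharp 0.9.x module installed; cmdlet and parameter names should be checked against the installed version with Get-Command -Module ACMESharp. The timestamped alias is what avoids the “An item with the same key has already been added” error from #1, the expiry check up front is what keeps a daily scheduled task from running into the duplicate-certificate limit quoted in #8, and the -Staging switch lets you test the whole loop against the staging CA without spending production rate limit.

```powershell
# Added example: renew an Exchange 2016 certificate with ACMESharp using fresh
# identifiers per run. Not the NetoMeter script; placeholders are assumptions.
param(
    [string[]] $Hostnames  = @('mail.example.com', 'autodiscover.example.com'),  # assumed
    [string]   $Contact    = 'mailto:admin@example.com',                          # assumed
    [string]   $WebSiteRef = 'Default Web Site',                                  # assumed IIS site
    [string]   $PfxPath    = 'C:\ACME\exchange.pfx',                              # assumed scratch path
    [int]      $RenewIfDaysLeft = 30,                                             # assumed threshold
    [switch]   $Staging     # test against LetsEncrypt-STAGING to avoid production rate limits
)

$ErrorActionPreference = 'Stop'
Import-Module ACMESharp
# Exchange 2013/2016 management cmdlets when run from a plain PowerShell task.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# 0. Only renew when the bound certificate is actually close to expiry. A task that
#    requests a cert on every run hits the 5-per-week duplicate certificate limit.
$current = Get-ExchangeCertificate |
    Where-Object { (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Hostnames[0]) -and ($_.Services -match 'IIS') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($current -and $current.NotAfter -gt (Get-Date).AddDays($RenewIfDaysLeft)) {
    Write-Output "Certificate $($current.Thumbprint) valid until $($current.NotAfter); nothing to do."
    return
}

# 1. Reuse the existing vault (it holds the account key; never delete sysVault).
#    Initialise and register only if no vault exists yet.
if (-not (Get-ACMEVault -ErrorAction SilentlyContinue)) {
    if ($Staging) { Initialize-ACMEVault -BaseService LetsEncrypt-STAGING } else { Initialize-ACMEVault }
    New-ACMERegistration -Contacts $Contact -AcceptTos | Out-Null
}

# 2. New identifier + new http-01 challenge per hostname per run. A unique alias
#    avoids the "same key has already been added" collision in the vault, and a
#    fresh challenge is needed because authorizations expire after ~60 days.
$stamp     = Get-Date -Format 'yyyyMMddHHmm'
$idAliases = @()
foreach ($name in $Hostnames) {
    $alias = '{0}-{1}' -f ($name -replace '\.', '-'), $stamp
    New-ACMEIdentifier -Dns $name -Alias $alias | Out-Null
    # The iis handler writes the token under <site>\.well-known\acme-challenge\
    Complete-ACMEChallenge -IdentifierRef $alias -ChallengeType http-01 -Handler iis `
        -HandlerParameters @{ WebSiteRef = $WebSiteRef } | Out-Null
    Submit-ACMEChallenge -IdentifierRef $alias -ChallengeType http-01 | Out-Null
    $idAliases += $alias
}

# 3. Wait for every authorization to become 'valid' (up to ~60 s each).
foreach ($alias in $idAliases) {
    $tries = 0
    do {
        Start-Sleep -Seconds 5
        $status = (Update-ACMEIdentifier -IdentifierRef $alias -ChallengeType http-01).Status
        $tries++
    } while ($status -eq 'pending' -and $tries -lt 12)
    if ($status -ne 'valid') { throw "Authorization for $alias ended in status '$status'" }
}

# 4. One SAN certificate over all the new identifiers, then poll until issued.
$certAlias  = "exchange-$stamp"
$sans       = @($idAliases | Select-Object -Skip 1)
$certParams = @{ IdentifierRef = $idAliases[0]; Generate = $true; Alias = $certAlias }
if ($sans.Count -gt 0) { $certParams.AlternativeIdentifierRefs = $sans }
New-ACMECertificate @certParams | Out-Null
Submit-ACMECertificate -CertificateRef $certAlias | Out-Null
$tries = 0
do {
    Start-Sleep -Seconds 5
    $issued = Update-ACMECertificate -CertificateRef $certAlias
    $tries++
} while (-not $issued.IssuerSerialNumber -and $tries -lt 12)
if (-not $issued.IssuerSerialNumber) { throw "Certificate $certAlias was not issued in time" }

# 5. Export with a throw-away random password, import into Exchange, bind, clean up.
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$raw = New-Object byte[] 24
$rng.GetBytes($raw)
$pfxPlain  = [Convert]::ToBase64String($raw)
$pfxSecure = ConvertTo-SecureString $pfxPlain -AsPlainText -Force
Get-ACMECertificate -CertificateRef $certAlias -ExportPkcs12 $PfxPath -CertificatePassword $pfxPlain -Overwrite | Out-Null

$new = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
        -Password $pfxSecure -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP -Force
Remove-Item $PfxPath -Force   # key material stays in the vault; don't leave a PFX on disk
Write-Output "Bound new certificate $($new.Thumbprint), valid until $($new.NotAfter)"
```

Run it once by hand with -Staging to confirm the IIS handler, the Exchange import and the binding all work, then register it as the scheduled task without the switch. Old identifiers and certificates accumulate in the vault under their timestamped aliases; that is harmless, and preferable to deleting sysVault, which would also destroy the account key.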

#7

the rate limit documentation is here: https://letsencrypt.org/docs/rate-limits/

Andrei


#8

Thanks @ahaw021 I did read this page, but now after re-reading see this part which seems to be valid to me:

quote from: https://letsencrypt.org/docs/rate-limits/
"We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. "


#9

Aleon,

You should not delete the sysVault - that’s where your ACME account keys are.

Version 2 of the script is ready and fixes the renewal issues as well as the support for Exchange 2010. We are adding a wizard script, which simplifies checking status, generating the script with your data (of course, you can still do this manually as demonstrated in the video), schedules/checks/changes the renewal.

The wizard script is not complete yet, but if you are in a hurry, I can provide you with the updated v2 script via a PM.


#10

Andrei,

I am just curious - why would you recommend the letsencrypt-win-simple client for Exchange servers?

Don’t get me wrong - we’ve presented both clients; actually, the letsencrypt-win-simple first. Personally, I am familiar with the code of both clients, and I have my opinion. The principle that we stick to is not to tell clients which solution is better but to demonstrate both and let them choose/decide.

You seem to be pretty knowledgeable as far as LE certs are concerned, and it’s really important to me to see the logic behind your opinion. Have you tried these clients or at least, have you watched the video demos on our site?

The ACME Sharp video clearly demonstrates the configuration of the renewal task and the renewal. There is an issue, which affects some of the clients; it has been identified and fixed in v2 of the script. The delay is because we are bundling it with a wizard script which automates even further the process (exactly the creation of the renewal task in task scheduler) and adds sanity checks.

Regards,

Dean


#11

hi @NetoMeter

The recommendation was around the simplicity of getting SAN certificates and scheduling renewals.

I like the way you deal with the exchange components (e.g. identifying which exchange powershell module to use etc) and overall have to agree your script is more purpose built for exchange.

The commenting is good; however, if you don’t pay attention in certain areas (e.g. un-commenting the right number of SANs etc.) then you can get into trouble (I am sure you cover this in your video tutorials, but I don’t have Flash installed so can’t view them on your site).

Also - can I have a look at V2 of the script if possible?

Andrei


#12

Hi @NetoMeter & @ahaw021

Thanks for your continued support on this and yes I would like to receive v2 of the script please, thank you :slight_smile:

Keep up the good work!!!

P.S.: I almost forgot… I really didn’t delete the sysVault folder, only renamed it to .old! Will put it back now and wait for v2 to try renewals asap…


#13

Hi Dean / @NetoMeter,

Just like to add to my last reply: I’m not in a hurry and can wait till you guys have bundled everything up together.

Thanks
A. Leon


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.