Letsencrypt-win-simple with win-acme.v1.9.12.2



I am trying to set up an exchange Server 2019 on Platform server 2019 with an letsencrypt certificate.
Got the host on the same Full qualified hostname “email.4-s.cloud” the same on inside and outside, IPv6 configured and reachable, IPv4 offcourse through NAT only on poort 80 & 443

I am trying to figger out if this https://mediarealm.com.au/articles/lets-encrypt-microsoft-exchange-installation/ procedure is working for me, but can’t seem to figger out what is going wrong?

after setting the hostname in the bindings of the default website in IIS manager i still get the error “No DNS identifiers found” however when i ping on name i get the proper respons as wel in my internal network as on the outside

Can anybody point out to me how to debug the error about the DNS, or even better get me a procedure with letsencrypt for windows server 2019 and exchange service that is complete:)

Kind Regards


Hi @Gerards

both addresses, the ipv6 fe80: and the ipv4 192.168. are only private ip addresses.

Letsencrypt requires public visible ip addresses and a public visible domain name.



your (worldwid unique) domain name?


So what you are saying is i should point my dns to Google public DNS? voor both ipv4 & 6?

Yes 4-s.cloud is registered to my name so i could setup this domain easily:)

Kind Regards


Changing my dns to a certificate is being created.
Will continue with the procedure!!!


If this is the solution, then you had an isolated server, so the server couldn’t communicate with Letsencrypt.

And yep, I see (testet too late :wink: )

	email.4-s.cloud - 1 entry

a new Letsencrypt certificate.

But it’s curious you can create a certificate. Because 4-s.cloud has an incomplete DNSSEC configuration.

Fatal error: DNSKEY 19465 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

from my own tool, same with https://dnssec-analyzer.verisignlabs.com/email.4-s.cloud


My original plan was to have the communication via ipv6 (i had public ipv6 dns in mij config). but i’m not sure what happend now.
After i changed to i got my certificate, but my OWA website broke, so i set the dns backup to my internal server that host the “windows domain” (Active directory etc).
This fixed my exchange OWS website,
I ran letsencrypt again to replace the certificate with a new one (just to see if it would) AND it did, so despite the fact i am using my internal DNS (which is actualy pointing to for all other but local resolving)

Are you saying i should allso get my DSNSec properly configured??

Kind Regards


I don’t understand the CN=email.4-s.cloud part.
Didn’t it resolve properly for you? ( i thought i’d made all the DNS records…?)

Kind Regards


the config of my DNS provider give’s me this info

Looks like DNSSEC is there?? isn’t it?
Could it be that my DNSSEC certificate is not reconfignized as proper supported one (just like many https cert’s aren’t recogonize by some browsers??)

Kind Regards


This is only a part of the output of my online tool https://check-your-website.server-daten.de/?q=email.4-s.cloud

There I saw you have created a new certificate.

You have a DNSKEY in your zone. But you don’t have a DS record in your parent zone.

Zone (*) DNSSEC - Informations (beta)
4-s.cloud 0 DS RR in the parent zone found
DS-Query in the parent zone has a valide NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.
3 DNSKEY RR found
Public Key with Algorithm 8, KeyTag 1833, Flags 256
Public Key with Algorithm 8, KeyTag 12939, Flags 256
Public Key with Algorithm 8, KeyTag 19465, Flags 257 (SEP = Secure Entry Point)
1 RRSIG RR to validate DNSKEY RR found
• Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 24.01.2019, 00:00:00, Signature-Inception: 03.01.2019, 00:00:00, KeyTag 19465, Signer-Name: 4-s.cloud
• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 19465 used to validate the DNSKEY RRSet
Fatal error: DNSKEY 19465 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

Instead, your parent zone has a NSEC3 RR which confirms the non-existence of the DS RR.

So your chain of trust doesn’t exist. The parent zone confirms, that your zone is not secure.

A correct configured DNSSEC needs both: A DS record in the parent zone pointing to a DNSKEY RR. And a set of DNSKEY RR with a RRSIG signing this set. The DS part is missing.


OK. Tnx for the info Juergen!

I requested my provider (openprovider.eu) on info how to “glue” a DSrecord to my domain. If anybody out there has clue how i can do that. It would be very much appriciated if you told me:)

Kind Regards



I am wondering if the scheduled task of the ACME Tools is realy scheduled in my windows enviromet, and if it runs completely selfsupporting.
e.g. if it can be found in the scheduled task manager, i would be happy, but i can’t find it there

Kind Regards


I believe it runs it own “scheduler”.


Then i takes up CPu and i should be able to find a process.
Do you perhaps know what the name of the process is ?

Kind Regards


Sadly, I don’t know it.
I don’t use LEWS.

closed #15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.