Problems with Exchange 2013 DAG Cluster


#1

Hi there,
I’m using 2 Exchange 2013 servers in a DAG. The servers are running Windows Server 2012 R2, using the same URL but different public and internal IP addresses. That may be the reason why they want to have different DNS records for the acme-challenge of the cluster URL. How can I configure the DNS for two different servers?

Greetings, Thomas


#2

This sounds like a Microsoft question.
If Microsoft can provide a solution for any CA, then you should be able to use LE certs.


#3

Hello!
I used certificates from StartSSL until they were marked as bad. They worked very well. Okay, I had to renew them manually, but they had a validity period of 2 years.
I think the problem is the verification process for the web server. Two servers with the same URL in the certificate calculate a different verification string.
How should I deal with this? Or are you right that LE isn’t a possibility for my clustered web servers?

Greeting, Thomas


#4

Is there a problem with that? You can create multiple TXT records under _acme-challenge.example.org and as long as one of them matches what is requested, that’s okay.

Generally you will want to automate the setup of these records and renewal of the certificates using one of the available clients: https://letsencrypt.org/docs/client-options/#windows-iis . I am not sure if any of them would be suitable, depends how your DNS zone is hosted.

For example, if you use Windows DNS, Posh-ACME has support: https://github.com/rmbolger/Posh-ACME/blob/master/Posh-ACME/DnsPlugins/Windows-Readme.md


#5

Hello, and thank you for the answer.
I’m using the “Certify The Web” client, which does a good job.
As you wrote, I tried to use the TXT records in the DNS. One problem here is that I’m not able to edit these records directly - it’s done by a provider - and the other, and for me bigger, problem is what I’ll try to explain:
One server needs a TXT record " _acme-challenge.autodiscover.domain.com with the value: DRXIfKtmLBaxChFkhtZDHRJ31BKJIN7C_7lahPtRWR8 " and the other server wants " _acme-challenge.autodiscover.domain.com with the value: XQa1UvJO2zfceIYUfE4MVITOfscWGwi3w0RmqMFYqXo "

The requests should be the same and I think it would work. How is this string calculated? Why is it different?

Greetings!


#6

The string is different because (for whatever reason) the CA has given you separate challenges to complete. If you use two different Certify the Web clients, it’s because the ACME account is different.

But my previous point stands:

It is entirely valid to have BOTH values in DNS. Both servers will be happy in that case.

For example, a domain of mine:

$ dig +noall +answer _acme-challenge.plugindev.ga txt
_acme-challenge.plugindev.ga. 593 IN    TXT     "7S4ZVbhZ0NU86o1qK0xnEaInqHRy4pB7KZem1nQva2Q"
_acme-challenge.plugindev.ga. 593 IN    TXT     "SLqPIPKURLJYkWvm8Xl1tpJP3WKNMNfYKqC0cCxHAxo"
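
As an added example (not from the original thread, and not code from the Certify The Web or Posh-ACME projects), here is a small Python model of what posts #4 and #6 describe: how the DNS-01 TXT value is derived from the challenge token and the ACME account key (RFC 8555 sections 8.1 and 8.4, RFC 7638 for the thumbprint), why two clients with two accounts and two tokens end up with different strings, and why a CA that finds both values in the _acme-challenge RRset is satisfied either way. The account keys, tokens and the zone dictionary are constructed sample data, and autodiscover.example.com is a placeholder name.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization)).
    A different account key OR a different token gives a different value."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_validate(zone: dict, name: str, token: str, account_jwk: dict) -> bool:
    """Model of the CA's check: read every TXT record at _acme-challenge.<name> and pass
    if ANY of them equals the expected value. Extra records are simply ignored, which is
    why two servers (or two accounts) can publish their values side by side."""
    expected = dns01_txt_value(token, account_jwk)
    records = zone.get(f"_acme-challenge.{name}", [])
    return any(r.strip('"') == expected for r in records)  # dig prints values quoted


def publish_both(zone: dict, name: str, challenges) -> dict:
    """Add one TXT record per (token, account) pair, keeping records that are already there."""
    rrset = zone.setdefault(f"_acme-challenge.{name}", [])
    for token, jwk in challenges:
        value = dns01_txt_value(token, jwk)
        if value not in rrset:
            rrset.append(value)
    return zone


# Constructed sample data: NOT real keys. Random x/y bytes are enough for a thumbprint
# demo but do not form a usable P-256 point.
def fake_ec_jwk() -> dict:
    return {"kty": "EC", "crv": "P-256",
            "x": b64url(secrets.token_bytes(32)), "y": b64url(secrets.token_bytes(32))}


ACCOUNT_A = fake_ec_jwk()   # ACME account used by the first Exchange server (assumed)
ACCOUNT_B = fake_ec_jwk()   # ACME account used by the second Exchange server (assumed)
NAME = "autodiscover.example.com"


def demo() -> dict:
    # The CA issues every challenge with its own random token, so two servers get two tokens.
    token_a = b64url(secrets.token_bytes(32))
    token_b = b64url(secrets.token_bytes(32))
    zone = publish_both({}, NAME, [(token_a, ACCOUNT_A), (token_b, ACCOUNT_B)])
    return {
        "records": zone[f"_acme-challenge.{NAME}"],
        "server_a_ok": dns01_validate(zone, NAME, token_a, ACCOUNT_A),
        "server_b_ok": dns01_validate(zone, NAME, token_b, ACCOUNT_B),
        # Same token but the other account's key: the expected value changes, so it fails.
        "cross_account_ok": dns01_validate(zone, NAME, token_a, ACCOUNT_B),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the validator only needs one matching record in the RRset, the practical answer for a DNS zone managed by a provider is to leave both values in place rather than replacing one with the other; the only thing to watch is that stale values do not pile up over many renewals, so remove records once the challenge that needed them has been validated.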

#7

Hello!

A great thank you, _az. That was the information I needed - I hope. I didn’t know that it’s okay to have two of the TXT records in the DNS. But it should be normal; I have two A records for my web server name.
I’ll try this in 3 months, when the next renewal will be done. Then my provider should create more TXT records.

I will reply then.
Thanks again and greetings,
Thomas