Renewal of Exchange SAN certificate with multiple CAS servers behind hardware load balancer


#1

Hi All,

I have tested the SAN certificate, it is working great with our environment.

But I am facing an issue with renewal when using the script with multiple CAS servers on two sites behind the same common name. Our Exchange CAS servers are load balanced on a KEMP hardware LB. When I run the ACME-Exchange.ps1 script, sometimes it validates all SAN names, and sometimes it fails to validate. After some troubleshooting I found that during domain validation it is hitting the other CAS on which the script is not running. So I disabled the other virtual server (CAS) on the LB, and the domains were successfully validated. So I was thinking that we cannot automate the certificate renewal in this way, because every time I have to disable the other virtual servers on KEMP.

Is anyone else using the same script for multiple CAS servers behind a load balancer with the same common name?

Our environment is that we have two sites, with the same common name:

CN: mail.pern.edu.pk

DNS records:
mail.pern.edu.pk : Site1_PublicIP_VIP-LB, Site2_PublicIP_VIP-LB

Other entries:
owa.pern.edu.pk : Site1_PublicIP_VIP-LB, Site2_PublicIP_VIP-LB
autodiscover.pern.edu.pk


#2

Can you set up your load balancer to proxy the path “/.well-known/acme-challenge/” only to your script-executing CAS?

If not, I'd try something like this:

  1. Share the ".well-known" folder of IIS on your main CAS. It's apparently created by your script and removed after execution, so you'd have to create it manually and comment out the line in your script which removes the folder.
  2. Map the shared folder to a local folder inside the wwwroot of each other CAS:

mklink /d c:\inetpub\wwwroot\.well-known \\cas01.example.com\well-known

This way each of your CAS servers will be able to satisfy the challenge.


#3

Hi @localhorst,

Thanks for the reply. I also received almost the same reply from Netometer support.

“You can preconfigure the “.well-known” directory on a share accessible by both CAS and comment the line at the bottom that deletes the .well-known dir when the cert is installed. That way it won’t matter which CAS receives the requests - all that matters is that the unique subfolder and file is created.”

I followed the same steps:

  1. On CAS01, manually create the ".well-known" folder in "c:\inetpub\wwwroot" and then enable sharing on it.
  2. Comment out the line in the script which removes the folder.
  3. Go to CAS02, and run the mapping command:

Please also confirm that after this procedure, do I have to run the ACME-Exchange.ps1 script on each server for a separate certificate? Or do I have to export the certificate from the first CAS server and manually import it on the other CAS servers?


#4

Waqasahmed,

The simplest and easiest approach would be to:

  1. Dedicate just one of the CAS servers for the certificate requests, validation, and installation - configure traffic on port 80 on the LB to go to just that server.
  2. Run Import-ExchangeCertificate on the dedicated server for each additional CAS behind the load balancer - just add the line with the "-Server" option in the script as well, like this:

Import-ExchangeCertificate -Server Other_CAS_Behind_LB -FileName $SAN_pfxfile -FriendlyName $SANcert_alias | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS" -Force

That way, when the certificate is issued and converted to a PFX file, it will be installed on all CAS servers. If there are many people getting stuck with this scenario, we'll publish a video for it as well, but it's a pretty straightforward approach.

Regards,

Dean


#5

Hi Dean,

Thanks for the reply.

How can I dedicate just one of the CAS servers for the certificate requests, validation, and installation?

Currently there is one Exchange load balancing rule on the LB, in which the LB VIP IP is balancing three CAS servers for port 443.

The SAN entries were successfully validated and the certificate was generated and applied on both CAS servers. But on the second CAS server the certificate was only enabled for the "IMAP & POP" services. Don't know why it was not applied to the IIS and SMTP services, as they were also in the command.

Also the IIS service on the second CAS server was not restarted after the script ended.

Regards,


#6

Ah,

I see where the issue is - you need to use the "-Server" parameter with the "Enable-ExchangeCertificate" cmdlet as well. That way, after installing the certificate remotely on the other CAS servers, you will enable it remotely as well, and the whole process will be fully automated:

Import-ExchangeCertificate -Server Other_CAS02_Behind_LB -FileName $SAN_pfxfile -FriendlyName $SANcert_alias | Enable-ExchangeCertificate -Server Other_CAS02_Behind_LB -Services "SMTP, IMAP, POP, IIS" -Force

Regards,

Dean
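The remote import/enable step from this reply, extended to a loop over every other CAS with a read-back check on each server. This is an added example and is not code from the thread or from ACME-Exchange.ps1; it assumes the script's own `$SAN_pfxfile` and `$SANcert_alias` variables are in scope, that the PFX has no password (add `-Password` if it does), and that the server names in `$OtherCas` are placeholders for the real CAS hostnames.

```powershell
# Added example (not part of ACME-Exchange.ps1): push the issued PFX to every other CAS behind
# the LB, enable it there, and verify what each remote server actually reports.
$OtherCas = @('CAS02.example.com', 'CAS03.example.com')   # placeholders: CAS servers not running the script
$Services = 'SMTP, IMAP, POP, IIS'

# -FileData sends the bytes with the request, so the PFX path does not have to be reachable
# from the remote server (with -FileName it would have to be a UNC path the target can open).
$PfxBytes = [System.IO.File]::ReadAllBytes($SAN_pfxfile)

$results = foreach ($server in $OtherCas) {
    $cert = Import-ExchangeCertificate -Server $server -FileData $PfxBytes -FriendlyName $SANcert_alias

    # Without -Server here the cmdlet enables the certificate on the LOCAL CAS only,
    # which is why the second server ended up with just IMAP/POP in post #5.
    $cert | Enable-ExchangeCertificate -Server $server -Services $Services -Force

    # Restart IIS on the remote server so the new binding is picked up (assumes PowerShell remoting).
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset /noforce | Out-Null }

    # Read back from the remote server rather than trusting the pipeline output.
    $check = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
    [pscustomobject]@{
        Server     = $server
        Thumbprint = $check.Thumbprint
        NotAfter   = $check.NotAfter
        Services   = "$($check.Services)"
        Ok         = ("$($check.Services)" -match 'IIS') -and ("$($check.Services)" -match 'SMTP')
    }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "IIS/SMTP not enabled on: $($bad.Server -join ', ')"
}
```

Run it from the Exchange Management Shell on the dedicated CAS, after the script has produced the PFX and before the old certificate expires.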


#7

Hi Netometer,

As explained, we have a common name for two sites: mail.pern.edu.pk, which is mapped to the two sites' IPs in public DNS.

Now when I run the script, the DNS name mail.pern.edu.pk does not validate. And I think it is happening because the script is running on one CAS and the DNS is hitting the other site's CAS.

So the same issue also exists with DNS load balancing for the two sites' common name.

Regards,
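A pre-flight check for the problem described in this thread (the validator landing on a CAS or site that cannot serve the challenge): drop a probe file into the acme-challenge folder and fetch it through every public IP the common name resolves to, sending the real Host header as the CA would. This is an added example, not code from the thread or from ACME-Exchange.ps1; the hostname, folder path and probe values are assumptions/placeholders.

```powershell
# Added example: confirm every A record of the common name serves the HTTP-01 challenge path.
$CommonName    = 'mail.pern.edu.pk'
$ChallengeRoot = 'C:\inetpub\wwwroot\.well-known\acme-challenge'   # local folder or the mapped share
$Token    = 'lbprobe-' + [guid]::NewGuid().ToString('N')           # constructed probe name
$Expected = 'probe-' + (Get-Date -Format 'yyyyMMddHHmmss')         # constructed probe content

New-Item -ItemType Directory -Path $ChallengeRoot -Force | Out-Null
Set-Content -Path (Join-Path $ChallengeRoot $Token) -Value $Expected -NoNewline -Encoding Ascii

$ips = Resolve-DnsName -Name $CommonName -Type A |
       Where-Object { $_.IPAddress } | ForEach-Object IPAddress | Sort-Object -Unique

$failed = @()
foreach ($ip in $ips) {
    # Connect to the VIP directly but keep the Host header, exactly as the CA's validator does.
    $url = "http://$ip/.well-known/acme-challenge/$Token"
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Host = $CommonName
        $req.Timeout = 10000
        # Do not follow redirects: an HTTP->HTTPS redirect would re-resolve the name via DNS
        # and hide which VIP actually answered.
        $req.AllowAutoRedirect = $false
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd().Trim()
        $reader.Close(); $resp.Close()
        if ($status -eq 200 -and $body -eq $Expected) {
            Write-Host "OK    $ip serves the challenge file"
        } else {
            Write-Warning "FAIL  $ip answered $status with content '$body'"
            $failed += $ip
        }
    } catch {
        Write-Warning "FAIL  $ip : $($_.Exception.Message)"
        $failed += $ip
    }
}

Remove-Item -Path (Join-Path $ChallengeRoot $Token) -ErrorAction SilentlyContinue
if ($failed.Count -gt 0) {
    throw "Challenge path not served by: $($failed -join ', '). Fix the LB port-80 rule or the shared folder before renewing."
}
```

If one site's VIP fails here, the renewal will fail intermittently exactly as in post #1, regardless of which CAS runs the script.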

