Here is an update:
We've tested three Let's Encrypt Windows clients - on Windows Server (IIS) running 2008R2, 2012R2, 2016, and on Exchange 2013/2016 Server 2012R2:
Letsencrypt-win-simple - IIS and Exchange server (successfully)
ACME-posh - IIS and Exchange server (successfully)
Certify for Windows (not good)
Here are the details:
1. Letsencrypt-win-simple - we've built version 126.96.36.199 from source and tested it on Windows Server (IIS) running 2008R2, 2012R2, 2016. Works flawlessly - both new cert requests and cert renewals. We've published a detailed video and the build that we've used here:
We've encountered the following "issues":
- The sites that you request a certificate for need to have a FQDN in their http bindings; otherwise, they are not listed and you need to use manual mode, which works fine.
- You can request and get a SAN (multi domain certs), but that also requires manual mode.
- Installing a SAN certificate in Exchange also works, but it's a pain - requires manual mode and a lot of adjustments. BTW, the Exchange 2016 instructions on the Letsencrypt-win-simple WIKI are not correct - you need to use the Enable-ExchangeCertificate cmdlet and assign the new Let's Encrypt SAN cert to all services (IMAP, POP, SMTP, and IIS), not just the Default Web Site. That's not possible until you move the generated and installed SAN cert to the Local Machine/Personal store. Bottom line, at that point, the Letsencrypt-win-simple is not suitable for automatic Exchange SAN certs requests and renewals unless you are fine with performing this manually, which defeats the purpose of the ACME protocol - automating the whole procedure, while providing better security.
2. ACME-posh v0.8.1 is the client that's suitable for Exchange SAN certificates - works just fine and is suitable for fully automating the cert issuance and renewals - our step-by-step video is almost ready.
One issue that we've encountered is that the IISChallengeHandler was failing on Server 2012R2 and Server 2016 - it's running fine on Server 2008R2. It turned out the issue is related to the config file that's generated in the directory where the challenge file is created. After we've modified the config file and recompiled, the client works perfectly. We'll publish the compiled build and the script we used with the video, as well as the changes that we've had to make.
3. Certify for Windows - big disappointment - doesn't work and it seems the project is abandoned; no updates since March 2016.
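The Exchange step the post describes (move the SAN cert into the Local Machine/Personal store, then bind it to IMAP, POP, SMTP and IIS with Enable-ExchangeCertificate) as an added PowerShell example; this is not code from the post or from either client. The PFX path, its password and the expected host names are placeholders, and it assumes an Exchange Management Shell run as an administrator.

```powershell
# Added example, not from the original post. Imports a Let's Encrypt SAN PFX into
# LocalMachine\My and assigns it to all Exchange services, with checks first.
# Placeholder values: $PfxPath, $ExpectedNames. Run in the Exchange Management Shell.
param(
    [string]$PfxPath = 'C:\certs\letsencrypt-san.pfx',   # placeholder path
    [string[]]$ExpectedNames = @('mail.example.com', 'autodiscover.example.com')
)

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the Local Machine / Personal store, where Exchange looks for it.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable

# 2. Sanity checks before touching live services: validity window and SAN coverage.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is not currently valid."
}
$exCert   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$sanNames = $exCert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing  = $ExpectedNames | Where-Object { $sanNames -notcontains $_ }
if ($missing) {
    throw "Certificate is missing SAN entries: $($missing -join ', ')"
}

# 3. Assign the certificate to every Exchange service, not just the Default Web Site.
#    -Force suppresses the prompt about replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -Services IMAP,POP,SMTP,IIS -Force -Confirm:$false

# 4. Confirm the binding took effect; Services should now list IMAP, POP, SMTP, IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains
```

Running this after each renewal is what turns the manual step the post complains about into a scheduled task; the checks in step 2 stop a bad or partial certificate from being bound to mail services.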