SSL Certificate

Hello Everyone,

I am running Exchange Server 2019 at home, which is my lab for learning and testing. I am using a 3rd party SSL certificate from SSL2BUY (Comodo). This certificate will expire on 3rd May 2020. I am planning to try Let’s Encrypt and get the certificate for Exchange Server 2019.

My question is - Can I try Let’s Encrypt ACME v2.1.6.773 and request a new certificate before 3rd May 2020? Currently, I will be using these names - mail.ramlan.ca, ramlan.ca, autodiscover.ramlan.ca - during the certificate request for the services IMAP, POP, SMTP, IIS.

Other details - Domain ramlan.ca, and it is with GoDaddy
All virtual directories have been created in Exchange Server 2019
All mail (In and Out) is working currently using the 3rd party SSL certificate

Appreciate your response.

Thanks

Ram

1 Like

Sure, why not? Let’s Encrypt is a free, as in: free beer, CA, so nothing is holding you back.

1 Like

So, I can try while I still have a valid SSL certificate? Is it going to cause any issue, or do I need to wait for the current SSL certificate to expire and then try Let’s Encrypt?

1 Like

Yes. Obviously testing needs to be done with the staging environment and on your testing environment. Not on your production server.

It should never be necessary to wait for a current certificate to expire. While Let’s Encrypt certificates are valid for 90 days, Let’s Encrypt itself recommends renewing the certificate after 60 days.

1 Like

OK Osiris - I am going to try during the weekend. Will be following this site as install notes for Let’s Encrypt.

https://blog.ipswitch.com/install-free-lets-encrypt-ssl-san-certificate-for-exchange-2019?success=true

1 Like

I tried the program now - Getting these errors. Firewall is turned off.

DNS problem: SERVFAIL looking up A for autodiscover.ramlan.ca - the domain's nameservers may be malfunctioning",
"status": 400

Cached order available but not used with the --force switch.
Authorize identifier mail.ramlan.ca
Authorizing mail.ramlan.ca using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://mail.ramlan.ca/.well-known/acme-challenge/Cy0TU-zas7ReWFuTW3YdkE_X-T22-qHJ_xpj1_Nob8A: Timeout during connect (likely firewall problem)",
"status": 400

1 Like

It’s a recursive loop:

;; QUESTION SECTION:
;autodiscover.ramlan.ca.		IN	A

;; ANSWER SECTION:
autodiscover.ramlan.ca.	3600	IN	CNAME	autodiscover.ramlan.ca.

A CNAME can’t point to itself obviously.

1 Like

So, I should change the DNS entry for autodiscover from an A record to a CNAME record? As of now I have 2 entries in DNS:
mail - Host (A) record pointing to the IP address
autodiscover - Host (A) record pointing to the IP address

No, that’s how it’s set up now. Which is wrong.

Not from my point of view.

1 Like

I will try CNAME for autodiscover within DNS and see what happens.

No luck getting this working. Will have to go with the 3rd party certificate only. Too hard to find a solution on the internet.

…or fix your DNS records, as you’ve already been told. Now there are no records at all for autodiscover.ramlan.ca.

1 Like

What should be the normal DNS entry to get Let’s Encrypt to work?

Within my lab environment there is one Exchange Server 2019, and the DNS entries are as follows:

ex2019.ramlan.ca - Host A record -> ip address 192.168.0.x
mail.ramlan.ca - Host A record -> ip address 192.168.0.x
autodiscover.ramlan.ca - Host A record -> 192.168.0.x

On GoDaddy - the DNS entries are as follows:

A @ 99.229.198.199
A mail 99.229.198.199
CNAME autodiscover autodiscover.ramlan.ca



First, no, that record isn’t present, at least not when I check it from here. Second, what makes you think that’s an appropriate setting? You’re setting autodiscover as an alias of itself. Just a moment’s thought should tell you that’s the wrong answer. Either set it with its own A record to the same IP, or set it as a CNAME to the root domain. Either is fine; I don’t know that there’s a particular reason to favor one over the other.

1 Like
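A small pre-flight check, added here as an example and not code from this thread or from any Let’s Encrypt client, that follows CNAME chains with loop detection over an in-memory copy of the records discussed above, so a self-referencing autodiscover CNAME (or a missing record) is reported before an ACME order is placed. The zone data and IP address are taken from the posts above; the single-record-per-name zone table is a constructed simplification of a real DNS lookup.

```python
# Added example: validate that every name going into a certificate
# request resolves to an address. Mirrors the thread's failure mode:
# autodiscover.ramlan.ca was a CNAME to itself, so the CA's resolver
# answered SERVFAIL and the http-01 challenge could never be fetched.

MAX_CNAME_HOPS = 8  # resolvers give up on long chains; so do we

# Constructed zone tables (assumption: one record per name, values taken
# from the thread). BROKEN_ZONE reproduces the self-referencing CNAME;
# FIXED_ZONE applies the advice to alias autodiscover to the root domain.
BROKEN_ZONE = {
    "ramlan.ca.": ("A", "99.229.198.199"),
    "mail.ramlan.ca.": ("A", "99.229.198.199"),
    "autodiscover.ramlan.ca.": ("CNAME", "autodiscover.ramlan.ca."),
}
FIXED_ZONE = dict(BROKEN_ZONE)
FIXED_ZONE["autodiscover.ramlan.ca."] = ("CNAME", "ramlan.ca.")


def resolve(zone, name):
    """Follow CNAMEs until an A record is found.

    Returns ("ok", ip, chain) or ("error", reason, chain), where chain
    lists the CNAME owner names that were followed, in order.
    """
    name = name.rstrip(".") + "."  # normalise to a fully qualified name
    chain, seen = [], set()
    while True:
        if name in seen:  # we have been here before: a CNAME loop
            return ("error", f"CNAME loop at {name}", chain)
        seen.add(name)
        record = zone.get(name)
        if record is None:
            return ("error", f"no record for {name}", chain)
        rtype, value = record
        if rtype == "A":
            return ("ok", value, chain)
        chain.append(name)
        if len(chain) > MAX_CNAME_HOPS:
            return ("error", "CNAME chain too long", chain)
        name = value  # rtype == "CNAME": keep following


def check_san_list(zone, names):
    """Resolve every name an ACME order would contain; report per name."""
    return {n: resolve(zone, n) for n in names}


def ready_for_order(zone, names):
    """True only when every requested name resolves to an address."""
    return all(r[0] == "ok" for r in check_san_list(zone, names).values())
```

Running `check_san_list(BROKEN_ZONE, [...])` flags autodiscover as a CNAME loop while mail and the root resolve, which is exactly the split the client output in the thread showed.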

So for GoDaddy - I will change CNAME as follows:

A Autodiscover 99.229.198.199

1 Like

That should work, and it’s now showing up in public DNS.

1 Like

Thanks my friend for the help. I will try Let’s Encrypt after a few hours - to give time for DNS to update the record.

1 Like

Yes, you are correct. Here is the result.

1 Like

I tried the program again - still not working. Firewall is turned off - yet still having problems getting the cert.

1 Like

Finally fixed all the issues and the certificate is issued successfully. Here is the SS

1 Like