I am running Exchange Server 2019 at home, which is my lab for learning and testing. I am using a 3rd-party SSL certificate from SSL2BUY (Comodo). This certificate will expire on 3rd May 2020. I am planning to try Let's Encrypt and get the certificate for Exchange Server 2019.
My question is: can I try Let's Encrypt ACME v2.1.6.773 and request a new certificate before 3rd May 2020? Currently, I will be using these names - mail.ramlan.ca, ramlan.ca, autodiscover.ramlan.ca - in the certificate request for the IMAP, POP, SMTP and IIS services.
Other details - the domain is ramlan.ca and it is with GoDaddy.
All virtual directories have been created in Exchange Server 2019.
All mail (in and out) is currently working using the 3rd-party SSL certificate.
So, can I try while I still have a valid SSL certificate? Is it going to cause any issue, or do I need to wait for the current SSL certificate to expire and then try Let's Encrypt?
Yes. Obviously testing needs to be done with the staging environment and on your testing environment, not on your production server.
It should never be necessary to wait for a current certificate to expire. While Let's Encrypt certificates are valid for 90 days, Let's Encrypt itself recommends renewing the certificate after 60 days.
I tried the program now and am getting these errors. The firewall is turned off.
DNS problem: SERVFAIL looking up A for autodiscover.ramlan.ca - the domain's nameservers may be malfunctioning",
"status": 400
Cached order available but not used with the --force switch.
Authorize identifier mail.ramlan.ca
Authorizing mail.ramlan.ca using http-01 validation (SelfHosting)
{
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://mail.ramlan.ca/.well-known/acme-challenge/Cy0TU-zas7ReWFuTW3YdkE_X-T22-qHJ_xpj1_Nob8A: Timeout during connect (likely firewall problem)",
"status": 400
So, should I change the DNS entry for autodiscover from an A record to a CNAME record? As of now I have 2 entries in DNS:
mail - Host (A) record pointing to the IP address
autodiscover - Host (A) record pointing to the IP address
What should the normal DNS entries be to get Let's Encrypt to work?
Within my lab environment there is one Exchange Server 2019 and the DNS entries are as follows:
ex2019.ramlan.ca - Host A record -> ip address 192.168.0.x
mail.ramlan.ca - Host A record -> ip address 192.168.0.x
autodiscover.ramlan.ca - Host A record -> 192.168.0.x
On GoDaddy, the DNS entries are as follows:
A @ 99.229.198.199
A mail 99.229.198.199
CNAME autodiscover autodiscover.ramlan.ca
First, no, that record isn't present, at least not when I check it from here. Second, what makes you think that's an appropriate setting? You're setting autodiscover as an alias of itself. Just a moment's thought should tell you that's the wrong answer. Either set it with its own A record to the same IP, or set it as a CNAME to the root domain. Either is fine; I don't know that there's a particular reason to favor one over the other.
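To make the two failures in this thread concrete, here is a small pre-flight script that models them. It is an added example, not code from the thread, from win-acme or from Let's Encrypt. The zone records are constructed from the GoDaddy entries the poster listed (with the self-referential autodiscover CNAME, and a second copy with the fix the answer suggests), and the two sample ACME problem documents are copied from the error output above; the "type" field on the first one is an assumption, since the post only shows its "detail" line. The checks are: does every name going into the certificate request resolve to an A record without a CNAME loop, and which layer (DNS or inbound port 80) does each ACME error point at.

```python
"""Pre-flight checks for an ACME http-01 request with several SANs.

Added example, not from the thread or from win-acme. Zone data and the
sample errors are constructed from what the poster showed.
"""

ZONE = "ramlan.ca"

# Constructed: the GoDaddy records as posted, including the broken CNAME.
RECORDS_AS_POSTED = [
    {"type": "A", "name": "@", "value": "99.229.198.199"},
    {"type": "A", "name": "mail", "value": "99.229.198.199"},
    {"type": "CNAME", "name": "autodiscover", "value": "autodiscover.ramlan.ca"},
]

# Constructed: same zone with the fix from the answer (CNAME to the root domain).
RECORDS_FIXED = [
    {"type": "A", "name": "@", "value": "99.229.198.199"},
    {"type": "A", "name": "mail", "value": "99.229.198.199"},
    {"type": "CNAME", "name": "autodiscover", "value": "@"},
]

# Every SAN that will go into the certificate request must resolve.
REQUESTED_NAMES = ["mail.ramlan.ca", "ramlan.ca", "autodiscover.ramlan.ca"]

# The two problem documents from the post; "type" on the first is assumed.
SAMPLE_ERRORS = [
    {"type": "urn:ietf:params:acme:error:dns",
     "detail": "DNS problem: SERVFAIL looking up A for autodiscover.ramlan.ca"
               " - the domain's nameservers may be malfunctioning",
     "status": 400},
    {"type": "urn:ietf:params:acme:error:connection",
     "detail": "Fetching http://mail.ramlan.ca/.well-known/acme-challenge/"
               "Cy0TU-zas7ReWFuTW3YdkE_X-T22-qHJ_xpj1_Nob8A: "
               "Timeout during connect (likely firewall problem)",
     "status": 400},
]


def fqdn(label, zone):
    """GoDaddy-style label ("@" for the apex) -> fully qualified name."""
    return zone if label == "@" else f"{label}.{zone}"


def resolve(name, records, zone, depth=0):
    """Follow CNAMEs inside the constructed zone and return the A addresses.

    Raises ValueError for the conditions that break ACME validation:
    no data, CNAME beside other records, a CNAME pointing at itself,
    or a longer CNAME loop.
    """
    if depth > 8:
        raise ValueError(f"{name}: CNAME chain too long (loop?)")
    hits = [r for r in records if fqdn(r["name"], zone) == name]
    cnames = [r for r in hits if r["type"] == "CNAME"]
    addrs = [r["value"] for r in hits if r["type"] == "A"]
    if cnames and addrs:
        raise ValueError(f"{name}: CNAME cannot coexist with other records")
    if cnames:
        raw = cnames[0]["value"].rstrip(".")
        target = zone if raw == "@" else raw
        if target == name:
            raise ValueError(f"{name}: CNAME points to itself")
        return resolve(target, records, zone, depth + 1)
    if not addrs:
        raise ValueError(f"{name}: no A record")
    return addrs


def check_zone(names, records, zone):
    """Return {name: [addresses]} or {name: 'ERROR ...'} for every requested SAN."""
    result = {}
    for n in names:
        try:
            result[n] = resolve(n, records, zone)
        except ValueError as e:
            result[n] = f"ERROR {e}"
    return result


def classify_acme_error(problem):
    """Map an ACME problem document (RFC 8555 section 6.7) to the layer at fault."""
    ptype = problem.get("type", "")
    detail = problem.get("detail", "")
    if ptype.endswith(":dns") or "DNS problem" in detail:
        return "dns"          # fix the zone first; retrying only burns rate limits
    if ptype.endswith(":connection") or "Timeout during connect" in detail:
        return "connection"   # Internet -> port 80 on the host (NAT/port forward), not just the local firewall
    return "other"


if __name__ == "__main__":
    for label, recs in (("as posted", RECORDS_AS_POSTED), ("fixed", RECORDS_FIXED)):
        print(label, check_zone(REQUESTED_NAMES, recs, ZONE))
    for p in SAMPLE_ERRORS:
        print(classify_acme_error(p), "<-", p["detail"][:60])
```

Run against the records as posted, the script flags autodiscover.ramlan.ca as a CNAME pointing at itself while mail.ramlan.ca and ramlan.ca resolve; with the CNAME repointed at the root every name resolves to the same address. The error classifier sends the SERVFAIL to the DNS side and the connect timeout to the inbound-port-80 side, which is the order to fix them in: a name that does not resolve fails before the validation server ever tries to connect.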