Unable to generate and install SSL certificate for exchange server 2019

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rahulpc.com
Exchange server 2019 name- adpc

I ran this command: wacs.exe --target manual --host rahulpc.com,mail.rahulpc.com,autodiscover.rahulpc.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

It produced this output: [mail.rahulpc.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"150.129.182.142: Invalid response from http://mail.rahulpc.com/.well-known/acme-challenge/CxgInZrHxBef43Oj0_y-iT89wjDFKdBRd8q4oat_--M: 500","status":403,"instance":null}
[mail.rahulpc.com] Deactivating pending authorization
[rahulpc.com] Deactivating pending authorization
Create certificate failed

I am trying to generate the SSL certificate for Exchange Server 2019 for a test lab environment. I tried to use the DNS/TXT record verification method and for some reason it is not detecting the TXT verification record that I have created on GoDaddy. I also used the above command, and it generated the error: Invalid response from http://mail.rahulpc.com/.well-known/acme-challenge/CxgInZrHxBef43Oj0_y-iT89wjDFKdBRd8q4oat_--M: 500","status":403,"instance":null}

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Godaddy

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I have not used certbot

When I used win-acme to generate the certificate using DNS TXT verification, it gave the error "unable to find the TXT record".

HTTP validation works by presenting a specific HTTP response; win-acme will try to do that either in standalone mode (present an HTTP listener) or by cooperating with your webserver (IIS is the expected webserver). Your webserver on mail.rahulpc.com is not IIS and I suspect it's some kind of Java-based server - that's the one returning the HTTP 500 error. That server will be taking up port 80 so other Windows services can't use it, so to get HTTP challenges you'd have to serve them via that.

For DNS validation, that works by presenting an _acme-challenge TXT record for each domain you want to include, e.g. _acme-challenge.mail.rahulpc.com - GoDaddy limits automation to customers with 10 or more domains, so if you don't qualify then you're stuck with manual DNS updates unless you change your DNS provider or use acme-dns etc.

I can currently see _acme-challenge.mail.rahulpc.com in DNS, so it looks like you just needed to wait longer (e.g. 1 minute) after updating your DNS before retrying the check.

3 Likes

Actually, I am running Exchange Server 2016; I tried the same configuration on Exchange 2019 as well. I have cross-checked, ports 80 and 443 are open. Mail delivery for the Exchange server is working fine.
rahulpc.com is the public domain I have, and I tried to run win-acme using the DNS verification method. It is not reading and verifying the TXT record value that I have updated, although the record values are reflected when checking the same on whatsmydns. As suggested I changed my DNS to Cloudflare and tested it with https://my.interserver.net/ as well. Still no luck. Even after updating the correct acme TXT record manually it keeps on saying: "The correct record has not been found by the local resolver. Its likely validation attempt will fail or your DNS provider needs more time." I do not know what else I am missing or what needs to be done.

The end goal is to generate the SSL certificate for Exchange Server 2019 with the following names: rahulpc.com, mail.rahulpc.com and autodiscover.rahulpc.com.

Did you set it back after the test? Because Cloudflare is not your DNS provider right now:

rahulpc.com.		172800	IN	NS	cdns1.interserver.net.
rahulpc.com.		172800	IN	NS	cdns2.interserver.net.
rahulpc.com.		172800	IN	NS	cdns3.interserver.net.

I don't see a TXT record at _acme-challenge.rahulpc.com right now. Should there still be one from your testing? See: https://unboundtest.com/m/TXT/_acme-challenge.rahulpc.com/IUAHSPMK which uses a DNS query method similar to Let's Encrypt

Have you tried not doing this pre-check before submitting the request to Let's Encrypt? I am not sure how you do that with wacs, but many ACME clients offer a way to bypass their own pre-check.

2 Likes

@rahulpc If I try any HTTP (TCP port 80) request against mail.rahulpc.com, a Java-based server responds - that's why HTTP domain validation doesn't work for you.

curl -I http://mail.rahulpc.com/.well-known/acme-challenge/configcheck

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Content-Length: 130
Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly
Connection: close

Note the JSESSIONID

I realize you are trying to get Exchange to work, but something else is answering when the http validation is done from the public internet. If you are literally testing this from home then it would most likely be your router not forwarding http to the internal server and trying to respond itself.

3 Likes
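The replies above describe two things: what an HTTP-01 and a DNS-01 challenge actually prove (the same key authorization, served either as an HTTP body or, hashed, as a TXT record), and how a `curl -I` probe reveals that something other than IIS is answering port 80. The following Python is an added example written for this thread; it is not win-acme code and not something any poster ran. It derives both challenge values from a token and an account JWK per RFC 8555 and RFC 7638, and classifies a `curl -I` reply the way a pre-flight check could before `wacs.exe` is run. The JWK and the "ok" sample replies are constructed placeholders; the 500 reply and the token are the ones quoted in the thread.

```python
# Added example: ACME HTTP-01 / DNS-01 value derivation (RFC 8555 s.8.3, s.8.4,
# RFC 7638 thumbprint) plus a pre-flight classifier for a `curl -I` reply.
# Not win-acme code; JWK below is a placeholder, not a real key.
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Server headers a Windows ACME setup legitimately answers with: IIS itself, or
# the HttpListener a standalone client such as win-acme uses (assumption).
EXPECTED_SERVER_PREFIXES = ("Microsoft-IIS", "Microsoft-HTTPAPI")


def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url everywhere (RFC 7515 appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members.

    Only the required members count, sorted, with no whitespace, so optional
    members such as "kid" or "alg" never change the thumbprint.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """HTTP-01: the exact body the web server must return with status 200 at
    http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """DNS-01: the TXT value for _acme-challenge.<host>, i.e. the base64url
    SHA-256 of the same key authorization; both methods prove the same thing."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def txt_record_matches(observed: List[str], expected: str) -> bool:
    """DNS-01 pre-check: does any observed TXT string equal the expected value?
    Accepts dig-style quoted strings and ignores surrounding whitespace."""
    return any(v.strip().strip('"') == expected for v in observed)


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a `curl -I` style reply into (status code, lower-cased header map)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon ends the header name
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose_http01(raw_head: str) -> str:
    """Classify who answered an HTTP-01 probe from the Internet's point of view.

    "foreign-server": a JSESSIONID cookie (Java servlet container) or a Server
    header that is neither IIS nor the Windows HTTP API, so port 80 is reaching
    something other than the server win-acme cooperates with;
    "ok" for a 200; "not-found" for a 404; otherwise "unexpected-status".
    """
    status, headers = parse_head(raw_head)
    server = headers.get("server", "")
    if "JSESSIONID" in headers.get("set-cookie", "") or (
        server and not server.startswith(EXPECTED_SERVER_PREFIXES)
    ):
        return "foreign-server"
    if status == 200:
        return "ok"
    if status == 404:
        return "not-found"
    return "unexpected-status"


# Constructed inputs: the curl reply quoted in this thread, the token from the
# thread's error message, and a placeholder JWK that is not a real key.
THREAD_CURL_REPLY = """HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Content-Length: 130
Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly
Connection: close
"""
PLACEHOLDER_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
THREAD_TOKEN = "CxgInZrHxBef43Oj0_y-iT89wjDFKdBRd8q4oat_--M"

if __name__ == "__main__":
    print("HTTP-01 probe verdict:", diagnose_http01(THREAD_CURL_REPLY))
    print("HTTP-01 body:", key_authorization(THREAD_TOKEN, PLACEHOLDER_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(THREAD_TOKEN, PLACEHOLDER_JWK))
```

Run against the thread's reply, `diagnose_http01` returns "foreign-server", which is the conclusion reached above from the JSESSIONID cookie. The derivation functions show why waiting for DNS propagation matters in the DNS-01 case: the TXT value is a hash of the key authorization for one specific token, so a stale record from an earlier attempt can never validate a new order.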
