A) If you are going to use letsencrypt, it is definitely a good idea to have the letsencrypt intermediate certificates on all servers and workstations in the domain (so it is trusted).
B) Deploying signed RDP files is also a good idea.
C) Usually for these kinds of problems I would be running an internal CA (which AD will automatically distribute certificates for); however, the requirement was for letsencrypt with RDP.
D) From my testing, RDP seems to include the intermediate certificate (I deleted the LetsEncrypt intermediate from the intermediate store).
I briefly looked through the links you posted and it looks very interesting. If I understand this correctly, ACMESharp is able to generate dns-01 challenges, but you'd need to either update your zone manually or use APIs from your DNS provider, is that right? (Unless you're running a public-facing DNS of course, which we're not.)
In this case, it would be interesting for me to implement the connector for my DNS provider in PowerShell, so that I could set it up on a local server in my local network to automatically perform renewals based on the public-facing DNS.
@mcdado: Yes, that's right. You'll need to add/change the TXT record in the public-facing DNS server. I did this manually before and I am looking for an automated solution right now. My current DNS provider doesn't provide an API for manipulating records. One could use PowerShell and IE - Using IE Automation in PowerShell to Simplify Browser Based Tasks - or Curl - Using Curl in Powershell - or the Perl module WWW::Mechanize::Shell to automate this task, but this would be error-prone with every web site change from the DNS provider.
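For the manual dns-01 workflow discussed above, the step that most often fails is submitting the challenge before the TXT record is actually visible on the zone's authoritative servers. The following PowerShell function is an added example, not code from the thread or from ACMESharp; it assumes the Windows DnsClient module (Resolve-DnsName) is available, and the domain and record value in the usage line are placeholders (the value is whatever ACMESharp reports for the dns-01 challenge).

```powershell
# Poll the zone's own authoritative name servers (not the local resolver) until
# every one of them returns the expected _acme-challenge TXT value, so the ACME
# server's validation is not tripped up by cached or unpropagated data.
function Wait-AcmeDnsChallenge {
    param(
        [Parameter(Mandatory)] [string] $Domain,        # placeholder, e.g. rdp.example.com
        [Parameter(Mandatory)] [string] $ExpectedValue, # dns-01 value reported by ACMESharp
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds = 60
    )
    $name = "_acme-challenge.$Domain"

    # Walk up the labels until a name with NS records is found: that is the zone
    # whose authoritative servers must serve the TXT record.
    $zone = $Domain
    while ($true) {
        $ns = Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'NS' }
        if ($ns) { break }
        if ($zone -notmatch '\.') { throw "No NS records found above $Domain" }
        $zone = $zone.Substring($zone.IndexOf('.') + 1)
    }
    $nameServers = $ns.NameHost

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $missing = @()
        foreach ($server in $nameServers) {
            try {
                # -DnsOnly skips LLMNR/NetBIOS; -Server asks that authoritative host directly
                $txt = Resolve-DnsName -Name $name -Type TXT -Server $server -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'TXT' }
                # Each TXT record exposes its strings via .Strings
                if (-not ($txt.Strings -contains $ExpectedValue)) { $missing += $server }
            } catch { $missing += $server }
        }
        if ($missing.Count -eq 0) {
            Write-Host "$name is published on all authoritative servers: $($nameServers -join ', ')"
            return $true
        }
        Write-Host "Still waiting on: $($missing -join ', ')"
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Warning "Timed out waiting for $name; the challenge should not be submitted yet."
    return $false
}

# Usage (placeholders): submit the challenge only if this returns $true
# Wait-AcmeDnsChallenge -Domain 'rdp.example.com' -ExpectedValue '<dns-01 value from ACMESharp>'
```

Because the record must be exact (a stale value from a previous renewal will also fail validation), the check compares the full string rather than just testing that some TXT record exists.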