Issuing a Let's Encrypt certificate for Exchange

It is all straightforward: download the client that requests the certificate, follow its prompts, then reconfigure the certificate on the server. This article uses validation through TXT records in DNS. The full sequence of actions in the client:

PS C:\Users\aleks\win-acme> ls

Directory: C:\Users\aleks\win-acme

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 17.01.2021 13:03 Scripts
-a---- 26.11.2020 02:18 747912 clrcompression.dll
-a---- 26.11.2020 02:18 1324424 clrjit.dll
-a---- 26.11.2020 02:18 5157256 coreclr.dll
-a---- 26.11.2020 02:18 1047928 mscordaccore.dll
-a---- 10.01.2021 20:38 227037 public_suffix_list.dat
-a---- 10.01.2021 20:38 2262 settings.json
-a---- 10.01.2021 20:38 2262 settings_default.json
-a---- 10.01.2021 20:43 28 version.txt
-a---- 10.01.2021 20:43 32821336 wacs.exe
-a---- 10.01.2021 20:38 484 Web_Config.xml

PS C:\Users\aleks\win-acme> .\wacs.exe

A simple Windows ACMEv2 client (WACS)
Software version 2.1.14.996 (RELEASE, TRIMMED, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
IIS version 10.0
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: m

Running in mode: Interactive, Advanced
Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read site bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: ex01.exonix.ru,mail.exonix.ru

Target generated using plugin Manual: ex01.exonix.ru and 1 alternatives

Suggested friendly name '[Manual] ex01.exonix.ru', press <Enter> to accept or type an alternative: <Enter>

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 6

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

How would you like to store the certificate?: 4

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

Would you like to store it in another way too?: 5

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 1

1: Default Web Site
2: Exchange Back End

Choose site to create new bindings: 1

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Add another installation step?: 4

Next you have to create and then delete TXT records in the domain's DNS zone, for example:

[ex01.exonix.ru] Authorizing...
[ex01.exonix.ru] Authorizing using dns-01 validation (Manual)
Domain: ex01.exonix.ru
Record: _acme-challenge.ex01.exonix.ru
Type: TXT
Content: "5rreKXbln0zXhXGzpY08HsnBQAIgtQZWIUZvmszFHjY"

Note: Some DNS managers add quotes automatically. A single set is needed.
Please press <Enter> after you've created and verified the record

[ex01.exonix.ru] Preliminary validation succeeded
[ex01.exonix.ru] Preliminary validation succeeded
[ex01.exonix.ru] Authorization result: valid

Domain: ex01.exonix.ru
Record: _acme-challenge.ex01.exonix.ru
Type: TXT
Content: "5rreKXbln0zXhXGzpY08HsnBQAIgtQZWIUZvmszFHjY"

Please press <Enter> after you've deleted the record

[mail.exonix.ru] Authorizing...
[mail.exonix.ru] Authorizing using dns-01 validation (Manual)
Domain: mail.exonix.ru
Record: _acme-challenge.mail.exonix.ru
Type: TXT
Content: "3RIfWvYqfQaw9dqJhvnHUmbS_quRBImiVHvM1l8cneg"

Note: Some DNS managers add quotes automatically. A single set is needed.
Please press <Enter> after you've created and verified the record

[mail.exonix.ru] Preliminary validation succeeded
[mail.exonix.ru] Preliminary validation succeeded
First chance error calling into ACME server, retrying with new nonce...
[mail.exonix.ru] Authorization result: valid

Domain: mail.exonix.ru
Record: _acme-challenge.mail.exonix.ru
Type: TXT
Content: "3RIfWvYqfQaw9dqJhvnHUmbS_quRBImiVHvM1l8cneg"

Please press <Enter> after you've deleted the record

Requesting certificate [Manual] ex01.exonix.ru
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] ex01.exonix.ru @ 2021.1.17 13:24:06 to store WebHosting
Installing with IIS...
Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
No bindings have been changed
Adding Task Scheduler entry with the following settings
- Name win-acme renew (acme-v02.api.letsencrypt.org)
- Path C:\Users\aleks\win-acme
- Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
- Start at 09:00:00
- Random delay 02:00:00
- Time limit 02:00:00
Do you want to specify the user the task will run as? (y/n*) - no

Adding renewal for [Manual] ex01.exonix.ru
Next renewal scheduled at 2021.3.13 13:12:53
Certificate [Manual] ex01.exonix.ru created

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit

Please choose from the menu: q
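The dns-01 prompts above expect you to press <Enter> only after the TXT record has been "created and verified". The following helper is an added example (not from the post and not part of win-acme) that checks the _acme-challenge record on public resolvers before you confirm, using the record name and token printed by wacs in the session above; the resolver addresses are an assumption.

```powershell
# Added helper: confirm the _acme-challenge TXT record is visible with exactly the
# expected content before telling wacs to proceed. Not part of win-acme.
function Test-AcmeTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $Record,    # e.g. _acme-challenge.ex01.exonix.ru
        [Parameter(Mandatory)] [string] $Expected,  # token printed by wacs, without quotes
        [string[]] $Resolvers = @('1.1.1.1', '8.8.8.8')   # assumed public resolvers
    )
    $ok = $true
    foreach ($server in $Resolvers) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so we see what the CA will see
            $answers = Resolve-DnsName -Name $Record -Type TXT -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' }
        } catch {
            Write-Warning "$server : no TXT record yet for $Record ($($_.Exception.Message))"
            $ok = $false
            continue
        }
        # Each TXT answer exposes its text chunks in the Strings property
        $values = @($answers | ForEach-Object { $_.Strings })
        if ($values -contains $Expected) {
            Write-Host "$server : OK"
        } elseif ($values | Where-Object { $_.Trim('"') -eq $Expected }) {
            # The DNS manager stored a second pair of quotes (the case the wacs note warns
            # about): the literal value now contains quote characters and validation fails
            Write-Warning "$server : record contains extra quotes: $($values -join ', ')"
            $ok = $false
        } else {
            Write-Warning "$server : unexpected content: $($values -join ', ')"
            $ok = $false
        }
    }
    return $ok
}

# Values from the session above; run again for mail.exonix.ru with its own token
Test-AcmeTxtRecord -Record '_acme-challenge.ex01.exonix.ru' -Expected '5rreKXbln0zXhXGzpY08HsnBQAIgtQZWIUZvmszFHjY'
```

Only press <Enter> in wacs once the function returns True for every resolver; a False from one resolver usually means the zone change has not propagated yet.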

As the "No bindings have been changed" line in the output shows, the website bindings were not touched. So a few things have to be done by hand: fix the website bindings; copy the certificate into the right store so that it shows up in the Exchange admin center; and assign the certificate to the Exchange services. Fixing the bindings (the IIS snap-in is opened from the domain controller if Exchange is installed on Windows Server Core):

Copy the certificate from the WebHosting store to Personal:

# List both stores: win-acme put the certificate in WebHosting, Exchange looks in Personal (My)
Get-ChildItem -Path Cert:\LocalMachine\WebHosting
Get-ChildItem -Path Cert:\LocalMachine\My

$srcStoreScope = "LocalMachine"
$srcStoreName = "WebHosting"
$srcStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $srcStoreName, $srcStoreScope
$srcStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
# Select by subject rather than by matching the text dump of the whole certificate object
$cert = $srcStore.Certificates | Where-Object { $_.Subject -match "ex01.exonix.ru" }
$dstStoreScope = "LocalMachine"
$dstStoreName = "My"
$dstStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $dstStoreName, $dstStoreScope
$dstStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
# Add the first match (the private key stays linked, it lives in the machine key container)
$dstStore.Add(@($cert)[0])
# Close() needs the parentheses; without them PowerShell only prints the method signature
$srcStore.Close()
$dstStore.Close()

Get-ChildItem -Path Cert:\LocalMachine\My

After that the certificate appears in the Exchange admin center, where we assign it to the required services and reboot the server:
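The same assignment can be done from the Exchange Management Shell, with a few checks first. This is an added example (not from the post, not Exchange's or win-acme's own code); it assumes the Exchange cmdlets are loaded and uses the host names from the session above.

```powershell
# Added example: verify the copied certificate, then bind it to the Exchange services.
$subjectName  = 'ex01.exonix.ru'
$requiredSans = @('ex01.exonix.ru', 'mail.exonix.ru')

# Newest certificate for the subject in the Personal (My) store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($subjectName) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate for $subjectName in LocalMachine\My" }

# Without a private key the copy only moved the public part; Exchange cannot use it
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Let's Encrypt certificates are valid for 90 days; warn if this one is already near expiry
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); check that renewal is working"
}

# Every name clients connect to must be in the SAN extension, otherwise they get warnings
$sans    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($requiredSans | Where-Object { $sans -notcontains $_ })
if ($missing.Count -gt 0) { throw "Certificate does not cover: $($missing -join ', ')" }

# Assign to IIS (OWA, ECP, EWS, ActiveSync) and SMTP; -Force suppresses the confirmation
# about replacing the current default SMTP certificate
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# Confirm which thumbprint each service now uses
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
```

The scheduled renewal task created by wacs only refreshes the WebHosting store and the IIS binding, so after each renewal the copy and this assignment have to be repeated, for example by wiring them into the "Start external script or program" installation step that wacs offered.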

17.01.2021