Configuring ACME LetsEncrypt Bot
Purpose: If you want to set up automatically renewing Let's Encrypt SSL/TLS certificates on a Microsoft Exchange server, you have to go through a few steps to install the win-acme bot and configure it to renew certificates on its own.
ACME Bot Provisioning Considerations
This document assumes you want a fully-automated one-line command for configuring the ACME bot. It is also completely valid to run the bot interactively and step through configuring the certificate, the IIS server, etc.; either way the bot creates a Scheduled Task that renews the certificate on its own. The whole process is very straightforward, with most answers being the default option.
Download the Win-ACME Bot:
- Log into the on-premise Exchange Server via Datto RMM
- Navigate to: https://www.win-acme.com/
- On the top-right of the website, you will see a "Download" button with the most recent version of the win-acme bot; the link goes to the project's GitHub releases, so check that the ZIP you save actually came from there and not from a mirror or a search-engine result
- Extract the contents of the ZIP file to "C:\Program Files (x86)\Lets Encrypt"
- Make the "Lets Encrypt" folder if it does not already exist; keep it under Program Files (x86), where only Administrators can write, because the renewal task later runs the bot and its Scripts folder unattended with elevated rights
Configure settings_default.json:
- The next step modifies the win-acme configuration so the bot stores the certificate with an exportable private key; the Exchange import script needs that to hand the certificate to Exchange
- Using a text editor, open the "settings_default.json" file (if a "settings.json" already exists because the bot has been run before, edit that one instead: it is the copy the bot actually reads)
- Look for the setting called "PrivateKeyExportable" and change the value from "false" to "true"
- Save and close the file
- Note that an exportable key can be pulled out of the certificate store by any account with access to it, which is why the ACL on the private key (set by the command in the next step) should stay limited to the accounts that need it
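The same edit, scripted so it can be pushed through RMM without opening a text editor. This is an added example, not part of the original page or of win-acme; it assumes the bot was extracted to "C:\Program Files (x86)\Lets Encrypt" and handles both the case where the setting sits at the top level of the JSON and the case where a newer version nests it in a sub-section, since the location differs between releases.

```powershell
# Added example (not win-acme's own code): set PrivateKeyExportable = true in
# the win-acme settings file, wherever the key lives in this version's JSON.
# Assumed install folder; adjust if the bot was extracted elsewhere.
$WacsDir = 'C:\Program Files (x86)\Lets Encrypt'

function Set-JsonKeyRecursive {
    # Walk a PSCustomObject tree and set every property named $Name to $Value.
    # Returns the number of properties that were actually changed.
    param([Parameter(Mandatory)] $Node, [string] $Name, $Value)
    $changed = 0
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -eq $Name) {
                if ($p.Value -ne $Value) { $p.Value = $Value; $changed++ }
            }
            elseif ($p.Value -is [System.Management.Automation.PSCustomObject]) {
                $changed += Set-JsonKeyRecursive -Node $p.Value -Name $Name -Value $Value
            }
        }
    }
    return $changed
}

function Enable-WacsPrivateKeyExport {
    param([string] $Dir = $WacsDir)
    # win-acme copies settings_default.json to settings.json on first run; once
    # settings.json exists, that is the file the bot reads, so prefer it.
    $file = Join-Path $Dir 'settings.json'
    if (-not (Test-Path $file)) { $file = Join-Path $Dir 'settings_default.json' }
    if (-not (Test-Path $file)) { throw "No win-acme settings file found in $Dir" }

    $json = Get-Content -Path $file -Raw | ConvertFrom-Json
    $n = Set-JsonKeyRecursive -Node $json -Name 'PrivateKeyExportable' -Value $true
    if ($n -eq 0) {
        # Nothing changed: either it was already true, or this version has no such key.
        $present = (($json | ConvertTo-Json -Depth 10) -match '"PrivateKeyExportable"')
        if (-not $present) { throw "PrivateKeyExportable not present in $file" }
        Write-Host "PrivateKeyExportable already true in $file"
        return $file
    }
    # Keep a backup beside the file, then write the modified JSON back.
    Copy-Item -Path $file -Destination "$file.bak" -Force
    $json | ConvertTo-Json -Depth 10 | Set-Content -Path $file -Encoding UTF8
    Write-Host "Set PrivateKeyExportable=true in $file ($n change(s))"
    return $file
}

Enable-WacsPrivateKeyExport
```

ConvertTo-Json re-indents the file, so the rewritten copy will not be byte-for-byte the original layout; the values are unchanged apart from the one flag, and the .bak copy keeps the original for comparison.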
Download and Install the SSL Certificate:
- Open an administrative Command Prompt (DO NOT USE POWERSHELL: the braces and nested quotes in the "--scriptparameters" argument below are written for cmd.exe, and PowerShell parses them differently)
- Navigate to the Let's Encrypt bot directory:
CD "C:\Program Files (x86)\Lets Encrypt"
- Invoke the bot to request the certificate, place it in the Local Machine personal store, bind it in the IIS site Exchange uses (site ID 1 is the Default Web Site) and hand the thumbprint to the ImportExchange.ps1 script that assigns it to the IIS, SMTP and IMAP Exchange services
- Be sure to change the placeholder subdomains to match the actual Exchange Server's names (e.g. "mail.example.org" | "autodiscover.example.org"); every name listed must exist in public DNS and resolve to this server
wacs.exe --target manual --host mail.example.org,autodiscover.example.org --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
- The "--acl-fullcontrol" option grants the listed accounts full control of the certificate's private key; keep the list to the accounts IIS and Exchange actually run under
- When the command is running, it will ask for an email address for expiry alerts and abuse notifications; put "[email protected]" as the email address
- If you run into any unexpected errors that result in anything other than exiting with a status "0", consult with Michael Levesque or Nicole Rappe to proceed
- Check that every host name on the certificate is reachable from the internet on port 80: Let's Encrypt validates the request by fetching a token under http://<host>/.well-known/acme-challenge/ (the HTTP-01 challenge), so a firewall or NAT rule that only forwards 443 will make issuance fail
- Searching the external IP of the server on Shodan will show the ports its last scan saw open, but that data can be stale; confirm with a direct test from outside the network (e.g. a phone off the Wi-Fi opening http://mail.example.org/) before blaming the bot
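A post-run check for the procedure above, as an added example (not from the original page or from win-acme). It assumes the placeholder host names, that the script runs on the Exchange server itself, and that the renewal task the bot registers has a name starting with "win-acme"; the Exchange service check only runs inside the Exchange Management Shell, where Get-ExchangeCertificate exists.

```powershell
# Added example, not part of the original page or of win-acme: verify what the
# wacs.exe run actually produced. Host names below are assumed placeholders.
$Hosts = @('mail.example.org', 'autodiscover.example.org')

function Get-LeCertificate {
    # Newest Let's Encrypt certificate in LocalMachine\My that has a private key
    # and whose SAN list covers every requested host name.
    param([string[]] $Names)
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match "Let's Encrypt" -and $_.HasPrivateKey } |
        Sort-Object -Property NotAfter -Descending
    foreach ($cert in $candidates) {
        $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $missing = @($Names | Where-Object { $_ -notin $sans })
        if ($missing.Count -eq 0) { return $cert }
    }
    return $null
}

function Test-ExchangeLeDeployment {
    param([string[]] $Names = $Hosts)
    $r = [ordered]@{}
    $cert = Get-LeCertificate -Names $Names
    $r.CertificateFound = ($null -ne $cert)
    if ($cert) {
        $r.Thumbprint   = $cert.Thumbprint
        $r.FriendlyName = $cert.FriendlyName
        # Let's Encrypt certificates are valid for 90 days; renewal should run well before this hits 0.
        $r.DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # Exchange's own view of the certificate. Get-ExchangeCertificate only
        # exists in the Exchange Management Shell, so it is skipped elsewhere.
        if (Get-Command -Name Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
            $ex = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint -ErrorAction SilentlyContinue
            $r.ExchangeServices = if ($ex) { [string]$ex.Services } else { 'not registered with Exchange' }
        }
    }
    # Renewal task registered by the bot (assumed to be named "win-acme ..."; adjust
    # the wildcard if your version names it differently).
    $task = Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $r.RenewalTask = if ($task) { "$($task.TaskName) [$($task.State)]" } else { 'missing' }
    # Port 80 as seen from this box only. A pass here does not prove the internet
    # can reach it; the HTTP-01 reachability check above still needs an outside test.
    $r.Port80FromHere = (Test-NetConnection -ComputerName $Names[0] -Port 80 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    return [pscustomobject]$r
}

Test-ExchangeLeDeployment | Format-List
```

If CertificateFound is true but ExchangeServices reads "not registered with Exchange", the bot issued the certificate but the ImportExchange.ps1 step did not complete; re-run the wacs.exe command with --verbose and read the script output rather than touching IIS bindings first.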
Troubleshooting:
If you find that any of the services such as https://mail.example.org/ecp, https://autodiscover.example.org, or https://mail.example.org/owa do not let you log in, proceed with the steps below to correct the "Certificate Binding" in IIS Manager:
- Open "Server Manager" > Tools > "Internet Information Services (IIS) Manager"
- Expand the "Connections" server tree on the left-hand side of the IIS Manager
- Expand the "Sites" folder
- Click on "Default Web Site"
- On the right-hand Actions menu, click on "Bindings..."
- A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
- Type: https
- Host Name: autodiscover.example.org
- Port: 443
- Double-click on the row, or click one then click the "Edit" button to open the settings for that endpoint
- Under "SSL Certificate" > Make sure the selected certificate is the one the bot issued, whose name has the format "[Manual] autodiscover.example.org @ YYYY/MM/DD" (the date is the issue date; one certificate covers both host names, so the same entry is used for every binding below)
- If it does not match the above, use the dropdown menu to correct it and click the "OK" button
- Type: https
- Host Name: mail.example.org
- Port: 443
- Repeat the steps seen above, except this time for "mail.example.org"
- Click on "Exchange Back End"
- On the right-hand Actions menu, click on "Bindings..."
- A table will appear with different endpoints on the Exchange server > What you are looking for is an entry that looks like the following:
- Type: https
- Host Name: (blank; the back end binding has no host name)
- Port: 444
- Repeat the steps seen above, ensuring that the "[Manual] autodiscover.example.org @ YYYY/MM/DD" certificate is selected and applied
- Click the "OK" button
- On the left-hand menu under "Connections" in IIS Manager, click on the server name itself
- (e.g. "EXAMPLE-EXCHANGE (DOMAIN\dptadmin)")
- On the right-hand "Actions" menu > Under "Manage Server" > Select "Restart"
- Wait for the IIS server to restart itself, then try accessing the webpages for Exchange that were exhibiting issues logging in
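The same binding audit and repair, scripted, as an added example that is not part of the original page or of win-acme. It assumes the WebAdministration module that ships with IIS, the placeholder host names, and the three bindings the manual steps above inspect (the two host-name bindings on port 443 of "Default Web Site" and the host-less port 444 binding on "Exchange Back End"); without -Fix it only reports, with -Fix it rebinds mismatches and restarts IIS the way the "Restart" action in IIS Manager does.

```powershell
# Added example, not win-acme's own code: audit the IIS SSL bindings the
# troubleshooting steps fix by hand, and optionally rebind them.
Import-Module WebAdministration

function Get-ExchangeSslBindingState {
    # One record per expected binding, with the thumbprint currently attached.
    param([string[]] $Names)
    $expected = @(foreach ($n in $Names) {
        [pscustomobject]@{ Site = 'Default Web Site'; Info = "*:443:$n" }
    })
    $expected += [pscustomobject]@{ Site = 'Exchange Back End'; Info = '*:444:' }
    foreach ($e in $expected) {
        $b = Get-WebBinding -Name $e.Site -Protocol https |
            Where-Object { $_.bindingInformation -eq $e.Info }
        [pscustomobject]@{
            Site       = $e.Site
            Binding    = $e.Info
            Found      = ($null -ne $b)
            Thumbprint = if ($b) { [string]$b.certificateHash } else { '' }
            Raw        = $b
        }
    }
}

function Repair-ExchangeSslBinding {
    # Compare each binding to the expected thumbprint; with -Fix, rebind any
    # mismatch to that certificate in LocalMachine\My and restart IIS.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string[]] $Names = @('mail.example.org', 'autodiscover.example.org'),  # assumed placeholders
        [switch] $Fix
    )
    # Fail early if the thumbprint is not in the store the bindings point at.
    $null = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $changed = 0
    $report = foreach ($s in Get-ExchangeSslBindingState -Names $Names) {
        $correct = $s.Found -and ($s.Thumbprint -ieq $Thumbprint)
        if ($Fix -and $s.Found -and -not $correct) {
            if ($s.Thumbprint) { $s.Raw.RemoveSslCertificate() }
            $s.Raw.AddSslCertificate($Thumbprint, 'My')
            $correct = $true
            $changed++
        }
        [pscustomobject]@{
            Site = $s.Site; Binding = $s.Binding; Found = $s.Found
            Thumbprint = $s.Thumbprint; Correct = $correct
        }
    }
    # Equivalent of "Restart" under Manage Server in IIS Manager.
    if ($changed -gt 0) { & iisreset.exe /noforce | Out-Null }
    return $report
}

# Usage: pick the newest Let's Encrypt certificate, audit first, then fix.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "Let's Encrypt" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
Repair-ExchangeSslBinding -Thumbprint $thumb | Format-Table -AutoSize
# Repair-ExchangeSslBinding -Thumbprint $thumb -Fix | Format-Table -AutoSize
```

A binding that is reported as not Found is a different problem from a wrong certificate: the script does not create bindings, because a missing host-name binding on an Exchange site usually means the site was configured without host headers, in which case the blank-host "*:443:" binding is the one to check in IIS Manager instead. Rebinding IIS also does not re-register the certificate with Exchange's SMTP or IMAP services; that is the ImportExchange.ps1 script's job in the install command.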