
[玩转系统] Install a free Let's Encrypt certificate in Exchange Server

Author: 精品下载站  Date: 2024-12-14 03:12:22  Views: 14  Category: 玩电脑



How do you install a free Let's Encrypt certificate in Exchange Server? After configuring internal and external DNS, we want to install a certificate on the Exchange Server. What is Let's Encrypt, and why is it free? Read this article to learn more about configuring a Let's Encrypt certificate in Exchange Server.

What is Let's Encrypt?

Let's Encrypt is a free way to secure a web server with HTTPS and SSL certificates. It provides an encrypted connection and protected data transfer between server and client. Let's Encrypt does not charge for certificates. Let's Encrypt is a non-profit organization whose mission is to create a more secure and privacy-respecting web, which it does by promoting the widespread adoption of HTTPS. The service is free and easy to use, so anyone can deploy HTTPS.

The Exchange Server certificate is not trusted

When you install a new Exchange Server, client connections are not secured out of the box; that is the default. We will sign in to Outlook Web Access (OWA) to see what that looks like.

In Firefox, it shows the warning: Warning: Potential Security Risk Ahead. Click Advanced..., then continue to the OWA sign-in page.


Exchange Server OWA is running, but it is not secure. The padlock icon shows a warning. If we click the padlock in the address bar, we can see that the connection is not secure.


The same happens in all other browsers. For example, Internet Explorer shows a red address bar. Clicking the certificate in the toolbar shows that the certificate's address does not match. The Exchange Server connection is not secure.


We have learned what Let's Encrypt is and seen that the Exchange Server connection is not secure. In the next part, we will prepare the application that configures the certificate. After that, we will request a free Let's Encrypt certificate.

Prepare the Let's Encrypt Win-ACME client

There is a list of third-party ACME clients to choose from. We will use Windows ACME Simple (WACS), a simple ACME client for Windows that works with Let's Encrypt. It renews your certificates automatically, so once it is installed and configured you have a continuously secured web server.

Download Win-ACME from GitHub or the official website. At the time of writing, the file is win-acme.v2.1.22.1260.x64.pluggable. Create a folder named Lets Encrypt in C:\Program Files. Extract the files from the .zip into the folder C:\Program Files\Lets Encrypt.


You can use Win-ACME from the interactive menu or in unattended mode (command line). With the command line, you do not have to go through the menus. Both work, and it is worth learning both methods.

Let's Encrypt certificate private key

It is best to export the certificate after Let's Encrypt has issued it and it has been downloaded. That means you must import the certificate's private key to be able to export the certificate. There are two ways to do this.

Import the certificate private key automatically

Adjust settings_default.json before requesting the certificate from Let's Encrypt. This imports the certificate's private key into the certificate automatically:

  1. Start File Explorer
  2. Go to the path C:\Program Files\Lets Encrypt
  3. Open settings_default.json with Notepad
  4. Set PrivateKeyExportable to true
  5. Save the file

Note: After Win-ACME has been started, the settings_default.json file and its settings are copied to settings.json. If you have already started Win-ACME, you will see settings.json in the folder. In that case, edit the value in settings.json.
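The same change done from PowerShell, as an added example that is not part of the original article or of win-acme. It honours the note above (settings.json wins once wacs.exe has run) and assumes the install folder C:\Program Files\Lets Encrypt; it does not hard-code the JSON section that holds the key (in 2.1.x it sits under "Security"), but searches the top-level sections for it.

```powershell
# Added example (not from the original article or from win-acme): set
# PrivateKeyExportable in the win-acme settings file that is actually in use.
# Assumption: win-acme is unpacked in C:\Program Files\Lets Encrypt.
function Set-WinAcmePrivateKeyExportable {
    param(
        [string]$InstallDir = 'C:\Program Files\Lets Encrypt',
        [bool]$Exportable = $true
    )
    # Once wacs.exe has run, settings.json exists and overrides settings_default.json.
    $path = Join-Path $InstallDir 'settings.json'
    if (-not (Test-Path $path)) { $path = Join-Path $InstallDir 'settings_default.json' }
    if (-not (Test-Path $path)) { throw "No win-acme settings file found in $InstallDir" }

    $settings = Get-Content -Path $path -Raw | ConvertFrom-Json
    $hits = 0
    # The key may sit at the root or inside a section object; set it wherever it exists.
    foreach ($holder in @($settings) + @($settings.PSObject.Properties.Value)) {
        if ($null -ne $holder -and $holder.PSObject.Properties['PrivateKeyExportable']) {
            $holder.PrivateKeyExportable = $Exportable
            $hits++
        }
    }
    if ($hits -eq 0) { throw "PrivateKeyExportable not found in $path; check the win-acme version" }

    # Keep a backup, then write the file back. An exportable key can be pulled out of the
    # machine store by any local administrator, so enable this only where you need the export.
    Copy-Item -Path $path -Destination "$path.bak" -Force
    $settings | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8
    return $path
}

Set-WinAcmePrivateKeyExportable
```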


Import the certificate private key manually

Obtain the private key after requesting the certificate from Let's Encrypt. You will enter the certificate's private key and import it into the certificate. For more information, see the article on exporting a Let's Encrypt certificate in Windows Server.

Install the Let's Encrypt certificate in Exchange Server

After downloading and extracting the files, we will configure the Let's Encrypt certificate. In the following steps we show both the interactive menu and the command line.

Install the Let's Encrypt certificate with the interactive menu

Right-click the application wacs. Click Run as administrator to start the application.


The Win-ACME client window appears. Type M to create a certificate (full options), then press Enter.

 A simple Windows ACMEv2 client (WACS)
 Software version 2.1.22.1260 (release, pluggable, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: M

Enter 2 for manual input, then press Enter.

 Running in mode: Interactive, Advanced

 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.

 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: 2

Enter a comma-separated list of host names. Check your Exchange host names and fill them in. Have you configured the Exchange Server host names correctly? There should be no internal names, such as EX01-2016.

See the article on Exchange namespace design and planning. I recommend keeping the same namespace for internal DNS and external DNS.

Add the download host name to the hosts. After downloading the Let's Encrypt certificate and binding it to Exchange Server, read the article on configuring the download domain to address the CVE-2021-1730 vulnerability.

In my example, I will use the hosts:

  • mail.exoip.com
  • autodiscover.exoip.com
  • download.mail.exoip.com

Then press Enter.

 Description:        A host name to get a certificate for. This may be a
                     comma-separated list.

 Host: mail.exoip.com,autodiscover.exoip.com,download.mail.exoip.com

We will not enter anything for the suggested friendly name. Press Enter to continue.

 Source generated using plugin Manual: mail.exoip.com and 1 alternatives

 Friendly name '[Manual] mail.exoip.com'. <Enter> to accept or type desired name: <Enter>

The Let's Encrypt ACME client uses port 80 through the firewall to complete the Let's Encrypt validation and request the certificate. If port 80 is not open, open it before continuing. Read more about the network ports for client access and mail flow in Exchange.

We do not have to open port 80 on the Exchange Server. We could use port 443 instead, which is option 9 - TLS-ALPN-01. To answer that challenge correctly, the client cannot go through the HTTP stack; it needs direct (exclusive) control of port 443, which means IIS must be stopped for it to work.

You do not want to stop IIS when requesting or renewing the Exchange certificate. That is why we open port 80 in the firewall and choose option 2.

 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard domains the latter is the only option. Various
 additional plugins are available from https://github.com/win-acme/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s)?: 2

Enter 2 for an RSA key, then press Enter.

 After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?: 2

Choose option 4 to store the certificate in the Windows Certificate Store, then press Enter.

 When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps

 How would you like to store the certificate?: 4

Enter 2, because we want to store it in the general computer store, then press Enter.

 1: [WebHosting] - Dedicated store for IIS
 2: [My] - General computer store (for Exchange/RDS)
 3: [Default] - Use global default, currently WebHosting

 Choose store to use, or type the name of another unlisted store: 2

Enter 5, because we do not need to store it in another way, then press Enter.

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps

 Would you like to store it in another way too?: 5

Choose 1 to create or update the https bindings in IIS, then press Enter.

 With the certificate saved to the store(s) of your choice, you may choose one
 or more steps to update your applications, e.g. to configure the new
 thumbprint, or to update bindings.

 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Which installation step should run first?: 1

Enter 1 for Default Web Site, then press Enter.

 1: Default Web Site
 2: Exchange Back End

 Choose site to create new bindings: 1

Enter 2 to start an external script or program, then press Enter.

 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Add another installation step?: 2

Add the PowerShell script path ./Scripts/ImportExchange.ps1 and press Enter. The script is included in the Win-ACME download; look in the Scripts folder.

 Description:        Path to script file to run after retrieving the
                     certificate. This may be any executable file or a
                     Powershell (.ps1) script.

 File: ./Scripts/ImportExchange.ps1

Add the following parameters, which include the services IIS, SMTP and IMAP. Press Enter.

 {CertCommonName}:   Common name (primary domain name)
 {CachePassword}:    .pfx password
 {CacheFile}:        .pfx full path
 {CertFriendlyName}: Certificate friendly name
 {CertThumbprint}:   Certificate thumbprint
 {StoreType}:        Type of store (e.g. CentralSsl, CertificateStore,
                     PemFiles, ...)
 {StorePath}:        Path to the store
 {RenewalId}:        Renewal identifier
 {OldCertCommonName}: Common name (primary domain name) of the previously
                      issued certificate
 {OldCertFriendlyName}: Friendly name of the previously issued certificate
 {OldCertThumbprint}: Thumbprint of the previously issued certificate

 Description:        Parameters for the script to run after retrieving the
                     certificate. Refer to
                     https://win-acme.com/reference/plugins/installation/script
                     for further instructions.

 Parameters: '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

We do not need to add another installation step. Press 3, then press Enter.

 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Add another installation step?: 3

Press n to not open the terms of service, then press Enter. We can always read the terms of service by opening the PDF file in File Explorer.

 Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Open in default application? (y/n*) n

Press y to agree to the terms, then press Enter.

 Do you agree with the terms? (y*/n) y

Enter your email and press Enter.

 Enter email(s) for notifications about problems and abuse (comma seperated): [email protected]

The output shows the Let's Encrypt certificate being configured.

 [autodiscover.exoip.com] Authorizing...
 [autodiscover.exoip.com] Authorizing using http-01 validation (SelfHosting)
 [autodiscover.exoip.com] Authorization result: valid
 [mail.exoip.com] Authorizing...
 [mail.exoip.com] Authorizing using http-01 validation (SelfHosting)
 [mail.exoip.com] Authorization result: valid
 Downloading certificate [Manual] mail.exoip.com
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] mail.exoip.com @ 2022/5/11 19:56:12 to store My
 Installation step 1/2: IIS...
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Adding new https binding *:443:mail.exoip.com
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 Adding new https binding *:443:autodiscover.exoip.com
 Committing 2 https binding changes to IIS while updating site 1
 Installation step 2/2: Script...
 Script ./Scripts/ImportExchange.ps1 starting with parameters 'D8724E991E59BEA4D3EA364AC1E3EFB2668E932F' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\PTQ-g6p-2E6SpcZkRfpOQA-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx' '********' '[Manual] mail.exoip.com @ 2021/12/12 20:23:25'
 Script finished
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\Lets Encrypt
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00

We do not want to specify the user the task runs as. Press n, then press Enter. The system user account will be used to run the task.

 Do you want to specify the user the task will run as? (y/n*) - no

 Adding renewal for [Manual] mail.exoip.com
 Next renewal due at 2022/7/5 19:55:25
 Certificate [Manual] mail.exoip.com created

Press Q and then Enter to exit the Let's Encrypt Win-ACME application.

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

 Please choose from the menu: Q

The Let's Encrypt certificate is now configured in Exchange Server.

Install the Let's Encrypt certificate with the command line

Run Command Prompt as administrator. Change to the Lets Encrypt folder and run the command. Add --verbose at the end of the command to show what is happening.

C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com,download.mail.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose

After running the command, you will be asked a few questions about the terms of service and to enter an email.

  1. Open the terms of service in the default application: press n to not open them. We can always read the terms of service by opening the PDF file in File Explorer.
  2. Agree to the terms of service: press y to agree.
  3. Email: enter your email and press Enter.

See the full output after accepting the terms of service below.

C:\>cd \program files\lets encrypt

C:\Program Files\Lets Encrypt>wacs.exe --target manual --host mail.exoip.com,autodiscover.exoip.com,download.mail.exoip.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --verbose
 [VERB] Verbose mode logging enabled
 [VERB] ExePath: C:\Program Files\Lets Encrypt\wacs.exe
 [VERB] ResourcePath: C:\Program Files\Lets Encrypt\
 [VERB] PluginPath: C:\Program Files\Lets Encrypt\
 [VERB] Looking for settings.json in C:\Program Files\Lets Encrypt\
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [DBUG] secrets.json not found
 [VERB] Arguments: --target manual --host mail.exoip.com,autodiscover.exoip.com,download.mail.exoip.com --certificatestore My --acl-fullcontrol network service,administrators --installation iis,script --installationsiteid 1 --script ./Scripts/ImportExchange.ps1 --scriptparameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}' --verbose
 [DBUG] Renewal period: 55 days
 [VERB] Sending e-mails False

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.22.1260 (release, pluggable, standalone, 64-bit)
 [INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Send GET to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Connection OK!
 [DBUG] Running with administrator credentials
 [DBUG] IIS version 10.0
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
 [INFO] Running in mode: Unattended
 [VERB] Adding 8.8.8.8 as DNS server
 [VERB] Adding 1.1.1.1 as DNS server
 [VERB] Adding 8.8.4.4 as DNS server
 [VERB] Parsed value for --host: mail.exoip.com,autodiscover.exoip.com,download.mail.exoip.com
 [VERB] No value provided for --commonname
 [INFO] Source generated using plugin Manual: mail.exoip.com and 2 alternatives
 [VERB] No value provided for --validationport
 [VERB] No value provided for --validationprotocol
 [VERB] Flag --ocsp-must-staple not present
 [VERB] Flag --reuse-privatekey not present
 [VERB] Parsed value for --certificatestore: My
 [VERB] Flag --keepexisting not present
 [VERB] Parsed value for --acl-fullcontrol: network service,administrators
 [VERB] No value provided for --ftpsiteid
 [VERB] Parsed value for --installationsiteid: 1
 [VERB] No value provided for --sslport
 [VERB] No value provided for --sslipaddress
 [VERB] Parsed value for --script: ./Scripts/ImportExchange.ps1
 [VERB] Parsed value for --scriptparameters: '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

 [VERB] Source converted into 1 order(s)
 [DBUG] Reading certificate cache
 [DBUG] No cache files found for renewal
 [DBUG] Reading certificate cache
 [DBUG] No cache files found for renewal
 [VERB] Obtain order details for Main
 [VERB] No existing order found
 [VERB] Creating order for hosts: ["DnsName: mail.exoip.com", "DnsName: autodiscover.exoip.com", "DnsName: download.mail.exoip.com"]
 [VERB] Constructing ACME protocol client...
 [VERB] Getting service directory...
 [DBUG] Send GET to https://acme-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] No account found at C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
 [VERB] No account found, creating new one
 [DBUG] Send GET to https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
 [VERB] Request completed with status OK
 [VERB] Terms of service downloaded
 [VERB] Writing terms of service to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Terms of service:   C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

 Open in default application? (y/n*) - no

 Do you agree with the terms? (y*/n) - yes

 Enter email(s) for notifications about problems and abuse (comma-separated): [email protected]

 [DBUG] Creating new ES256 signer
 [DBUG] Send HEAD to https://acme-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] Request completed with status OK
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-acct
 [VERB] Request completed with status Created
 [DBUG] Saving signer to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
 [DBUG] Saving account to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
 [VERB] ACME client initialized
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-order
 [VERB] Request completed with status Created
 [VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/539170266/87783048246 created
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/107516572406
 [VERB] Request completed with status OK
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/107516572416
 [VERB] Request completed with status OK
 [VERB] Handle authorization 1/2
 [INFO] [autodiscover.exoip.com] Authorizing...
 [VERB] [autodiscover.exoip.com] Initial authorization status: pending
 [VERB] [autodiscover.exoip.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] [autodiscover.exoip.com] Initial challenge status: pending
 [INFO] [autodiscover.exoip.com] Authorizing using http-01 validation (SelfHosting)
 [VERB] Starting commit stage
 [VERB] Commit was succesful
 [DBUG] [autodiscover.exoip.com] Submitting challenge answer
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/107516572406/DsPOPQ
 [VERB] Request completed with status OK
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/w7XzkVVwiXiMzx2QwJqSQkgwpemy6sVT-bts3XB3f6c
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/w7XzkVVwiXiMzx2QwJqSQkgwpemy6sVT-bts3XB3f6c
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/w7XzkVVwiXiMzx2QwJqSQkgwpemy6sVT-bts3XB3f6c
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/w7XzkVVwiXiMzx2QwJqSQkgwpemy6sVT-bts3XB3f6c
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/107516572406/DsPOPQ
 [VERB] Request completed with status OK
 [INFO] [autodiscover.exoip.com] Authorization result: valid
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [VERB] Handle authorization 2/2
 [INFO] [mail.exoip.com] Authorizing...
 [VERB] [mail.exoip.com] Initial authorization status: pending
 [VERB] [mail.exoip.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] [mail.exoip.com] Initial challenge status: pending
 [INFO] [mail.exoip.com] Authorizing using http-01 validation (SelfHosting)
 [VERB] Starting commit stage
 [VERB] Commit was succesful
 [DBUG] [mail.exoip.com] Submitting challenge answer
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/107516572416/_yVW1w
 [VERB] Request completed with status OK
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/NPd-4G3z1_o_g_EwNj4rFpW34gkDnSANgjyRWsFk9Kg
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/NPd-4G3z1_o_g_EwNj4rFpW34gkDnSANgjyRWsFk9Kg
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/NPd-4G3z1_o_g_EwNj4rFpW34gkDnSANgjyRWsFk9Kg
 [VERB] SelfHosting plugin serving file /.well-known/acme-challenge/NPd-4G3z1_o_g_EwNj4rFpW34gkDnSANgjyRWsFk9Kg
 [DBUG] Refreshing authorization (1/15)
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/107516572416/_yVW1w
 [VERB] Request completed with status OK
 [INFO] [mail.exoip.com] Authorization result: valid
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [VERB] Order 1/1 (Main): processing...
 [DBUG] Creating new private key at C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Orders\b5d3bcd2fa5ffa09c7962df544e418b8922717c7.order.keys...
 [DBUG] CSR stored at PwxG1EbkUkeYllA4pTvN1A-main-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-csr.pem in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [VERB] Submitting CSR
 [DBUG] Waiting for order to get ready (1/15)
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/order/539170266/87783048246
 [VERB] Request completed with status OK
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/finalize/539170266/87783048246
 [VERB] Request completed with status OK
 [INFO] Downloading certificate [Manual] mail.exoip.com
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/cert/038380a9e2e6686f2e599cec3feee42be87d
 [VERB] Request completed with status OK
 [VERB] Parsing certificate from 5800 bytes received
 [VERB] Parsing PEM data at range 0..2048
 [VERB] Parsing PEM data at range 2050..3875
 [VERB] Parsing PEM data at range 3877..5799
 [DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/cert/038380a9e2e6686f2e599cec3feee42be87d/1
 [VERB] Request completed with status OK
 [VERB] Parsing certificate from 3876 bytes received
 [VERB] Parsing PEM data at range 0..2048
 [VERB] Parsing PEM data at range 2050..3875
 [DBUG] Found 2 version(s) of the certificate
 [DBUG] Option 1 issued by DST Root CA X3 (thumb: 933C6DDEE95C9C41A40F9F50493D82BE03AD87BF)
 [DBUG] Option 2 issued by ISRG Root X1 (thumb: A053375BFE84E8B748782C7CEE15827A6AF5A405)
 [DBUG] Selected option 1
 [DBUG] Certificate written to cache file PwxG1EbkUkeYllA4pTvN1A-main-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx in certificate cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates. It will be reused when renewing within 1 day(s) as long as the --source and --csr parameters remain the same and the --force switch is not used.
 [VERB] Processing order 1/1: Main
 [VERB] W3SVC detected and running
 [VERB] No FTPSVC detected
 [DBUG] Certificate store: My
 [INFO] Store with CertificateStore...
 [INFO] Installing certificate in the certificate store
 [DBUG] Opened certificate store My
 [INFO] Adding certificate [Manual] mail.exoip.com @ 2022/5/11 20:17:25 to store My
 [VERB] CN=mail.exoip.com - CN=R3, O=Let's Encrypt, C=US (E5EB2A04299D2EA7D652EE919A563C00059E292E)
 [DBUG] Closing certificate store
 [VERB] Private key found at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeysf4cdf3b1f7376c3093ab6e08233d2a2_a3277ca2-c28c-4f25-ad1c-ecb55a72baa4
 [INFO] Add full control rights for network service
 [INFO] Add full control rights for administrators
 [VERB] CN=R3, O=Let's Encrypt, C=US - CN=ISRG Root X1, O=Internet Security Research Group, C=US (A053375BFE84E8B748782C7CEE15827A6AF5A405) already exists in CA
 [VERB] CN=ISRG Root X1, O=Internet Security Research Group, C=US - CN=DST Root CA X3, O=Digital Signature Trust Co. (933C6DDEE95C9C41A40F9F50493D82BE03AD87BF) already exists in CA
 [DBUG] Closing store CA
 [INFO] Installation step 1/2: IIS...
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [INFO] Adding new https binding *:443:mail.exoip.com
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.
 [INFO] Adding new https binding *:443:autodiscover.exoip.com
 [INFO] Committing 2 https binding changes to IIS while updating site 1
 [DBUG] No update needed for default ftp site settings
 [INFO] Installation step 2/2: Script...
 [INFO] Script ./Scripts/ImportExchange.ps1 starting with parameters 'E5EB2A04299D2EA7D652EE919A563C00059E292E' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\PwxG1EbkUkeYllA4pTvN1A-main-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx' '********' '[Manual] mail.exoip.com @ 2022/5/11 20:17:25'
 [DBUG] Process launched: powershell.exe (ID: 6616)
 [VERB] NewCertThumbprint: E5EB2A04299D2EA7D652EE919A563C00059E292E
 [VERB] ExchangeServices: IIS,SMTP,IMAP
 [VERB] LeaveOldExchangeCerts: 1
 [VERB] RenewalId:
 [VERB] CacheFile: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\PwxG1EbkUkeYllA4pTvN1A-main-9abaf6286b9e2fb42d8311899c4c9eb496dd699e-temp.pfx
 [VERB] FriendlyName: [Manual] mail.exoip.com @ 2022/5/11 20:17:25
 [VERB] Searching for Exchange snapin...
 [VERB] Microsoft.Exchange.Management.PowerShell.E2010
 [VERB] Microsoft.Exchange.Management.PowerShell.SnapIn
 [VERB] Checking if certificate can be found in the right store...
 [VERB] Waiting for process to finish...
 [VERB] Updating Exchange services...
 [VERB] Waiting for process to finish...
 [VERB] Certificate set for the following services: IIS,SMTP,IMAP
 [VERB] Process output without data received
 [VERB] Process error without data received
 [INFO] Script finished
 [VERB] Waiting for process to finish...
 [INFO] Adding Task Scheduler entry with the following settings
 [INFO] - Name win-acme renew (acme-v02.api.letsencrypt.org)
 [INFO] - Path C:\Program Files\Lets Encrypt
 [INFO] - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 [INFO] - Start at 09:00:00
 [INFO] - Random delay 04:00:00
 [INFO] - Time limit 02:00:00
 [DBUG] Creating task to run as system user
 [INFO] Adding renewal for [Manual] mail.exoip.com
 [INFO] Next renewal due at 2022/7/5 20:16:38
 [INFO] Certificate [Manual] mail.exoip.com created
 [VERB] Exiting with status code 0

Win-ACME successfully downloaded the Let's Encrypt certificate for the Exchange Server. It also correctly bound it to the Exchange services IIS, SMTP and IMAP.
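A check that the binding really took effect, as an added example that is not part of the original article or of win-acme: it asks Exchange which services the new thumbprint is enabled for, then connects to each endpoint (HTTPS with SNI, IMAP over TLS, SMTP submission via STARTTLS) and compares the certificate actually presented. It assumes it runs in the Exchange Management Shell on the server; the thumbprint and host names are the values from the output above and stand in for your own.

```powershell
# Added example (not from the original article or from win-acme): verify that the
# new certificate is enabled in Exchange and presented on the wire by every endpoint.
# Assumption: run in the Exchange Management Shell; values below come from the article's output.
$ExpectedThumbprint = 'E5EB2A04299D2EA7D652EE919A563C00059E292E'
$Probes = @(
    @{ HostName = 'mail.exoip.com';         Port = 443; StartTls = $false },  # OWA / EWS / ActiveSync
    @{ HostName = 'autodiscover.exoip.com'; Port = 443; StartTls = $false },  # Autodiscover
    @{ HostName = 'mail.exoip.com';         Port = 993; StartTls = $false },  # IMAP over TLS
    @{ HostName = 'mail.exoip.com';         Port = 587; StartTls = $true  }   # SMTP submission (STARTTLS)
)

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port, [bool]$SmtpStartTls)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    if ($SmtpStartTls) {
        # Plain-text SMTP dialogue up to STARTTLS; the TLS handshake then runs on the same socket.
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $null = $reader.ReadLine()                                   # 220 banner
        $writer.WriteLine('EHLO probe.invalid')
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        $writer.WriteLine('STARTTLS')
        $reply = $reader.ReadLine()
        if (-not $reply.StartsWith('220')) { throw "STARTTLS refused on ${HostName}:${Port}: $reply" }
    }
    # Accept any chain here; trust is judged below by comparing against the expected thumbprint.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($HostName)                             # $HostName is sent as SNI
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Close()
    return $cert
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name extension (OID 2.5.29.17), formatted as "DNS Name=a, DNS Name=b"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-ExchangeCertificateBinding {
    param([string]$Thumbprint, [object[]]$Probes)
    $problems = @()
    # 1. Exchange's view: the certificate must exist and be enabled for the services we asked for.
    $exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    foreach ($svc in 'IIS', 'SMTP', 'IMAP') {
        if ("$($exCert.Services)" -notmatch "\b$svc\b") { $problems += "Service $svc is not enabled on $Thumbprint" }
    }
    # 2. Wire view: each endpoint must present that thumbprint, covering the name, with time left.
    #    win-acme renews after 55 days of a 90-day certificate, so under 30 days means renewal failed.
    foreach ($p in $Probes) {
        $cert  = Get-RemoteTlsCertificate -HostName $p.HostName -Port $p.Port -SmtpStartTls $p.StartTls
        $where = "$($p.HostName):$($p.Port)"
        if ($cert.Thumbprint -ne $Thumbprint) { $problems += "$where presents $($cert.Thumbprint), expected $Thumbprint" }
        if ((Get-CertificateDnsNames $cert) -notcontains $p.HostName.ToLower()) { $problems += "$where certificate does not cover $($p.HostName)" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "$where certificate expires $($cert.NotAfter); check the renewal task" }
    }
    return $problems
}

$result = Test-ExchangeCertificateBinding -Thumbprint $ExpectedThumbprint -Probes $Probes
if ($result.Count -eq 0) { 'OK: every endpoint presents the expected certificate' } else { $result }
```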

In the next article, we will verify the Let's Encrypt configuration on the Exchange Server. Keep reading to learn how to check the Let's Encrypt certificate.

Did this help you install a Let's Encrypt certificate in Exchange Server?

Conclusion

In this article, you learned how to install a free Let's Encrypt certificate in Exchange Server. Design and configure the Exchange namespace before installing the Let's Encrypt certificate. Remember to open port 80 on the firewall; otherwise, Let's Encrypt cannot connect to issue the certificate.

Did you enjoy this article? You may also like getting Exchange certificates with PowerShell. Don't forget to follow us and share this article.
