Introduction
Autodiscover on Exchange could not connect and the SSL warnings were annoying, so I decided to use Let's Encrypt.
Because of how Exchange handles TLS, Outlook cannot be configured automatically when a certificate error occurs.
The DNS-01 challenge connects through the Amazon Route 53 API.
You need to issue an AWS access key ID and AWS secret access key on the Amazon side beforehand.
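The access key entered into win-acme is stored on the Exchange server, so it is worth scoping it to the one hosted zone and to the record operations the DNS-01 challenge actually needs. The following is an added example, not code from the original post or from the win-acme project: it writes a least-privilege IAM policy document for a dedicated IAM user used only by the Route 53 plugin. The hosted zone ID is a placeholder, and the TXT-only restriction relies on the Route 53 condition key for record types.

```powershell
# Added example (not from the original post or the win-acme project).
# Writes a least-privilege IAM policy for the win-acme Route 53 DNS-01 plugin:
#   - list hosted zones (the plugin has to find the zone for the domain),
#   - change and list record sets in ONE hosted zone, TXT records only,
#   - poll GetChange while waiting for propagation.
$HostedZoneId = 'Z0EXAMPLE_PLACEHOLDER'   # placeholder, replace with your own zone ID

$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindZone",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ChallengeTxtRecordsInOneZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$HostedZoneId",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": [ "TXT" ]
        }
      }
    },
    {
      "Sid": "ReadRecordsInOneZone",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$HostedZoneId"
    },
    {
      "Sid": "WaitForPropagation",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    }
  ]
}
"@

# Write the policy file next to the current directory. Attach it to a dedicated IAM user,
# e.g. with the AWS CLI:
#   aws iam create-policy --policy-name win-acme-route53 --policy-document file://win-acme-route53-policy.json
$PolicyPath = Join-Path (Get-Location) 'win-acme-route53-policy.json'
Set-Content -Path $PolicyPath -Value $PolicyDocument -Encoding ascii
Write-Host "Policy written to $PolicyPath"
```

Create the access key for that user only, not for an administrative user, and rotate it if the server is ever rebuilt; the key then cannot be used to change anything but TXT records in the one zone even if the win-acme configuration directory is read.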
Where I got stuck
Used the following:
win-acme.v2.1.17.1065.x64.pluggable.zip
plugin.validation.dns.route53.v2.1.17.1065.zip
For now, copy the plugin into the win-acme folder.
The domain was kept from being exposed externally, so I was fiddling around trying to set up the DNS-01 challenge,
and then the Exchange admin center (ECP) went completely blank after login...
I really screwed up...
The Exchange admin center appears to redirect from localhost 443 to 444, and it looks like that setting got blown away while I was messing around with win-acme...
Please don't tell me "if it's internal only, just set up a private CA with Active Directory Certificate Services"...
Investigation
I can't log in to the Exchange admin center, so I have no idea what state the certificate is in... (sweat)
There's nothing that looks like a certificate in the menu...
I launched Internet Information Services (IIS) Manager from the Windows Administrative Tools menu,
went through every item, and found it!!
I found two places...
The setting below, reached via Bindings, was left unselected,
so I set it as shown below.
Once you know this, you can delete or change it... Can we please stop running the admin console on IIS...
Once I logged in, it connected, for the time being... (sweat)
Lately it's been nothing but things like this...
The log from when it succeeded.
See here for how to check which domains to obtain the SSL certificate for:
https://www.omakase.net/blog/2021/05/outlook2019.html
When asked "Enter comma-separated list of host names, starting with the common name:", enter the two names, owa and autodiscover.
Separate multiple names with commas.
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Program Files\letsencrypt>wacs.exe
A simple Windows ACMEv2 client (WACS)
Software version 2.1.17.1065 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit
Please choose from the menu: M
Running in mode: Interactive, Advanced
Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.
1: Read site bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort
How shall we determine the domain(s) to include in the certificate?: 2
Enter comma-separated list of host names, starting with the common name: xxx.xxxx.xxx.xxxx,xxx.xxxx.xxx.xxxx
Target generated using plugin Manual: xxx.xxxx.xxx.xxxx
Suggested friendly name '[Manual] xxx.xxxx.xxx.xxxx', press to accept or type an alternative:
The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.
1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records in AWS Route 53
7: [dns-01] Create verification records manually (auto-renew not possible)
8: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
9: [dns-01] Create verification records with your own script
10: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort
How would you like prove ownership for the domain(s)?: 6
AWS IAM role for current EC2 instance (blank for default):
AWS access key ID: *******************
AWS secret access key: ****************************************
After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.
1: Elliptic Curve key
2: RSA key
C: Abort
What kind of private key should be used for the certificate?: 2
When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).
1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps
How would you like to store the certificate?: 4
1: [WebHosting] - Dedicated store for IIS
2: [My] - General computer store (for Exchange/RDS)
3: [Default] - Use global default, currently WebHosting
Choose store to use, or type the name of another unlisted store: 2
1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps
Would you like to store it in another way too?: 5
With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.
1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps
Which installation step should run first?: 1
1: Default Web Site
2: Exchange Back End
Choose site to create new bindings: 1
1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps
Add another installation step?: 3
Full instructions: https://www.win-acme.com/reference/plugins/installation/script
Enter the path to the script that you want to run after renewal: ./Scripts/ImportExchange.ps1
{CertCommonName}: Common name (primary domain name)
{CachePassword}: .pfx password
{CacheFile}: .pfx full path
{CertFriendlyName}: Certificate friendly name
{CertThumbprint}: Certificate thumbprint
{StoreType}: Type of store (CentralSsl/CertificateStore/PemFiles)
{StorePath}: Path to the store
{RenewalId}: Renewal identifier
{OldCertCommonName} Common name (primary domain name) of the previously
issued certificate
{OldCertFriendlyNam Friendly name of the previously issued certificate
{OldCertThumbprint} Thumbprint of the previously issued certificate
Enter the parameter format string for the script, e.g. "--hostname {CertCommonName}": '{CertThumbprint}' 'IIS,SMTP,POP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'
1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps
Add another installation step?: 4
Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf
Open in default application? (y/n*) - yes
Do you agree with the terms? (y*/n) - yes
Enter email(s) for notifications about problems and abuse (comma-separated): xxxx@xxxxx.xxx
[xxx.xxxx.xxx.xxxx] Authorizing...
[xxx.xxxx.xxx.xxxx] Authorizing using dns-01 validation (Route53)
Creating TXT record _acme-challenge.xxx.xxxx.xxx.xxxx with value nxxxx_xxxx-xxxx
Waiting for DNS changes propagation
[xxx.xxxx.xxx.xxxx] Preliminary validation succeeded
[xxx.xxxx.xxx.xxxx] Authorization result: valid
Deleting TXT record _acme-challenge.xxx.xxxx.xxx.xxxx with value nxxxx_xxxx-xxxx
Requesting certificate [Manual] xxx.xxxx.xxx.xxxx
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] xxx.xxxx.xxx.xxxx @ 20xx/xx/xx 11:34:40 to store My
Installation step 1/2: IIS...
Updating existing https binding :443 (flags: 0)
Adding new https binding 127.0.0.1:443:
Committing 2 https binding changes to IIS
Installation step 2/2: Script...
Script ./Scripts/ImportExchange.ps1 starting with parameters 'xxxxxxxxxxx' 'IIS,SMTP,POP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\pkr_xxx-xxxx-xxxxxxxxx-temp.pfx' 'xxxxxxxxxxxxxxxxxx=' '[Manual] xxx.xxxx.xxx.xxxx @ 2021/5/26 11:34:40'
Script finished
Scheduled task looks healthy
Adding renewal for [Manual] xxx.xxxx.xxx.xxxx
Next renewal scheduled at 20xx/xx/xx 11:33:09
Certificate [Manual] xxx.xxxx.xxx.xxxx created
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit
Please choose from the menu: Q
When it completes, an automatic renewal task has been registered in Task Scheduler, so be sure to check it!
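The two things that went wrong or needed checking above, the https binding under Bindings in IIS Manager that had lost its certificate and the renewal task in Task Scheduler, can both be checked from PowerShell instead of clicking through the consoles. The following is an added example, not code from the original post or from the win-acme project: it verifies that the certificate for the common name is in the LocalMachine\My store, that the https bindings of Default Web Site (:443) and Exchange Back End (:444) each reference a certificate that actually exists in that store, and that a win-acme scheduled task is present. The host name and the task-name pattern are assumptions.

```powershell
# Added example (not from the original post or the win-acme project).
# Post-renewal check for an Exchange server whose IIS bindings win-acme updated.
Import-Module WebAdministration

$ExpectedHost = 'owa.example.com'   # placeholder, replace with the common name given to win-acme

# 1. Newest certificate for the common name in LocalMachine\My (store "My" as chosen in win-acme)
$storeCerts = Get-ChildItem Cert:\LocalMachine\My
$cert = $storeCerts |
    Where-Object { $_.Subject -like "CN=$ExpectedHost*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate for $ExpectedHost in LocalMachine\My"
} else {
    "Certificate {0} expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter
}

# 2. Each https binding must point at a certificate hash that exists in the store.
#    A binding with no hash, or a hash that is not in the store, is the "certificate
#    not selected" state that shows up in IIS Manager under Bindings.
$storeThumbprints = $storeCerts.Thumbprint
foreach ($site in 'Default Web Site', 'Exchange Back End') {
    $bindings = Get-WebBinding -Name $site -Protocol https
    if (-not $bindings) { Write-Warning "$site has no https binding"; continue }
    foreach ($b in $bindings) {
        $hash = $b.certificateHash
        $certText = if ($hash) { $hash } else { '<none>' }
        $status = if ($hash -and ($storeThumbprints -contains $hash)) { 'OK' } else { 'MISSING' }
        "{0,-18} {1,-22} cert={2} {3}" -f $site, $b.bindingInformation, $certText, $status
    }
}

# 3. Renewal task in Task Scheduler (win-acme names it "win-acme renew (...)"; the
#    wildcard pattern is an assumption about that naming)
$tasks = Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue
if ($tasks) {
    foreach ($t in $tasks) { "Renewal task: {0} ({1})" -f $t.TaskName, $t.State }
} else {
    Write-Warning 'No win-acme scheduled task found'
}
```

Run it in an elevated PowerShell on the Exchange server after the first issuance and again after the first scheduled renewal; a MISSING line for the :444 binding of Exchange Back End is the case to look at first, since the admin center redirects to that port.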
Finally
Don't do things you're not cut out for. Ask a proper vendor!
And use a paid SSL certificate, too!
Microsoft Exchange Online sounds nice... if I had to use something... I don't want to do on-prem anymore...