2018-07-20

How to use a Let's Encrypt certificate on Exchange 2016, plus Auto Renew

Let's Encrypt really is the greatest service of recent years.
Last time I used Let's Encrypt to deploy Remote Desktop Gateway; this time it is Exchange 2016's turn.

The version used is LetsEncryptWinSimple.v1.9.11.2 (direct download link).
After unzipping, I put it on the Exchange Server under C:\Cert\LetsEncryptWinSimple.v1.9.11.2
Then run letsencrypt.exe

Here I choose M

Here I choose 4, because more than one FQDN has to be entered

Then enter the main FQDN used to connect to Exchange: webmail.contoso.com
and the FQDN used for Autodiscover: autodiscover.contoso.com
Choose webmail.contoso.com.tw as the certificate's main FQDN

Choose the validation method; here I choose 3, which places the validation file in a path I specify

For the specified path, point it at the IIS site root.
Also let it set up web.config for us,
and no script needs to be run automatically after validation succeeds and the certificate is issued.

Before pressing Enter on the screenshot above, a few things have to be done first.
After Exchange 2016 is installed, IIS by default does not accept unencrypted HTTP connections, only HTTPS,
so for Let's Encrypt to validate our ownership of the name over HTTP,
HTTP has to be opened up first.

In the IIS console -> Default Web Site, click SSL Settings on the right
and untick Require SSL (remember to tick it back once the certificate has been obtained).
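As an added example (not from the original post), the same switch can be flipped from PowerShell with the WebAdministration module, and narrowed to the .well-known/acme-challenge path so that Require SSL stays on for the rest of the site. The site name "Default Web Site", the challenge path, the location string and the letsencrypt.exe path are assumptions.

```powershell
# Added example, not from the original post. Opens plain HTTP only for the ACME HTTP-01
# challenge folder of the Exchange front-end site, then restores inheritance afterwards.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'                 # assumption: the Exchange front-end site name
$ChallengePath = '.well-known/acme-challenge'       # where win-acme drops the HTTP-01 token files
$Filter        = 'system.webServer/security/access' # the section behind the "Require SSL" checkbox
$Location      = "$SiteName/$ChallengePath"         # <location> tag written into applicationHost.config

function Get-SslFlags([string]$Loc) {
    # Effective sslFlags at that location: "None" = plain HTTP allowed,
    # "Ssl" (optionally with Ssl128 / client-cert flags) = Require SSL is on
    $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Loc `
        -Filter $Filter -Name 'sslFlags'
    return [string]$attr.Value
}

function Set-SslFlags([string]$Loc, [string]$Flags) {
    # security/access is locked at server level, so the override must live in
    # applicationHost.config (a location tag), not in the folder's web.config
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Loc `
        -Filter $Filter -Name 'sslFlags' -Value $Flags
}

Write-Host "Site-wide sslFlags stay at: $(Get-SslFlags $SiteName)"

Set-SslFlags $Location 'None'
try {
    Write-Host "Challenge path sslFlags now: $(Get-SslFlags $Location)"
    # Run the issuance here (interactive, as described in the post); assumed path
    & 'C:\Cert\LetsEncryptWinSimple.v1.9.11.2\letsencrypt.exe'
}
finally {
    # Drop the override so the challenge path inherits the site's Require SSL again,
    # even if the issuance was aborted half-way
    Clear-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location -Filter $Filter
    Write-Host "Challenge path sslFlags back to: $(Get-SslFlags $Location)"
}
```

If Require SSL is ticked back site-wide as the post advises, the unattended --renew later needs plain HTTP on the challenge path again; keeping the override only on that path (that is, leaving out the finally block) avoids reopening the whole site at every renewal.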

Then press Enter; after a few validation connections the certificate is obtained.
The certificate is placed in C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org
The screenshot below of course did not succeed, since the example uses contoso.com

The Auto Renew part:

$PublishedURL = "webmail.Contoso.com"
$ExchangeServer = @("EX-01","EX-02")
$Domain = "Contoso.com"
$LetsEncryptWinSimplePath = "C:\Cert\LetsEncryptWinSimple.v1.9.11.2\"
$PFXPath = "C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org\"

Set-Location $LetsEncryptWinSimplePath
$DateTimeString = Get-Date -Format yyyyMMdd_HHmmss
# Start-Transcript cannot create the Logs folder itself, so make sure it exists
$LogDir = Join-Path (Get-Item -Path ".\").FullName "Logs"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$TranscriptLog = Join-Path $LogDir ("CertRenew_" + $DateTimeString + ".log")
Start-Transcript -Path $TranscriptLog

Write-Host ""
Write-Host "*** Cert Renew"
Write-Host ""

# win-acme only re-issues certificates that are due; otherwise the PFX on disk stays as it was
$CommandLine = $LetsEncryptWinSimplePath
$CommandLine += "letsencrypt.exe --renew"
cmd /c $CommandLine

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# win-acme 1.9.x writes <host>-all.pfx (certificate, chain and private key) with an empty password
$PFXFullPath = "$PFXPath$PublishedURL-all.pfx"
$NewCertProperties = Get-PfxCertificate -FilePath $PFXFullPath | Select-Object Thumbprint,NotAfter
# Take the newest certificate with this subject, so the comparison below is against one object, not an array
$LastCertProperties = Get-ExchangeCertificate | Where-Object {$_.Subject -eq "CN=$PublishedURL"} |
    Sort-Object NotAfter -Descending | Select-Object -First 1 -Property Thumbprint,NotAfter

$NewCertThumbprint = $NewCertProperties.Thumbprint
$NewCertNotAfter = $NewCertProperties.NotAfter
$LastCertThumbprint = $LastCertProperties.Thumbprint
$LastCertNotAfter = $LastCertProperties.NotAfter

Write-Host
Write-Host "New  Cert Thumbprint is: $NewCertThumbprint"
Write-Host "New  Cert NotAfter is: $NewCertNotAfter"
Write-Host
Write-Host "Last Cert Thumbprint is: $LastCertThumbprint"
Write-Host "Last Cert NotAfter is: $LastCertNotAfter"
Write-Host

# Never replace a working certificate with one that expires sooner
if ($NewCertNotAfter -lt $LastCertNotAfter) {
    Write-Host "New Cert's ExpireDate is less than the old one, please check."
    Stop-Transcript
    exit
}

# Same thumbprint means --renew did nothing (not due yet, or it failed): leave Exchange alone
if ($NewCertThumbprint -eq $LastCertThumbprint) {
    Write-Host "Cert doesn't change, program close, please check."
    Stop-Transcript
    exit
}

Write-Host ""
Write-Host "*** Copy Cert to Other Servers"
Write-Host ""

foreach ($ExServer in $ExchangeServer) {
    if ($ExServer -ne $Env:ComputerName) {
        # Same local path on the other server, reached through the administrative share (C: becomes C$)
        $RemotePath = "\\$ExServer.$Domain\$($PFXPath.Replace(':','$'))"
        Write-Host "Copy $PFXPath to $RemotePath"
        # Copy-Item needs an existing destination folder when it receives several files
        New-Item -ItemType Directory -Path $RemotePath -Force | Out-Null
        Get-ChildItem -Path $PFXPath | Copy-Item -Destination $RemotePath -Force -Confirm:$false
    }
}

Write-Host ""
Write-Host "*** Import New Cert"
Write-Host ""

# Empty PFX password (win-acme default); NoExport marks the imported private key as non-exportable
$CommandLine = 'C:\Windows\System32\certutil.exe -f -p "" -importpfx "' + $PFXFullPath + '" NoExport'
cmd /c $CommandLine

Write-Host ""
Write-Host "*** Enable New Cert on Exchange"
Write-Host ""

# -Force skips the prompt about replacing the default SMTP certificate
Enable-ExchangeCertificate -Thumbprint $NewCertThumbprint -Services POP,IMAP,IIS,SMTP -Force -Confirm:$false -ErrorAction Stop
Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,Services

Write-Host ""
Write-Host "*** Reset IIS"
Write-Host ""

iisreset

Write-Host ""
Write-Host "*** Remove Last Cert"
Write-Host ""

# On the very first run there is no previous certificate to remove
if ($LastCertThumbprint) {
    Remove-ExchangeCertificate -Thumbprint $LastCertThumbprint -Confirm:$false
}
Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,Services

Stop-Transcript
exit
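Added example, not part of the original post: a pre-flight check on the renewed PFX that can be dropped in before the certutil import, so that a PFX missing the Autodiscover name, missing its private key, or about to expire never gets enabled on Exchange. The PFX path, the two host names, the 30-day threshold and the function name Test-RenewedPfx are assumptions; it is meant to run in the Exchange Management Shell so that Get-ExchangeCertificate is available.

```powershell
# Added example, not from the original post. Checks a win-acme PFX before it is imported.
function Test-RenewedPfx {
    param(
        [Parameter(Mandatory)] [string]   $PfxPath,
        [Parameter(Mandatory)] [string[]] $RequiredNames,   # every FQDN Exchange is published under
        [string] $CurrentThumbprint = $null,                # thumbprint of the cert Exchange uses now
        [int]    $MinDaysValid = 30                          # reject a cert that expires sooner than this
    )
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $PfxPath)) {
        $problems.Add("PFX not found: $PfxPath")
        return [pscustomobject]@{ Ok = $false; Thumbprint = $null; NotAfter = $null; DnsNames = @(); Problems = $problems }
    }

    # win-acme 1.9.x writes the PFX with an empty password; load it without touching any store
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, ''

    if (-not $cert.HasPrivateKey) { $problems.Add("PFX contains no private key") }

    # Subject Alternative Name (OID 2.5.29.17); Format() renders one "DNS Name=host" per line on Windows
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    foreach ($name in $RequiredNames) {
        if ($dnsNames -notcontains $name.ToLower()) { $problems.Add("SAN does not cover $name") }
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt $MinDaysValid) { $problems.Add("Certificate expires in $daysLeft days (< $MinDaysValid)") }
    if ((Get-Date) -lt $cert.NotBefore) { $problems.Add("Certificate is not yet valid (NotBefore $($cert.NotBefore))") }

    # The PFX still holding the enabled certificate means --renew re-issued nothing
    if ($CurrentThumbprint -and $cert.Thumbprint -eq $CurrentThumbprint) {
        $problems.Add("PFX holds the certificate already enabled on Exchange ($CurrentThumbprint)")
    }

    return [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DnsNames   = $dnsNames
        Problems   = $problems
    }
}

# Usage with the post's paths and names (all assumed values)
$current = (Get-ExchangeCertificate | Where-Object { $_.Subject -eq 'CN=webmail.Contoso.com' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
$result = Test-RenewedPfx -PfxPath 'C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org\webmail.Contoso.com-all.pfx' `
                          -RequiredNames 'webmail.contoso.com','autodiscover.contoso.com' `
                          -CurrentThumbprint $current
$result.Problems | ForEach-Object { Write-Host "CHECK FAILED: $_" }
if (-not $result.Ok) { exit 1 }   # stop before certutil and Enable-ExchangeCertificate run
```

Placed right after the --renew step, a non-zero exit here leaves the current certificate bound and the transcript explains why, which is easier to act on than an Enable-ExchangeCertificate that half-succeeds on a certificate missing a name.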
