ImportExchange script needs additional steps

[mauriciocirelli]

Dear,

I have been using win-acme to renew Microsoft Exchange 2013 certificates for my organization for several months so far.
Everytime a certificate is renewed, I get certificate warnings on OWA.
In order to fix it, I have found that I had to run the following commands in Exchange Management Shell:

Set-AuthConfig -NewCertificateThumbprint {{THUMBPRINT}} -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

Doing so and restarting Microsoft Exchange Service Host and WebAppPools (OWA and ECP) fixes the issue.

It seems that the script is installing the certificate but it is not publishing it.

Any thoughts would be much appreciated.

Thank you.

[WouterTinus]

I don't know enough about Exchange to make any authoritative comments on those commands, I just know that there are many different versions and deployment scenarios, perhaps too many for one (example) script to rule them all.

My advice would be to create your own copy of the example, modify it to your needs, and point your renewal to use that one. I'm happy to accept PR for an improved example but I'd only trust if it was tested on multiple versions of Exchange.

[tapsiturtle]

We have the same with Exchange 2016 and 2019. I will try the mentioned commands and see if they help. Unfortunately i don*t have time in the next two weeks for testing but i hope these commands will solve this problem.

[Legacy777]

Did you setup these certificates via the command line or the interactive menu? I used the command line text as noted in the example on Exchange 2019 and it's been working without any issues. I've got 10 renewals that have worked great, the certificate updated and applied to the appropriate services, and the old one removed.

[mauriciocirelli]

@Legacy777 I have done it using the command line.
However, I am using Exchange 2013. I think it is very different from 2019.
We have moved to Exchange Online some months ago, so Exchange Servers integration is not an issue for us anymore.

[Legacy777]

@mauriciocirelli, sorry I didn't pay attention to the date on this.

[darthmarx]

Please note that

Set-AuthConfig -NewCertificateThumbprint

applies to the Exchange Server Auth Certificate only. The Certificate issued with win-acme is only for front end connectivity.

[DavidMatthewson]

I'm just about to try this on an MSX 2010 box and will report back what happens.. Probably on Monday/Tuesday 15th 16th.

[DavidMatthewson]

OK, I tried this on an MSX 2010 box, using the 'v1' ImportExchange.ps1 script, and it seems to be working fine.

The sample script looks like this:
wacs.exe --source manual --host mail.example.com,webmail.example.com,autodiscover.example.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

I changed the --host names to match what I needed, and set the 'clean up old certs' flag from '1' to '0' , so IIS,SMTP,IMAP' 1 becomes IIS,SMTP,IMAP' 0

The first time I ran it th logs showed warnings for the IIS bindings:
*:443:autodiscover.company.net
[WARN] Our best match was the default binding and it seems there are other non-SNI enabled bindings listening to the same endpoint, which means we cannot update it without potentially causing problems. Instead, a new binding will be created. You may manually update the bindings if you want IIS to be configured in a different way.

And indeed this was true. So I ended up with 4 more bindings, one for each --host value,as well as the 2 default ones. This still seems to work fine, OWA works and SMTP is using the correct cert.

The second time I ran the script I got no warnings or errors - so I can confirm it works fine with MSX 2010 - out of the box. Great stuff.