Can you Use ‘Let’s Encrypt’ on Hybrid Exchange?

KB ID 0001770

Problem

A few months ago I wrote an article about getting free exchange certificates with Lets ‘Encrypt’. And that still works peachy, I implemented it on my test Exchange 2019 server (in Hybrid mode) and all appeared well. 

Some time later, (remember this is my test network so it’s not in production.) I noticed that mail was not getting forwarded from O365 to the on premises Exchange server. I’ve also had to fix similar problems like this before here.

These were to sort of errors I was seeing;

450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB8EUR05FT046.eop-eur05.prod.protection.outlook.com]

450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 TLS negotiation failed with error SocketError] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB3EUR04FT033.eop-eur04.prod.protection.outlook.com]

So the problem is obviously something to do with the certificate on the on premises server, so either it’s misconfigured or Microsoft O365 does not like the ‘Lets Encrypt’ certificate.

Solution

Firstly I made sure the send and receive connecters were using the correct certificate.

 

[box]

Get-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" | fl TlsCertificateName  
Get-SendConnector "Outbound to Office 365" | fl TlsCertificateName  

[/box]

Note: Above, change the server names and send connector name to match your own.

At this point I was pretty sure that the problem was with that cert so I bought myself a 12 month SSL cert (for the princely sum of $17) and used that instead.

How To Swap Hybrid Connector Certificates

Get the Thumbprint for the NEW publicly signed certificate (Get-ExchangeCertificate). Then use the following PowerShell.

[box]

$cert = Get-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
Set-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" -TlsCertificateName $tlscertificatename
Restart-Service MSExchangeTransport

[/box]

Now recheck the connectors again;

 

Then attempt to re-validate the connector in Office 365, and it works straight away.

SO NO YOU CAN’T USE ‘LETS ENCRYPT’ FREE CERTIFICATES IF YOUR EXCHANGE SERVER IS IN HYBRID MODE

Related Articles, References, Credits, or External Links

Office 365: Migrating To Exchange Online

Free Exchange Certificate

No Mail Flow On-Premises To/From Office 365

Free Certificate for IIS with Let’s Encrypt

KB ID 0001736

Problem

I’ve been aware of Let’s Encrypt for a while, they are a non profit Certification Authority, who will provide you with a free certificate, and you can use them for most things you want to secure with a digital certificate. The only reason I’ve never used them in the past is, their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month certificates! This site went down a couple of years ago because the certificate expired while I was on holiday in Las Vegas, and is was a pain to get fixed!

I’ve got some work coming up that requires me to have a publicly signed certificate, so I thought I’d give it a whirl, it was incredibly easy and painless.

  • Server OS (Server 2019 Standard build 1809)
  • IIS Version 10.0.17763.1

Free Certificate Prerequisites

Obviously you need a Windows server, with the IIS role installed, and a website that you want to secure. It does not already need to have a certificate or have https configured, if you have or have not already done that it will all be reconfigured for you! In additional you need a publicly registered domain name, you’re on my website so you know I have one of those, and finally a DNS host record (A Record) that you will use to browse to the web server. The will be ‘stamped’ onto the certificate as the certificate common name (CN).

The website will need to be publicly accessible via TCP Port 443 (https) on the IP address you’ve set in public DNS.

To do all the heavy lifting you need a peice of software, the easiest (I’ve seen) is win-acme (at time of writing the latest version is 2.1.14.996) you simply download it as a zip file.

Extract the contents of that zip file to a folder on your hard drive.

Apply For & Install the Free Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Press ‘n‘ for create certificate.

I’ve only got one website, you may be hosting multiple sites, select the appropriate number.

I’m replacing every binding (you can have multiple bindings per site, but I’ve never seen that myself) > It then shows the bindings it finds > Select ‘A’ for all.

Yes to continue > No (unless you want the EULA to open in a web window for you to read) > Yes to agree to the terms (without reading them, shame on you!) > Enter a contact email address.

The software will go and get your certificate, install it, and bind it to your website. If it fails at this point it’s usually because the name for the certificate does not match your public DNS name, or the firewall is stopping your traffic.

Force IIS to Use Let’s Encrypt Free Certificate

To force client to use HTTPS and not HTTP, you will need to tick the option below (Require SSL);

If you take a look at your certificate you will see it’s got a three month lifespan, BUT, you dont have to worry about renewing it because…

Let’s Encrypt Free Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?

Where Does Win-ACME Store its information

Good question, it took me a little while to find that out, essentially once ran it creates a new folder in %programdata% (That’s a hidden folder on the C drive usually) called win-acme all your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt IIS Free Certificate & Settings

  1. Remove the certificate from IIS.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Sheduler‘.

Related Articles, References, Credits, or External Links

NA