Netgate Discussion Forum

Exchange 2016 - pull LE cert from pfsense

Category: ACME
4 Posts 2 Posters 762 Views
  • sgw
    last edited by Nov 15, 2022, 1:14 PM

    What do you use for getting a LetsEncrypt-Cert created on pfsense to an MS Exchange 2016 server in LAN or DMZ?

    I currently have ACME on pfsense set up to create a SAN certificate for "imap.my.tld" and "smtp.my.tld" and have put the created p12-file on the Exchange server. For sure I would prefer to have that automated.

    In parallel there is a HAproxy frontend with SSL offloading for several other applications.

    I see the possibility to use ACME (win-acme?) on the Exchange and maybe use another port for the http-challenge.

    Yes, multiple ways of doing it. Maybe there's a rather simple PowerShell script to fetch the p12 and import it?

    • SteveITS Galactic Empire @sgw
      last edited by Nov 15, 2022, 5:11 PM

      @sgw I don't have an answer as to copying the cert.

      Back when we still managed on-premises Exchange I did experiment with LE once. I don't think I have any of the links anymore, sorry. It was quite a hassle for me to get working and while it did work a multi-SAN cert is cheap enough it didn't make sense to go through the effort. Granted it was many years ago, and I was starting from scratch with various .Net ACME clients in various stages of working, vs. most software is just "check this box to get an LE cert."

      Remember the autodiscover.* SAN as well.

      Seeing the writing on the wall, notably the high resource requirements for Exchange 2019 (128 GB RAM), and the continual need to install the quarterly updates at 1-2 hours each, all our small business clients are on 365 now.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • sgw @SteveITS
        last edited by Nov 17, 2022, 8:05 AM

        @steveits I agree on avoiding Exchange on-premise. I don't even admin that server in detail, the customer decided to run a business application on-premise that relies heavily on MS and Exchange in particular. Told him straight away I wouldn't take care of those VMs because I don't know that application and I am not an Exchange-Admin. And I don't want to become one.
        Now I slipped into setting up IMAP- and SMTP-connectors to attach an open source ticketing system... that's what led me to this certificate question.
        For now it's working, but not yet automated. Looking for a PowerShell script to scp and import that p12-cert.
        If Exchange should really require 128 GB RAM, that customer is out of the game anyway; the existing virtualization host is nearly out of RAM already.
        Thanks, Stefan

        • SteveITS Galactic Empire @sgw
          last edited by Nov 17, 2022, 3:44 PM
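A script of the kind asked for in the two sgw posts above, added here as an example and not taken from the thread, from pfSense or from Exchange documentation: it pulls the .p12 from pfSense with the Windows OpenSSH scp client, checks it, and imports and enables it with the Exchange 2016 cmdlets. Host names, the pfSense user, the remote and local paths, and the DPAPI-protected password file are assumptions.

```powershell
# Added example (not from the thread): fetch the ACME-issued PKCS#12 from pfSense
# over scp and import/enable it in Exchange 2016. Hosts, user, paths and the
# password-file location are assumed values; adjust them to the environment.
param(
    [string]$PfSenseHost    = 'pfsense.my.tld',                          # assumed
    [string]$PfSenseUser    = 'certpull',                                # assumed: key-auth only user on pfSense
    [string]$RemoteP12      = '/tmp/acme/imap.my.tld/imap.my.tld.p12',   # assumed export path on pfSense
    [string]$LocalP12       = 'C:\Certs\imap.my.tld.p12',
    [string]$PwFile         = 'C:\Certs\p12.pw',                         # DPAPI-protected p12 password
    [string]$ExchangeServer = $env:COMPUTERNAME
)
$ErrorActionPreference = 'Stop'

# 1. Fetch the file. StrictHostKeyChecking=yes requires the pfSense host key to be
#    in known_hosts of the account running this script; an unknown or changed key
#    aborts the transfer instead of prompting. BatchMode forbids password prompts.
& scp.exe -o StrictHostKeyChecking=yes -o BatchMode=yes "$PfSenseUser@${PfSenseHost}:$RemoteP12" $LocalP12
if ($LASTEXITCODE -ne 0) { throw "scp failed with exit code $LASTEXITCODE" }

# 2. Load the PKCS#12 password, stored once (as the same account) with:
#    Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\Certs\p12.pw
$p12Password = Get-Content -Path $PwFile | ConvertTo-SecureString

# 3. Inspect the downloaded certificate before touching Exchange.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LocalP12, $p12Password)
if ($newCert.NotAfter -lt (Get-Date).AddDays(7)) {
    throw "Downloaded certificate expires $($newCert.NotAfter); refusing to install it"
}

# 4. Exchange Management Shell cmdlets (no-op if the snap-in is already loaded).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Skip the import when the same certificate (by thumbprint) is already present.
$existing = Get-ExchangeCertificate -Server $ExchangeServer |
    Where-Object { $_.Thumbprint -eq $newCert.Thumbprint }
if ($existing) {
    Write-Host "Certificate $($newCert.Thumbprint) is already installed; nothing to do."
    return
}

# 5. Import with a non-exportable private key and bind it to the services the
#    thread uses (IMAP and SMTP); add IIS or POP to the list if they need it too.
$imported = Import-ExchangeCertificate -Server $ExchangeServer `
    -FileData ([System.IO.File]::ReadAllBytes($LocalP12)) `
    -Password $p12Password -PrivateKeyExportable $false
Enable-ExchangeCertificate -Server $ExchangeServer -Thumbprint $imported.Thumbprint -Services IMAP,SMTP -Force

# The private key now lives only in the machine certificate store.
Remove-Item -Path $LocalP12 -Force
Write-Host "Installed $($imported.Thumbprint), valid until $($imported.NotAfter)"
```

Run it from a scheduled task under the account that owns the known_hosts entry and the DPAPI-protected password file, shortly after the ACME renewal schedule on pfSense.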

          @sgw said in Exchange 2016 - pull LE cert from pfsense:

          If Exchange should really require 128 GB RAM, that customer is out of the game anyway

          That was basically our thought process. I checked around a bit and some people with smaller servers said Exchange 2019 seemed to be OK with 64 or 92 but in the big picture I think Microsoft expects enterprises to run their own servers, and everyone else to use 365.

          re: maintenance, Microsoft only releases security updates for supported versions of Exchange which is the last two Cumulative Updates of each version. This MS page is noisy but if you look closely only the Exchange 2016 CU22 and CU23 lines have links because they are supported, and CU21 has no updates after March. Essentially, every 3-6 months one must install a CU which in my experience takes 2-3 hours because it's essentially a full Exchange install each time. If someone isn't installing those, no security updates for Exchange are installed via Windows Update. It just quietly doesn't see any.

          Exchange 2016 ends support in Oct. 2025. Microsoft only allows/supports migrations for the prior two versions. So your customer will need to move to Exchange 2019 or "Exchange 2022" or whatever it will be called by 2025.

          None of that is anywhere near your question but that's why we moved off local hosting, and none of it is our problem anymore. :)


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.