Exchange ACME PowerShell Script

This is the PowerShell script I use to automatically update a Let’s Encrypt SSL Certificate on Exchange 2016 running on Windows Server 2016 using Posh-ACME.  Let’s Encrypt certificates are valid for 3 months, but I set the script to run once a month, so that if there is some type of temporary problem it gets two more tries before the expiration.

# Install the Posh-ACME module.
Install-Module -Name Posh-ACME
# Use the production server.
Set-PAServer LE_PROD
# Define the variables.
$contact = 'user@example.com'
$pluginArguments = @{GDKey='xxxxxxxxxxxxxxxx';GDSecret='xxxxxxxxxxxxxxxx'}
$pfxPassword = 'SuperSecretPassword'
$certificatePath = 'C:\Users\administrator\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\12345678\mail.example.com\cert.pfx'
$certFriendlyName = "mail.example.com_$($(get-date -format yyyy-MM-dd--HH-mm))"

# Generate the certificate (parameters splatted for readability; same call as before).
$certParams = @{
    Domain     = 'mail.example.com','autodiscover.example.com','mail.domain.com','autodiscover.domain.com'
    AcceptTOS  = $true
    Contact    = $contact
    DnsPlugin  = 'GoDaddy','GoDaddy','GoDaddy','GoDaddy'
    PluginArgs = $pluginArguments
    DnsAlias   = 'mail.example.acme.example.com','autodiscover.example.acme.example.com','mail.domain.acme.example.com','autodiscover.domain.acme.example.com'
    PfxPass    = $pfxPassword
    Force      = $true
}
New-PACertificate @certParams

# Load the Exchange Management PowerShell snap-in (called directly; Invoke-Expression is not needed).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Import the certificate into Exchange and set it to run all the necessary services.
Import-ExchangeCertificate -FileName $certificatePath -FriendlyName $certFriendlyName -Password (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS -Force

# Restart IIS.
iisreset

# Disable "Require SSL" for the Default Web Site. This allows IIS to redirect HTTP requests to HTTPS if configured (optional).
Set-WebConfiguration -Location "Default Web Site" -Filter 'system.webserver/security/access' -Value None
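As an added example (not part of the original post), a variant of the script above that keeps the GoDaddy key, secret and PFX password out of the script file and only restarts IIS once the newly issued certificate is confirmed bound in Exchange. The file paths, domain names and contact address are assumed placeholders, and the DnsAlias delegation of the original is left out.

```powershell
# Assumed: Exchange snap-in loaded and Posh-ACME pointed at LE_PROD, as in the script above.
# The two credential files are assumed paths, created once, interactively, by the account
# the scheduled task runs as. Export-Clixml protects the password with DPAPI, so only
# that user on this machine can read it back, and no secret sits in the script file:
#   Get-Credential -Message 'GoDaddy key as user name, secret as password' | Export-Clixml C:\ProgramData\AcmeRenew\godaddy.xml
#   Get-Credential -Message 'any user name, PFX password as password'      | Export-Clixml C:\ProgramData\AcmeRenew\pfx.xml
$gd       = Import-Clixml 'C:\ProgramData\AcmeRenew\godaddy.xml'
$pfx      = Import-Clixml 'C:\ProgramData\AcmeRenew\pfx.xml'
$domains  = 'mail.example.com', 'autodiscover.example.com'   # assumed names
$services = 'POP', 'IMAP', 'SMTP', 'IIS'

function Test-ExchangeCertificateBinding {
    # $true only if this thumbprint is installed in Exchange, unexpired, and
    # enabled for every expected service; otherwise warn and return $false.
    param([string]$Thumbprint, [string[]]$Services)
    $exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $exCert) { Write-Warning "Thumbprint $Thumbprint not found in Exchange"; return $false }
    if ($exCert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate is already expired'; return $false }
    $bound   = "$($exCert.Services)" -split ',\s*'     # e.g. "IMAP, POP, SMTP, IIS"
    $missing = $Services | Where-Object { $_ -notin $bound }
    if ($missing) { Write-Warning "Not enabled for: $($missing -join ', ')"; return $false }
    return $true
}

# Issue the certificate as the original does, with the secrets read from the
# protected files. -Force reissues even when the order is not yet due, which is
# what the monthly schedule relies on.
$cert = New-PACertificate $domains -AcceptTOS -Contact 'user@example.com' `
    -DnsPlugin GoDaddy, GoDaddy `
    -PluginArgs @{ GDKey = $gd.UserName; GDSecret = $gd.GetNetworkCredential().Password } `
    -PfxPass $pfx.GetNetworkCredential().Password -Force
if (-not $cert) { Write-Error 'Posh-ACME returned no certificate'; exit 1 }

# Use the PFX path Posh-ACME reports instead of a hand-typed account-id path,
# enable the services, then verify the binding before restarting IIS.
$friendly = "$($domains[0])_$(Get-Date -Format 'yyyy-MM-dd--HH-mm')"
Import-ExchangeCertificate -FileName $cert.PfxFile -FriendlyName $friendly -Password $pfx.Password |
    Enable-ExchangeCertificate -Services ($services -join ',') -Force
if (Test-ExchangeCertificateBinding -Thumbprint $cert.Thumbprint -Services $services) {
    iisreset
} else {
    # Leave the old binding alone and fail the task so the failure is visible.
    Write-Error 'New certificate is not correctly bound in Exchange; IIS was not restarted'
    exit 1
}
```

Posh-ACME itself saves the plugin arguments alongside the order under the running user's profile, so that directory still needs the same access restrictions as the credential files.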

1 comment

  1. I received the following email:

    Thanks for posting the script for posh-acme on exchange, it works great! I made a slightly modified version I wanted to share. Cool website and thanks again

    #Set-PAServer LE_STAGE # testing, dry run.
    Set-PAServer LE_PROD # production use

    # Domain
    Set-PAOrder example.com

    # Check renew.
    $cert = Submit-Renewal

    # Do something.
    if ($cert) {

        $certFriendlyName = "example.com_$($(get-date -format yyyy-MM-dd--HH-mm))"
        $certificatePath = "C:\certs\example.com\$certFriendlyName.pfx"
        $pfxPassword = 'pfxpass'

        # COPY CURRENT CERT TO PATH. %appdata%\Posh-ACME\
        $cert = Get-PACertificate
        Copy-Item -Path $cert.PfxFile -Destination $certificatePath

        # Load the Exchange Management PowerShell snap-in.
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

        # Import the certificate into Exchange and set it to run all the necessary services.
        Import-ExchangeCertificate -FileName $certificatePath -FriendlyName $certFriendlyName -Password (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS -Force

        # Restart IIS
        iisreset

        # Disable "Require SSL" for the Default Web Site. This allows IIS to redirect HTTP requests to HTTPS if configured (optional).
        Set-WebConfiguration -Location "Default Web Site" -Filter 'system.webserver/security/access' -Value None

        #Send email
        Send-MailMessage -From 'acme@example.com' -To 'admin@example.com' -Subject 'CERT RENEW: example.com' -Body "Renewed Cert: $certFriendlyName" -SmtpServer 127.0.0.1

    }

    exit
