DavidRa

How-to Guide LetsEncrypt a 2012 R2 Web Application Proxy

Implementing LetsEncrypt for end-to-end SSL across IIS and WAP

  1. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    DavidRa submitted a new resource:

    LetsEncrypt a 2012 R2 Web Application Proxy - Implementing LetsEncrypt for end-to-end SSL across IIS and WAP

    #1
  2. frogtech

    frogtech Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    1,141
    Likes Received:
    117
    David,

    This is absolutely amazing. I've been waiting on a comprehensive resource regarding LE for Windows Server. Thanks for the write up and I look forward to implementing it shortly.

    Frogtech
     
    #2
    Chuntzu and Patrick like this.
  3. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    It's not quite complete - I still need to do a run-through completely from scratch and fix some of the screencaps (Patrick did some configuration tweaking that will hopefully help with that).

    If you manage to do an implementation first, could you please note anything that is inaccurate or doesn't work, so I can update the guide?
     
    #3
    chilipepperz likes this.
  4. chilipepperz

    chilipepperz Active Member

    Joined:
    Mar 17, 2016
    Messages:
    179
    Likes Received:
    59
    Good job David.
     
    #4
  5. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    #5
    Chuntzu and Patrick like this.
  6. Stanthewizzard

    Stanthewizzard New Member

    Joined:
    Apr 22, 2016
    Messages:
    1
    Likes Received:
    0
    Great great post

    Everything works flawlessly except in the script at the end

    I got this

    Invoke-Command : Cannot bind parameter because parameter 'Session' is specified more than once. To pro
    values to parameters that can accept multiple values, use the array syntax. For example, "-parameter
    value1,value2,value3".
    At C:\letsencrypt\LetsEncryptIntegrationforWAP.ps1:39 char:20
    + Remove-PSSession -Session $TargetSession
    + ~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
    + FullyQualifiedErrorId : ParameterAlreadyBound,Microsoft.PowerShell.Commands.InvokeCommandCommand


    I removed the line

    Thanks again
     
    #6
  7. JTTechNet

    JTTechNet New Member

    Joined:
    Apr 23, 2016
    Messages:
    1
    Likes Received:
    0
    This was exactly what I was looking for!

    Though I will note, we don't have Web Applications so I didn't follow that last part. Instead I was able to use IIS Centralized Certificates on all Proxy nodes and it works like a charm.

    The only minor issue is that IIS Centralized Certificates gives me a warning: "The system cannot find the file specified", and certificates show up with a red (X), but I can view the certificate when double-clicking on it. From what I've read it has something to do with how the pfx files are generated. The workaround is apparently to install and then export the certificate, but that kinda defeats the whole automated process. IIS is serving up the certificates correctly using this method, so I'm not really concerned about that and don't feel like it impacts the overall working implementation. I just thought I'd mention it in case anyone else has a similar experience.

    Thanks so much for this :)
     
    #7
  8. Chocodile

    Chocodile New Member

    Joined:
    May 6, 2016
    Messages:
    2
    Likes Received:
    0
    David. That is a great article. I am wondering how I can set up an Exchange 2016 server behind the reverse proxy with LE? I tested today setting up LE directly on an Exchange 2016 server but noticed that after I imported the cert into Exchange 2016 it gave a warning that "revocation check failed". I was wondering if I should undo that implementation of LE and instead set it up like you suggest? Any thoughts on whether this would work correctly with Exchange 2016 behind it?
     
    #8
  9. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    The revocation check would ordinarily involve retrieving the CRL for the certificate; LE does not support revocation, so there isn't a CRL. Can you give some more detail about what is complaining? Is it Import-ExchangeCertificate perhaps, or Enable-ExchangeCertificate? Or is it a web browser complaining when you hit OWA? Mobile device using EAS?
     
    #9
  10. Chocodile

    Chocodile New Member

    Joined:
    May 6, 2016
    Messages:
    2
    Likes Received:
    0
    David. I had followed Create a SAN certificate for Exchange 2016 · Lone-Coder/letsencrypt-win-simple Wiki · GitHub to set up the cert, which worked perfectly well. I went into the certificates MMC afterwards and exported the certificate and then imported it into Exchange. I honestly thought Exchange would look to that same store, but via PS I did not see it. Anyway, after assigning it to IIS, SMTP, POP and IMAP via the web GUI I got that error. I ended up deleting the cert from Exchange and importing it from userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org, which the instructions stated, and then I applied it. This time no issues. I notice there is no friendly name on the LE cert, but maybe that is normal? I came across your article during troubleshooting and liked your WAP setup. I was reading last night on setting up Exchange 2013/2016 behind a WAP but really didn't find anything, which is why I posted to see if you had done a setup like this with LE?
     
    #10
  11. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    OK, time for an update or two. As GurliGebis mentions on issue 195 for the LE client, manual renewals don't work. I'm working out a good (read: scalable, manageable) way of doing this better so renewals work properly. Early thoughts are to define ALL sites on the LE management server and use the IIS plugin to renew certificates. I need to run through that and test.

    My own Exchange 2013 server is reverse-proxied by WAP using LE certificates - it does work cleanly. It sounds like perhaps the original import did not include the private key or perhaps wasn't the certificate you expected it to be.
     
    #11
    Patrick likes this.
  12. Bill1950

    Bill1950 Member

    Joined:
    Aug 12, 2016
    Messages:
    98
    Likes Received:
    18
    Gentlemen...

    I might have a few easy questions. (I admit NOT reviewing all the documentation, but support the concept.)

    I could not find any reference to secure cryptographic hardware. Do you plan to implement that feature to protect the private keys and offload public / private key processing?

    Are there any considerations for using SSL options and features, particularly the Private Isolated Root Mutual Authentication scheme, for securing remote access to the server(s)?
     
    #12
  13. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    249
    Likes Received:
    107
    Well, it's not up to us to implement either of those schemes - you're far better off, I think, asking the question on the LetsEncrypt forums.
     
    #13
  14. AndrewS

    AndrewS New Member

    Joined:
    Jan 8, 2019
    Messages:
    1
    Likes Received:
    0
    I know this is an old thread so apologies for posting here but ADFS/LetsEncrypt documentation is still really scarce.

    Your guide has led me to a working ADFS implementation. I have a question though - the PowerShell script updates the SSL certs on the proxy servers but doesn't update the certificate on the ADFS server. Is there a simple way to update the LE cert on the ADFS server too?

    Thanks, Andrew.
     
    #14
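
    A PowerShell check for the certificate problems discussed in posts #9 to #11 (an import that lost its private key, no friendly name on the LE cert) and for the question in #14 (binding the renewed certificate on the AD FS server itself). This is an added example, not part of DavidRa's guide or script: the function name Select-LeCertificate, the host name parameter and the assumption that it runs on the AD FS server are mine; Set-AdfsSslCertificate and Set-AdfsCertificate are the standard AD FS cmdlets.

```powershell
# Added example, not from the guide. Finds the current Let's Encrypt certificate
# for a host in the machine store, checks it is actually usable (private key present,
# not expired, SAN matches), gives it a friendly name, and optionally binds it to AD FS.
function Select-LeCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # e.g. adfs.example.com (assumed)
        [switch] $ApplyToAdfs                         # only bind when explicitly asked
    )

    # An export/import that dropped the private key is the failure mode from post #11:
    # the cert is visible in the store but HasPrivateKey is $false and TLS cannot use it.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.DnsNameList.Unicode -contains $HostName)
        }

    if (-not $candidates) {
        throw "No unexpired certificate with a private key for '$HostName' in LocalMachine\My."
    }

    # After a renewal both the old and the new cert are present; take the newest.
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

    # LE certificates are issued without a friendly name (post #10); setting the
    # property on a store-backed certificate persists it, which makes MMC and
    # Exchange/IIS pickers far less error-prone.
    if (-not $cert.FriendlyName) {
        $cert.FriendlyName = "LetsEncrypt $HostName (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    }

    Write-Output ("Selected {0} issued by '{1}', valid until {2}" -f
        $cert.Thumbprint, $cert.Issuer, $cert.NotAfter)

    if ($ApplyToAdfs) {
        # Run on the AD FS server (every node in a farm). The AD FS service account
        # needs read access to the private key, and the service should be restarted
        # afterwards (Restart-Service adfssrv) for the new binding to take effect.
        Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
        Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
    }

    return $cert
}

# Dry run: report only. Add -ApplyToAdfs to bind the certificate.
Select-LeCertificate -HostName 'adfs.example.com'
```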