DavidRa

LetsEncrypt a 2012 R2 Web Application Proxy


DavidRa

Infrastructure Architect
Aug 3, 2015
Central Coast of NSW
www.pdconsec.net
DavidRa submitted a new resource:

LetsEncrypt a 2012 R2 Web Application Proxy - Implementing LetsEncrypt for end-to-end SSL across IIS and WAP

Overview

With Chrome (and presumably Edge and Firefox in the future) beginning to move towards an "SSL preferred" world (and I postulate a future move to "enforced SSL"), it's beginning to look like HTTPS will be required for most sites.

Microsoft-centric environments generally have websites hosted on IIS - possibly plain webs, but also LOB applications, Exchange, SharePoint etc (yes, there's the cloud - but that doesn't suit all organisations)....

frogtech

Well-Known Member
Jan 4, 2016
David,

This is absolutely amazing. I've been waiting on a comprehensive resource regarding LE for Windows Server. Thanks for the write up and I look forward to implementing it shortly.

Frogtech

DavidRa

David,

This is absolutely amazing. I've been waiting on a comprehensive resource regarding LE for Windows Server. Thanks for the write up and I look forward to implementing it shortly.

Frogtech
It's not quite complete - I still need to do a run-through completely from scratch and fix some of the screencaps (Patrick did some configuration tweaking that will hopefully help with that).

If you manage to do an implementation first, could you please note anything that is inaccurate or doesn't work, so I can update the guide?

Stanthewizzard

New Member
Apr 22, 2016
Great great post

Everything works flawlessly except in the script at the end

I got this

Invoke-Command : Cannot bind parameter because parameter 'Session' is specified more than once. To pro
values to parameters that can accept multiple values, use the array syntax. For example, "-parameter
value1,value2,value3".
At C:\letsencrypt\LetsEncryptIntegrationforWAP.ps1:39 char:20
+ Remove-PSSession -Session $TargetSession
+ ~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
+ FullyQualifiedErrorId : ParameterAlreadyBound,Microsoft.PowerShell.Commands.InvokeCommandCommand


I removed the line

Thanks again
BasementCloud

New Member
Apr 23, 2016
This was exactly what I was looking for!

Though I will note, we don't have Web Applications so I didn't follow that last part. Instead I was able to use IIS Centralized Certificates on all Proxy nodes and it works like a charm.

The only minor issue is that IIS Centralized Certificates gives me a warning: "The system cannot find the file specified", and certificates show up with a red (X), but I can view the certificate when double-clicking on it. From what I've read it has something to do with how the pfx files are generated. The work around is apparently to install and then export the certificate, but that kinda defeats the whole automated process. IIS is serving up the certificates correctly using this method, so I'm not really concerned about that and don't feel like it impacts the overall working implementation. I just thought I'd mention it in case anyone else has a similar experience.

Thanks so much for this :)
Chocodile

New Member
May 6, 2016
David. That is a great article. I am wondering how I can set up an Exchange 2016 server behind the reverse proxy with LE? I tested today setting up LE directly on an Exchange 2016 server but noticed that after I imported the cert into Exchange 2016 it gave a warning that "revocation check failed". I was wondering if I should undo that implementation of LE and instead set it up like you suggest? Any thoughts if this would work correctly with Exchange 2016 behind it?
DavidRa

I tested today setting up LE directly on an Exchange 2016 server but noticed that after I imported the cert into Exchange 2016 it gave a warning that "revocation check failed". I was wondering if I should undo that implementation of LE and instead set it up like you suggest? Any thoughts if this would work correctly with Exchange 2016 behind it?
The revocation check would ordinarily involve retrieving the CRL for the certificate; LE does not support revocation, so there isn't a CRL. Can you give some more detail about what is complaining? Is it Import-ExchangeCertificate perhaps, or Enable-ExchangeCertificate? Or is it a web browser complaining when you hit OWA? Mobile device using EAS?
Chocodile

New Member
May 6, 2016
David. I had followed Create a SAN certificate for Exchange 2016 · Lone-Coder/letsencrypt-win-simple Wiki · GitHub to set up the cert, which worked perfectly well. I went into the certificates MMC afterwards and exported the certificate and then imported it into Exchange. I honestly thought Exchange would look to that same store but via PS I did not see it. Anyways, after assigning it to IIS, SMTP, POP, IMAP via the web GUI I got that error. I ended up deleting the cert from Exchange, and importing it from
userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org as the instructions stated, and then I applied it. This time no issues. I notice there is no friendly name on the LE cert, but maybe that is normal? I came across your article during troubleshooting and liked your WAP setup. I was reading last night on setting up Exchange 2013/2016 behind a WAP but really didn't find anything, which is why I posted to see if you had done a setup like this with LE?
DavidRa

OK, time for an update or two. As GurliGebis mentions on issue 195 for the LE client, manual renewals don't work. I'm working out a good (read: scalable, manageable) way of doing this better so renewals work properly. Early thoughts are to define ALL sites on the LE management server and use the IIS plugin to renew certificates. I need to run through that and test.

My own Exchange 2013 server is reverse-proxied by WAP using LE certificates - it does work cleanly. It sounds like perhaps the original import did not include the private key or perhaps wasn't the certificate you expected it to be.
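The two problems raised above (an Exchange import that may have lost the private key, and an LE certificate with no friendly name) can both be checked from the machine certificate store before touching Exchange or WAP. The following is an added diagnostic, not part of DavidRa's guide or the letsencrypt-win-simple project; the host name is a placeholder and the issuer filter assumes the certificate was issued by a Let's Encrypt intermediate.

```powershell
# Added diagnostic (not from the guide): verify that a Let's Encrypt certificate
# in LocalMachine\My is actually usable for a given host name. Run elevated.
$HostName = 'mail.example.com'   # placeholder: replace with your published host name

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" } |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName }   # SAN / CN match

if (-not $certs) {
    Write-Warning "No Let's Encrypt certificate for $HostName found in LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # Summary of the things that commonly go wrong after an export/import cycle.
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey     # $false: the import did not carry the key
        FriendlyName  = $cert.FriendlyName      # the LE client leaves this empty
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft               # LE certificates are short-lived (90 days)
        DnsNames      = ($cert.DnsNameList.Unicode -join ', ')
    }

    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint) has no private key; re-import the PFX that contains the key rather than a .cer export."
    }
    if ($daysLeft -lt 30) {
        Write-Warning "$($cert.Thumbprint) expires in $daysLeft days; check that renewal is actually running."
    }

    # Optional: give the store entry a friendly name so it is recognisable in the
    # Exchange and IIS UIs. This only changes store metadata, not the certificate.
    if (-not $cert.FriendlyName) {
        $cert.FriendlyName = "LE $HostName (exp $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    }
}
```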

Bill1950

Member
Aug 12, 2016
Gentlemen...

I might have a few easy questions. (I admit NOT reviewing all the documentation, but support the concept.)

I could not find any reference to secure cryptographic hardware. Do you plan to implement that feature to protect the private keys and offload public / private key processing?

Are there any considerations for using SSL options and features, particularly the Private Isolated Root Mutual Authentication scheme, for securing remote access to the server(s)?
AndrewS

New Member
Jan 8, 2019
I know this is an old thread so apologies for posting here but ADFS/LetsEncrypt documentation is still really scarce.

Your guide has led me to a working ADFS implementation. I have a question though - the PowerShell script updates the SSL certs on the proxy servers but doesn't update it on the ADFS server. Is there a simple way to update the LE cert on the ADFS server too?

Thanks, Andrew.