Let’s Encrypt and Skype for Business

Posted by erwin on Monday, August 14, 2017

For my home lab I’m using the free certificates from Let’s Encrypt (Let’s Encrypt is a free, automated, and open Certificate Authority).

The certificates from them have 1 big limitation, they are only valid for 3 months but you can renew them “almost” automatically.

As explained In my blog last week about “Skype for Business environment running with just one public IP” I’m running my Reverse Proxy with IIS ARR (Application Request Routing). I’ll try to explain how to request and assign the free certificates for your homelab.

Configuration IIS ARR

Follow the instruction from my other blog “How to configure IIS ARR for Skype for Business

Firewall Settings

Make sure you open the following ports on your firewall, for the check only 80443 are required.

Source Destination Port Protocol Note
Any 192.168.178.34 443 TCP To Reverse Proxy
Any 192.168.178.34 80 TCP To Reverse Proxy

DNS Settings

In the next chapter you’re going to request the certificates. The mechanism works as follows: The executable is going to resolve the subdomain, so all the subdomains you want to create needs to exist on your public DNS provider.

For every resolve Let’s Encrypt is creating a cache file the .well-known folder in your webroot directory (C:\inetpub\wwwroot.well-known) This is to validate your permission for the certificate.

For my lab setup I’m using the following records:

Name Type Value
Access.skypedev.nl A 84.27.37.88
Dialin.skypedev.nl A 84.27.37.88
Lyncdiscover.skypedev.nl A 84.27.37.88
Meet.skypedev.nl A 84.27.37.88
Sip.skypedev.nl A 84.27.37.88
Skypeweb.skypedev.nl A 84.27.37.88

Request Certificate

Download the Let’s encrypt tool from here: Link Create a directory C:\Central_SSL Start your command prompt and go to the letsencrypt directory:

      .\letsencrypt.exe --san --centralsslstore C:\Central_SSL\ --accepttos

First time, enter your email address:  name@domain.com Choose for option:

      M

Enter a hostname, I’m using Access.skypedev.nl so this will be my common name. Now paste the list of subdomains you will need:

    Access.skypedev.nl,dialin.skypedev.nl,lyncdiscover.skypedev.nl,meet.skypedev.nl,sip.skypedev.nl,skypeweb.skypedev.nl

Enter a site path:

    C:\inetpub\wwwroot

Now you will be asked if you want to create a Scheduled Task, and if a special user must run this script.

Scheduled Task

Now look in the c:\Central_SSL folder and you will see all certificates. All certificates are the same only with a different name. Copy the access.skypedev.nl to the Edge Server and import certificate, below how to assign to IIS.

Assign Certificate to IIS

You only need to assign the certificate to your IIS

Click your IIS Server in IIS Manager

Click “Server Certificates”

On the right menu, choose “Import”

Go to the C:\Central_SSL directory and select the “Acces.Skypedev.nl”

There is no password on the file, Select “Web Hosting” from the certificate store and click “OK”

Now right click your “Default Web Site” and select “Bindings”

Click the 443 rule and click “Edit”

Selet the certificate from the list and click “Ok”

Now only reset your IIS and you’re ready to roll

Assign Certicate to Skype for Business Edge Server

Login to your Edge Server. Copy the PFX file to your desktop.

Now open your Skype for Business Deployment Wizard.

Go to “Install and Update Skype for Business Server System”

Click “Run Again” at Step 3 request, Install or Assign Certificates.

Click “Import Certificate”

Go to your path where you copied your certificate and click “Next”, “Next” “Finish”.

Now select your external Edge Certificate and click “Assign”

Click “Next” on the first screen, Now select your (external) certificate.

After selecting click “Next”, “Next”, Finish.

Open your Skype for Business Managemnt Shell and stop/start your Skype services.

Happy Skyping! :-)

If you have any suggestions or questions, please feel free to ask in the comments.


comments powered by Disqus