Options for Server 2008 R2

Good day everyone,
I’ll apologise in advance if this has already been covered.
I have a client who has recently become aware they are going to be affected by the need to have ACME v2 certs and tried to update their installed version of Certify The Web, but because their server is running Windows 2008 R2 they cannot install the version of the .NET Framework the newest version requires.
So I got thinking that maybe there is an older version between the 3.0.11 they currently have and the latest one that will work with Server 2008 R2 and still issue ACME v2 certs.

Hi,
You will need at least 2008 R2 SP1 to be able to install .NET 4.6.2 or higher. Unfortunately your only options are:

  • Move to a newer OS version
  • or, use a different tool
  • or, put a reverse proxy (nginx, IIS, Cloudflare (free)) in front of the server so that internet traffic connects to HTTPS on the proxy, which then requests from the backend. This is the safest method if you intend to keep the 2008 server running, as it’s no longer supported by Microsoft, so it may no longer be patched.

Ah, I didn’t think it was going to be as easy as using an older version of CTW. I’m working on convincing them to replace their server at the moment; it’s quite old.
Any suggestions for a different tool? I’m looking at possibly using win-acme at the moment, but it’s throwing an error when I go to run it. I’m open to suggestions for other tools as well.
Any personal preference between the suggestions for a reverse proxy?

Here’s another angle for you all. This client has a second server that is running Server 2012 and shouldn’t have any issues getting the updated version of CTW installed. Would this be a suitable workaround for this client’s situation, or does the CTW client need to be on the same server as the Exchange server?

You could use DNS validation to request the cert on any machine, then use Show Advanced Options > Scripting (or a Certify The Web v5 Deployment Task) to script the certificate copy, install and association with MS Exchange on the other machine. Depends on your PowerShell skills!
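The "request on one machine, deploy to the Exchange server" idea above, as an added example script; it is not from this thread or from the Certify The Web project. It assumes (hypothetically) that Certify The Web invokes the script after a renewal with a `$result` object exposing `.IsSuccess` and `.ManagedItem.CertificatePath`, that the Exchange server (2010 or later) has the default remote PowerShell endpoint enabled, and that the account running the Certify The Web service holds an Exchange role that allows certificate management. The host name, URI and PFX password are placeholders.

```powershell
# Added example: deploy a freshly issued PFX from the Certify The Web machine
# to a separate Exchange server over remote PowerShell. Not project code.
# Assumed (hypothetical) hook interface: $result.IsSuccess and
# $result.ManagedItem.CertificatePath. Placeholders: host name, URI, password.
param($result)

$ExchangeHost = 'EXCHANGE01'                           # placeholder
$ExchangeUri  = "http://$ExchangeHost/PowerShell/"    # default Exchange remoting endpoint
$PfxPassword  = ConvertTo-SecureString 'PFX-PASSWORD-PLACEHOLDER' -AsPlainText -Force

if (-not $result.IsSuccess) {
    Write-Warning 'Certificate request/renewal did not succeed; nothing to deploy.'
    return
}

# Read the PFX as raw bytes. Import-ExchangeCertificate accepts the bytes directly,
# so the private key never has to be copied to a share or left on the Exchange disk.
$pfxBytes = [byte[]](Get-Content -Path $result.ManagedItem.CertificatePath -Encoding Byte -ReadCount 0)

# Open a remote Exchange Management Shell session using the caller's Kerberos identity.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri $ExchangeUri -Authentication Kerberos
try {
    Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

    # Import into the Exchange server's machine store and bind to IIS (OWA/EWS/ActiveSync) and SMTP.
    $cert = Import-ExchangeCertificate -Server $ExchangeHost -FileData $pfxBytes -Password $PfxPassword
    Enable-ExchangeCertificate -Server $ExchangeHost -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

    # Verify the binding took effect rather than trusting the silent return.
    $active = Get-ExchangeCertificate -Server $ExchangeHost -Thumbprint $cert.Thumbprint
    if ($active.Services -notmatch 'IIS') {
        throw "Certificate $($cert.Thumbprint) was imported but not bound to IIS on $ExchangeHost."
    }
    Write-Output "Deployed certificate $($cert.Thumbprint) to $ExchangeHost (services: $($active.Services))"
}
finally {
    Remove-PSSession $session
}
```

Running the deployment under a dedicated, least-privileged account (one holding only the Exchange certificate-management role) keeps the Certify The Web host from becoming a full Exchange administrator, and the explicit `Get-ExchangeCertificate` check makes a failed binding show up in the renewal log instead of surfacing later as an expired certificate.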

With v5 (beta), if you can configure Exchange to use the Centralised Certificate Store you could just use the CCS deployment task for that, so you can impersonate the required network user etc.

For reverse proxy I use Cloudflare (free) but you need to move all your DNS for that domain for that to work. For old servers you really need to reverse proxy them if you can because they’re just not safe on the internet (and may even still be vulnerable when proxied if they lack a security patch).