Were you previously running the Certify background service under a user other than Local System?
By default the background service runs as Local System, which means it doesn’t have any permission for network access (such as file copying or remote scripting). This is the only supported configuration.
To get your script to work, you should be able to edit the Deployment Task (Scripting moved to Deployment > Deployment Tasks in the most recent version and will be moving to its own Tasks tab in the next release). The deployment task has parameters for things like saved network credentials.
Assuming you have a working certificate, try a simpler script that just copies the file to see if that works for you (you could alternatively try the CCS Export script which basically does the same thing). As an aside you could also investigate using the Central Certificate Store method of sourcing your certificate for Exchange.
On another thread a user had trouble getting export to work to another machine on their domain and this was fixed by changing our LogonType that we use when impersonating network users. Perhaps you could try the same fix? See the thread “Export certificate to network/UNC path failed”.
As an aside, please don’t cross-post your issue in several places, this just bumps conversation threads and doesn’t result in more assistance being offered.
You should add some logging to your script, e.g. write output of commands to a text file. This will help troubleshooting…
For remote PS access you need to add the remote servers to the TrustedHosts setting. Check if the remote servers are listed here, or a * for any remote server: Get-Item WSMan:\localhost\Client\TrustedHosts
I use the following authentication type for a new PS session; it gave me fewer problems: -Authentication Negotiate
Check the WinRM config on the remote Exchange servers…
Did you run any other updates when installing the new Certify? Updated .NET? Might it be security related?
I’m preparing an update that uses a different authentication setting for powershell scripting, so that will be available to test soon and might help in this case.
I hadn’t implemented LE certificates for mail yet, until yesterday. Found out I needed to enable CredSSP to remotely assign certificates to services.
It’s also possible you need to create and assign an admin role to the remote user within Exchange, with the Exchange Server Certificates role added.
I was actually able to get it to work by changing:
-FileData ([Byte[]]$(Get-Content -Path \\domain.com\share\exchange-cert.pfx -Encoding byte -ReadCount 0))
to use the certificate hash.
My main problem is, the IIS certificate doesn’t update for the Exchange backend on every server. Is there a way to automate this process?
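An added example, not Certify’s own script, that pulls together the advice given in this thread: log every step to a file, check TrustedHosts first, open the session with -Authentication Negotiate, read the password-protected PFX on the Certify host and hand the bytes to the remote side (so the remote session never needs share access or CredSSP), and import/enable the certificate by its thumbprint. Server names, the share path, the PFX password and the log path are placeholders you must replace.

```powershell
# Added example (not Certify's code): push a renewed PFX to Exchange servers via PS remoting.
# Placeholders: server names, UNC path, PFX password and log path are assumed values.
param(
    [string[]]$Servers = @('exch01.domain.com', 'exch02.domain.com'),
    [string]$PfxPath = '\\domain.com\share\exchange-cert.pfx',
    [string]$PfxPassword = 'CHANGE-ME',          # the PFX must carry a password (see thread)
    [Parameter(Mandatory)][PSCredential]$Credential,  # account with the Exchange Server Certificates role
    [string]$LogPath = 'C:\Certify\logs\exchange-deploy.log'
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

# Without Kerberos, WinRM only connects to hosts listed in TrustedHosts (or '*').
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
foreach ($s in $Servers) {
    if ($trusted -ne '*' -and (($trusted -split ',') -notcontains $s)) {
        Write-Log "WARNING: ${s} is not in TrustedHosts ('$trusted'); the session may be refused."
    }
}

# Read the PFX locally (the Certify host can reach the share via saved credentials);
# the bytes travel inside the session, so no second hop to the share is needed.
$pfxBytes = [System.IO.File]::ReadAllBytes($PfxPath)
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $PfxPassword).Thumbprint
Write-Log "Read $($pfxBytes.Length) bytes from $PfxPath, thumbprint $thumb"

foreach ($s in $Servers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $s -Credential $Credential -Authentication Negotiate
        Invoke-Command -Session $session -ArgumentList $pfxBytes, $secure, $thumb -ScriptBlock {
            param([byte[]]$Bytes, [securestring]$Pwd, [string]$Thumb)
            Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop
            # Import only if this thumbprint is not already in the store, then bind by thumbprint.
            if (-not (Get-ExchangeCertificate -Thumbprint $Thumb -ErrorAction SilentlyContinue)) {
                Import-ExchangeCertificate -FileData $Bytes -Password $Pwd -PrivateKeyExportable $true | Out-Null
            }
            Enable-ExchangeCertificate -Thumbprint $Thumb -Services IIS, SMTP -Force
        }
        Write-Log "${s}: enabled certificate $thumb for IIS,SMTP"
    } catch {
        Write-Log "${s}: FAILED - $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}
```

Run it as a Certify deployment task (or by hand from the Certify host) and read the log file after each renewal to see which server, if any, rejected the session or the certificate.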
I don’t know much about running multiple exchange servers myself but for IIS you should look into using Central Certificate Store - there is a CCS deployment task for this. That way the latest cert is picked up by interested servers by using a shared UNC path, or deployment to multiple paths.
Hello, I had everything working but lately it is giving me this error: the certificate with thumbprint was found but is not valid for use with Exchange Server. What could be the issue?
Looks like Windows did an update and now certificates will not work unless they have a PFX password. In case anyone is having issues, simply add a password to the certificate and it will work fine.