I was having trouble getting the included scripts to work with Exchange today and after a few hours and many retries I was finally able to get everything working after making some adjustments to the scripts and commands. I wanted to share this information, and ask that it be considered for review and possible adjustments to the existing scripts and wiki.
The first adjustment I needed to make was that this line, https://github.com/PKISharp/win-acme/blob/634d3f4137364524b2f852fec462e097a6981043/letsencrypt-win-simple/Scripts/ImportExchange.ps1#L94, needed to be changed to:

```powershell
FileName = $StorePath
```
Then I made a new file called `./Scripts/PSExchange.bat` containing the following:

```bat
powershell.exe -ExecutionPolicy Bypass -File ./Scripts/ImportExchange.ps1 %2 IIS,SMTP,IMAP,POP 1 %1 %3
```
It is important that IIS is included in the services being set above, because that makes sure that Exchange is using the new cert for MAPI and Autodiscover (which is what lets local Outlook clients connect to Exchange), and the IIS plugin alone doesn't seem to get the job done for Exchange. Also, for whatever reason, I had trouble passing the services as a parameter in `--scriptparameters`, but it worked fine when I included it directly in the bat file above. Also, I am using `Bypass` for the ExecutionPolicy because `RemoteSigned` doesn't work with the included scripts since they are not signed, and `Unrestricted` would result in the bat file timing out trying to run the PowerShell script for me because it was prompting to Run Once but not receiving a response. `Bypass` seems to work without issue.
Lastly, the command I used to run everything was this:

```bat
letsencrypt.exe --plugin manual --manualhost mail.example.com,autodiscover.example.com --validation selfhosting --installation iis,manual --installationsiteid 1 --script "./Scripts/PSExchange.bat" --scriptparameters "{0} {5} {2}"
```
Note that we're passing `{2}`, which is the full path and filename of the pfx, to the PowerShell script, which is why the first change was necessary. Also, we're not using a Central SSL store for this (I tried but had no luck getting that to work).
I hope this information is helpful to some others and the things I described above make sense and could be considered for adjustments to the scripts included in win-acme.
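As an added example that is not part of the issue or of the win-acme project: after `PSExchange.bat` has run, this script checks from the client side that each implicit-TLS endpoint on the Exchange host now presents the certificate from the PFX that win-acme passed as `{2}`, i.e. that the IIS/IMAP/POP bindings really switched. The PFX password (empty by default here), the hostname and the port list are assumptions; SMTP is left out because it needs a STARTTLS exchange before the TLS handshake.

```powershell
# Added example, not from the issue or win-acme. Compares the certificate each
# TLS endpoint presents with the certificate inside the PFX that was imported.
param(
    [Parameter(Mandatory)][string]$PfxPath,        # the value win-acme passes as {2}
    [string]$PfxPassword = '',                     # assumption: PFX has no password
    [string]$HostName = 'mail.example.com',        # assumption: host from the issue
    [int[]]$Ports = @(443, 993, 995)               # IIS (HTTPS/MAPI/Autodiscover), IMAPS, POP3S
)

# Load the expected certificate from the PFX; Thumbprint is the SHA-1 hash string.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

function Get-PresentedThumbprint {
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept whatever the server presents here: we only want to read it,
        # the actual comparison against the expected thumbprint happens below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Target)   # SNI = $Target, so name-based bindings are exercised
        return $ssl.RemoteCertificate.GetCertHashString()
    } finally {
        $client.Close()
    }
}

$allOk = $true
foreach ($port in $Ports) {
    $actual = Get-PresentedThumbprint -Target $HostName -Port $port
    if ($actual -eq $expected.Thumbprint) {
        Write-Output ("{0}:{1} presents the new certificate {2}" -f $HostName, $port, $actual)
    } else {
        Write-Warning ("{0}:{1} still presents {2}, expected {3}" -f $HostName, $port, $actual, $expected.Thumbprint)
        $allOk = $false
    }
}

# Non-zero exit so the check can fail a scheduled task or a post-renewal hook.
if (-not $allOk) { exit 1 }
```

Run it from any machine that can reach the Exchange host on those ports; a warning for port 443 is the symptom the issue describes when IIS is missing from the services list.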