News

Let'sEncrypt, OWA and IIS errors

One of the great joys of Let'sEncrypt certificates for Microsoft Exchange servers is the ability to renew and install them automatically using some form of ACME client. But things can go wrong, especially while the installation step is still being debugged.

We recently set up Let'sEncrypt for a client who was still running Exchange 2010 (MSX), which is end of life, of course, but costly to replace, and started getting errors like this in the Windows Application event log:

Log Name:      Application
Source:        System.ServiceModel 3.0.0.0

Description:
WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/48433499
 Exception: System.ServiceModel.ServiceActivationException: The service '/Autodiscover/autodiscover.xml' cannot be activated due to an exception during compilation.  The exception message is: This collection already contains an address with scheme https.  There can be at most one address per scheme in this collection. 

What this means is that the script had inadvertently created 'n' new https bindings in IIS and attached the certificate to each of them, where 'n' is the number of FQDNs in the certificate's SAN (Subject Alternative Names) field. Exchange certificates generally carry three or more FQDNs, so the script had added that many extra https bindings, each with an SNI host name matching one of the FQDNs. The WCF hosting layer (System.ServiceModel 3.0.0.0, the event source above) that serves Autodiscover accepts only one https address per site, hence the "at most one address per scheme" exception.

The image above shows the result: five SNI bindings added on top of the two existing https bindings. The fix is to delete the new SNI bindings and edit the script so that it only attaches the certificate to the existing https bindings.

Then everything works fine with no errors being logged.
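The clean-up and the corrected binding step, as an added example rather than the ACME client's own script. It assumes the renewed certificate is already in LocalMachine\My, that the WebAdministration module is available, and IIS 8 or later for the SNI flag (on IIS 7.5 the sslFlags attribute is absent and step 1 simply finds nothing); the thumbprint and site name are placeholders.

```powershell
# Added example, not the ACME client's own script. Placeholders: thumbprint
# and site name. Exchange 2010 hosts OWA and Autodiscover on Default Web Site.
Import-Module WebAdministration

$Thumbprint = 'REPLACE-WITH-THUMBPRINT'
$SiteName   = 'Default Web Site'
$Cert       = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 1. Find the per-FQDN bindings the script created. Each one has a host
#    header (third field of ip:port:host) and the SNI flag (bit 1 of
#    sslFlags). These are what trip the 'one address per scheme' rule.
$sni = @(Get-WebBinding -Name $SiteName -Protocol https) | Where-Object {
    $parts = $_.bindingInformation.Split(':')
    ($parts[2] -ne '') -and (($_.sslFlags -band 1) -eq 1)
}
foreach ($b in $sni) {
    $ip, $port, $hdr = $b.bindingInformation.Split(':')
    Write-Host "Removing SNI binding $($b.bindingInformation)"
    Remove-WebBinding -Name $SiteName -Protocol https `
        -IPAddress $ip -Port $port -HostHeader $hdr
}

# 2. Point the remaining ip:port https bindings (typically *:443 and
#    127.0.0.1:443 on Exchange 2010) at the new certificate. The
#    IIS:\SslBindings provider has no in-place update, so each entry is
#    removed and recreated; TLS on that endpoint is briefly unavailable.
foreach ($b in (Get-WebBinding -Name $SiteName -Protocol https)) {
    $ip, $port, $hdr = $b.bindingInformation.Split(':')
    if ($hdr) { continue }                     # only plain ip:port bindings
    if ($ip -eq '*') { $ip = '0.0.0.0' }       # provider spells 'all IPs' this way
    $path = "IIS:\SslBindings\$ip!$port"
    if (Test-Path $path) { Remove-Item $path }
    New-Item $path -Value $Cert | Out-Null
}

# 3. Verify: only the original bindings remain, all on the new thumbprint.
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint, Sites
```

Run step 1 on its own first (comment out steps 2 and 3) to confirm it lists only the bindings the ACME script added before anything is removed.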
