New to certs. hMail on Win10, working fine, renewing seems terrifying

Hello all.

Seasoned network engineer, I'll admit I've a bare-arsed baby's knowledge on SSL certs though and am hoping for a bit of guidance on going through a cert renewal.

That said, I'm running hMail on a Windows 10 box, 4 domains hosting mail. No IIS, no webservers, just hMail.

I managed to get hMail up and running great. Using CTW, I was able to get my first letsencrypt certs for all 4 domains, and the wildcard sub for each for a total of 8 hosts (i.e. harmfamily.com and *.harmfamily.com) on the one certificate. I read this was the easiest and preferred method for this and so far it works great.

I used DNS auth via GoDaddy DNS API for authentication. The “acme” keys in DNS were created and I got a certificate.

For hMail to use these for SSL/TLS, I had to go find my actual cert file in C:\ProgramData\Certify\certes\assets\pfx, and then command line openssl to extract the certificate and key to .pem and .key files. I create a “certs” pair in hMail by giving it these 2 files and a name, “certs”. Lastly, these certs are bound to appropriate SMTP ports to handle the encryption of the mail.

Everything is working perfectly at this point. However, my first 30 days are up soon, and CTW is set to autorenew. Here are the questions:

  • I understand there is a CTW service running that will attempt to renew the certificate at this 30 day mark. Assuming it completes correctly, I’ve set it to deploy to Certificate Store only. Does this mean it will put a second, identical certificate (aside from a later expiration date) in the same path (C:\ProgramData\Certify\certes\assets\pfx), as well as in the MMC snap-in for certificates, where I will now see 2 certificates, one expiring later than the other?

  • Knowing I had to manually extract the certificate.pem and private.key from my original certificate using command line openssl to make it work with hMail, do I NEED to do this again, then recreate a new “certs” with these new keys so hMail is updated, OR, will that first .pem/.key set still continue to function?

Nothing is changing on the server. No new or deleted domains, etc.

I think that’s all I’m looking for at the moment. I have read a lot and just can’t find enough information that pertains to my situation that gives me confidence I won’t manage to screw this up somehow. Everything is working flawlessly but I have to get comfortable with this new-to-me certificate renewal process, and until I get a few successes under my belt, I hope I can ask a few questions here and there.

Sorry for the War and Peace uncut edition, just wanted to provide enough background to help you help me. :). Not sure I succeeded, but I tried and I’m happy to clarify if needed. I’d be very grateful for any assistance and guidance, thanks all.

KMac

1 Like

Hi, glad you find it useful!

Yes, when renewal happens you will indeed have to update the .pem file and .key you are using.

You should check out the Scripting option (Show Advanced Options) and also check out other pem file questions on this forum such as this: Filezilla Server PS Script

The next major release (which will be in beta soon) will have new deployment options which export .pem/.key etc to the location of your choice, which will mostly remove the need for scripting.

My friend, CTW isn’t just useful, it’s a godsend, eternal thanks for your generosity! On that note, perhaps there’s a donation PayPal or some other way to donate a few bucks in gratitude?

Thanks for the quick reply and guidance, very helpful. I will dig into the scripting to make that happen automatically. Looks like that filezilla thread will be helpful in that regard, thank you.

The aforementioned improvements sound fantastic and would be immensely helpful to me and many others I’m sure. Really looking forward to those features, and again, if there is somewhere I can donate a few bucks in gratitude, please point me in the right direction.

Thank you so much for the assistance, I’ll be back to report how it goes!

Have a great day!
H

Thanks! Regarding donations that’s much appreciated and if you would like to donate to Let’s Encrypt directly you can do so here: https://letsencrypt.org/donate/ as we couldn’t have this app without them.

Although most of our users use the free version of our app, there are some who need to manage lots of certificates (they are almost always businesses) and that’s when our Professional and Enterprise versions come in useful; the current free version has a limit of 10 managed certificates.

I may be a little late, but this is what I ended up using.

# Summary: Receive the requested certificate path; extract the private key/public cert using OpenSSL; restart hMailServer.
# Run it as a Certify The Web post-request script: CTW passes the request result in as $result.
# Make sure the working directory is OpenSSL.
#

param($result)
# Set OpenSSL's binaries path here
cd "C:\ProgramData\Certify\openssl"

echo "Name: $($result.ManagedItem.Name)"
echo "-----------------------------------------------------------------"
if ($result.IsSuccess)
{
	echo "Message: $($result.Message)"
	echo "-----------------------------------------------------------------"
	# Keep the PFX path in a plain variable so it is passed to openssl as a single argument
	$certPath = $result.ManagedItem.CertificatePath
	$certFolder = [System.IO.Path]::GetDirectoryName($certPath)
	echo "CertPath: $certPath"
	echo "CertFolder: $certFolder"
	echo "-----------------------------------------------------------------"
	# Private key, written unencrypted (-nodes). Certify's PFX has an empty password, hence -passin pass:
	# smtp.key / smtp.cer get the same path on every renewal, so the hMail "certs" entry can point at them once
	.\openssl.exe pkcs12 -in $certPath -nocerts -nodes -passin pass: -out "$certFolder\smtp.key" 2>$null
	$keyExit = $LASTEXITCODE
	echo "OpenSSL Key ExitCode: $keyExit"
	echo "-----------------------------------------------------------------"
	# Certificate plus its chain, no key (the PFX already contains the chain, so no -chain is needed on parse)
	.\openssl.exe pkcs12 -in $certPath -nokeys -passin pass: -out "$certFolder\smtp.cer" 2>$null
	$certExit = $LASTEXITCODE
	echo "OpenSSL Cert ExitCode: $certExit"
	echo "-----------------------------------------------------------------"
	if ($keyExit -eq 0 -and $certExit -eq 0)
	{
		# hMailServer only reads the files at startup, so restart it to load the new pair
		net stop hMailServer
		net start hMailServer
	}
	else
	{
		echo 'OpenSSL extraction failed, leaving hMailServer running on the previous files'
	}
}
else
{
	echo 'Failed...'
	echo $result.Message
	echo "-----------------------------------------------------------------"
}

I ended up using HTTP-01 authentication with an Apache server that I was already running on port 80 of the same machine. I just made a virtual host with the same hostname as the mail server.

Your DNS auth setup sounds a lot more complicated in comparison, so good job if you got automation on that part going.
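To confirm that the restart really loaded the new pair, here is an added check (written for this thread, not code from Certify The Web or hMailServer) that opens the submission port, upgrades with STARTTLS and evaluates the certificate hMailServer presents; the hostname mail.harmfamily.com and the sample certificate dict are constructed for illustration.

```python
import smtplib
import ssl
import time

def fetch_smtp_cert(host, port=587, timeout=10):
    """Open an SMTP session, upgrade with STARTTLS and return the certificate
    the server presented, in the dict form ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()
    # Chain validation stays on (getpeercert() only parses a validated cert);
    # the name and expiry evaluation is done explicitly in check_cert().
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

def _name_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname

def check_cert(cert, hostname, min_days=14, now=None):
    """Return a list of problems (empty means healthy): name not covered by the
    SANs, expired, or fewer than min_days left, which right after a renewal
    usually means the old .pem/.key pair is still the one loaded."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in sans):
        problems.append(f"{hostname} is not covered by SANs {sans}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append(f"certificate expired {-days_left:.1f} days ago")
    elif days_left < min_days:
        problems.append(f"only {days_left:.1f} days left; was the renewed cert deployed?")
    return problems

# Constructed sample shaped like ssl.getpeercert() output for the thread's domain
SAMPLE_CERT = {
    "subject": ((("commonName", "harmfamily.com"),),),
    "subjectAltName": (("DNS", "harmfamily.com"), ("DNS", "*.harmfamily.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.harmfamily.com"  # assumed hostname
    cert = fetch_smtp_cert(host)
    print(cert["notAfter"], check_cert(cert, host) or "OK")
```

Run it once before and once after the post-request script fires; the notAfter date should move forward.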

No worries, I already contributed to letsencrypt so I'll thank you again for your contribution, I really appreciate it!!


This is very helpful, thank you so much for this! Never too late to be awesome! :smile:

I'll check back in with a rousing success, or possibly a few more Q’s, sincere thanks all for your help and kindness!

Took a bit to get around to setting this up, but your script was brilliant, just what the Doc ordered, eternal thanks! Modded a few of the openssl parameters that worked in my previous manual extractions, set it up as a successful post-success process and it did exactly as you indicated, first time.

Super happy this worked out so well, thanks to you, webprofusion, and all the others who make this rather complex and necessary task so smooth. Feels good to have it set up and on autopilot. Nice touch restarting the server too.

Thanks again gang, fully understand the whole process now and feeling confident about this now, couldn’t have done it without you.

K

p.s. the DNS auth is a bit funky but not too complicated once you wrap your head around it. For DNS, most large hosting places have a DNS API you can access, and they’ll generate you a DNS API Key with secret. Entered into CTW, it knows how to use this credential to then directly access your DNS records and can write to them. CTW and letsencrypt talk and get a unique string to write to your domain’s DNS TXT record. It does this for each domain listed, then confirms each has been written, and if successful, it proves you’re the owner of the domains you want a cert chain for and a cert is issued. The script runs and voila, new extracted .pem and .key, new cert in the MS cert store, and server restarted. I don’t run any web services so no http to auth with.

Anyhow, just a different way to prove it’s your domain. Thanks again for your help on this!

1 Like
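As an added illustration of what that "unique string" in the TXT record actually is (example code written for this thread, not part of Certify The Web or Let's Encrypt), this computes the DNS-01 value from RFC 8555 for a constructed account key and tokens; the JWK, the tokens and the record values are placeholders, and harmfamily.com is only reused as the example name.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical
    JSON of the required public members only (sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The value written to the TXT record: base64url SHA-256 of the key
    authorization "<token>.<thumbprint>" (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def txt_record_name(domain: str) -> str:
    """A wildcard and its base name are validated under the same record name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"

def challenge_records(tokens_by_domain: dict, account_jwk: dict) -> dict:
    """Map each TXT record name to the values that must be published. For
    harmfamily.com plus *.harmfamily.com that is two values under one name,
    which is why the client adds a TXT record rather than replacing one."""
    records = {}
    for domain, token in tokens_by_domain.items():
        records.setdefault(txt_record_name(domain), []).append(
            dns01_txt_value(token, account_jwk))
    return records

# Constructed account key JWK and tokens (not real ones); the ACME server
# issues a fresh random token per authorization.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "kid": "acct-1"}
SAMPLE_TOKENS = {"harmfamily.com": "tok-base", "*.harmfamily.com": "tok-wild"}

if __name__ == "__main__":
    for name, values in challenge_records(SAMPLE_TOKENS, SAMPLE_JWK).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```

While the client waits for propagation you can query the same name yourself with nslookup -type=TXT _acme-challenge.harmfamily.com and see both values.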