We’ve just posted a free PowerShell script to automate the SSL / TLS certificate renewal for hMailServer that’s compatible with Certify The Web.
Cool! Future versions of Certify The Web will have an option to export various cert formats which would remove the need to script the .pem/.crt via openssl. It would be interesting to know if you really need to invoke the COM API or if it just copies the file to specific place and restarts the service (perhaps some other config is set?)
Great idea! I just had a quick look and hMailServer does have an INI file but it’s very basic and it seems that the actual configuration is stored in an SQL database and, unfortunately, we have no in-house experience / expertise with that.
I’ve had a further look into this and, according to https://www.hmailserver.com/documentation/v5.4/?page=howto_connect_to_mssql, the SQL database (file “C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf”) is encrypted and the key / password can only be obtained using the administrator password so we’d still need to get that from the user.
In any case, I’ve verified that the SDF file does indeed contain the configuration (including for certificates) and that SQL insert queries are reflected in the hMailServer Administrator console.
Hi, Guys: Great Job. I’m already using the script from @benhooperastrix to install SSL from Let’s Encrypt with Certify The Web on hMailServer. The script works like a charm, but I found a problem: the crt file does not include the full CA chain, so the cert did not pass an SSL check like https://www.checktls.com/TestReceiver.
To solve the problem I added the full chain certs to the .crt file below the actual cert, restarted hMailServer and all done, but I would like to ask how we can get the full chain .crt file from Certify The Web? I had to copy them from a file from a Linux server that works with certbot.
If the full CA chain crt file is available, it will be easy to modify the script to add both txt files into just one file.
In making my own post-script for Certify, I ran into the same issue and found that I was using the wrong flags for OpenSSL.
I won’t guarantee accuracy, but I believe that in the following line:
-chain and it should include what is necessary for clients to trace the certificate chain up to a trusted root.
For example, this is what worked in my own script:
.\openssl.exe pkcs12 -in "$($result.ManagedItem.CertificatePath)" -chain -nokeys -nodes -passin pass: -out "$certFolder\smtp.cer" 2>$null
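As an added example (not the script from the original post or from Certify The Web), here is a complete post-request script that exports the certificate bundle and the private key from the PFX and then checks that more than just the leaf certificate was written before restarting hMailServer. It assumes openssl.exe is on the PATH, an empty PFX password as in the command above, the destination folder shown, and that the Windows service is named hMailServer.

```powershell
# Added example: Certify The Web post-request script for hMailServer.
# Assumptions: openssl.exe on PATH, PFX has an empty password, destination
# folder and service name as below (adjust for your install).
param($result)

$pfx      = $result.ManagedItem.CertificatePath            # PFX written by Certify The Web
$outDir   = 'C:\Program Files (x86)\hMailServer\SSL'       # assumed destination folder
$certFile = Join-Path $outDir 'smtp.cer'
$keyFile  = Join-Path $outDir 'smtp.key'

if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Without -clcerts, "openssl pkcs12" writes every certificate stored in the
# PFX (leaf plus the intermediates bundled with it), which is what remote
# SMTP clients need to build the chain to a trusted root.
& openssl.exe pkcs12 -in $pfx -nokeys -passin pass: -out $certFile 2>$null
if ($LASTEXITCODE -ne 0) { throw "openssl failed to export certificates from $pfx" }

# Private key unencrypted (-nodes): hMailServer cannot prompt for a passphrase.
& openssl.exe pkcs12 -in $pfx -nocerts -nodes -passin pass: -out $keyFile 2>$null
if ($LASTEXITCODE -ne 0) { throw "openssl failed to export the private key from $pfx" }

# The check the thread asked for: the .cer must carry more than the leaf,
# otherwise external TLS checks fail on an incomplete chain.
$pem   = Get-Content $certFile -Raw
$count = ([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----')).Count
if ($count -lt 2) {
    throw "Only $count certificate(s) in $certFile; intermediate CA missing, clients will fail chain validation"
}
Write-Host "Exported $count certificates (leaf + $($count - 1) intermediate) to $certFile"

# Pick up the new files. Service name is assumed; check services.msc.
Restart-Service -Name hMailServer
```

Point hMailServer's SSL certificate entry at smtp.cer and smtp.key once, and later renewals only rewrite the files and restart the service.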
Thanks for the feedback - you’ve made a very good point.
I have made that change, re-code-signed the script, uploaded it to GitHub, and updated the blog links.
Can someone help me install this program on Windows Server 2016? I would really appreciate any help.
First of all, I do not have the keys folder and SSL / TLS folder in the BIN folder of the hMailServer program. So I have to create these folders?
2: Do I have to install all the programs that are in the GitHub download file? I remember it has 4 or 5 different files; which one should be installed? In which folder should this PowerShell script be installed?
3: Can I use the same address as the hMailServer program and the Roundcube webmail address even though I use this program?
Could anyone in this community be so friendly as to install this program for me on my Windows server via RDP? If necessary, I can provide the server’s IP address and password if anyone wants to help in this way. I can pay financial compensation.
In answer to your questions:
- Yes, you’ll need to create a folder somewhere to store the script, certificates, etc. It can be anywhere.
- No, just whatever is the latest version.
- Sorry, I’m not sure what you mean by that.
I wouldn’t let anyone remote into your server if I were you.
Roundcube is a PHP webmail portal, correct? Meaning you’re running something like Apache to serve it. In that case, you just need to point Certify to the www-root folder on the file system so it can place the HTTP-01 challenge files. Or, if you don’t have it set up like that, create a virtual folder for .well-known and point Certify at the parent folder. (I think)
And, I agree that you shouldn’t give random people RDP access to a server… or even have RDP exposed to the Internet.