We’ve just posted a free PowerShell script to automate the SSL / TLS certificate renewal for hMailServer that’s compatible with Certify The Web.
Cool! Future versions of Certify The Web will have an option to export various cert formats which would remove the need to script the .pem/.crt via openssl. It would be interesting to know if you really need to invoke the COM API or if it just copies the file to specific place and restarts the service (perhaps some other config is set?)
Great idea! I just had a quick look and hMailServer does have an INI file but it’s very basic and it seems that the actual configuration is stored in an SQL database and, unfortunately, we have no in-house experience / expertise with that.
I’ve had a further look into this and, according to https://www.hmailserver.com/documentation/v5.4/?page=howto_connect_to_mssql, the SQL database (file “C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf”) is encrypted and the key / password can only be obtained using the administrator password so we’d still need to get that from the user.
In any case, I’ve verified that the SDF file does indeed contain the configuration (including for certificates) and that SQL insert queries are reflected in the hMailServer Administrator console.
Hi, Guys: Great Job. I’m already using the script from @benhooperastrix to install SSL from Let’s Encrypt with Certify The Web on hMailServer. The script works like a charm, but I found a problem: the .crt file does not include the full CA chain, so the cert did not pass an SSL check like https://www.checktls.com/TestReceiver.
To solve the problem I added the full chain certs to the .crt file below the actual cert, restarted hMailServer and all done, but I would like to ask how we can get the full chain .crt file from Certify The Web? I had to copy them from a file from a Linux server that works with certbot.
If the full CA chain .crt file is available, it will be easy to modify the script to add both text files into just one file.
In making my own post-script for Certify, I ran into the same issue and found that I was using the wrong flags for OpenSSL.
I won’t guarantee accuracy, but I believe that in the following line:
-chain and it should include what is necessary for clients to trace the certificate chain up to a trusted root.
For example, this is what worked in my own script:
```powershell
# Export the certificate and its chain (no private key) from the PFX that Certify passes in $result;
# the property path must be wrapped in $( ) so PowerShell expands it inside the double quotes.
.\openssl.exe pkcs12 -in "$($result.ManagedItem.CertificatePath)" -chain -nokeys -nodes -passin pass: -out "$certFolder\smtp.cer" 2>$null
```
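To show the full shape of the procedure discussed in this thread (export certificate plus chain and the private key from the Certify PFX, check that the chain is really there, then restart hMailServer), here is an added example post-request script. It is not the script from the original post or from Certify The Web. It assumes an OpenSSL install path, an output folder, that hMailServer is already configured to read `smtp.cer` / `smtp.key` from that folder (so, as described above, only a service restart is needed), that the Windows service is named `hMailServer`, and that `$result.IsSuccess` is available on the object Certify passes in; only `$result.ManagedItem.CertificatePath` comes from the thread.

```powershell
# Certify The Web post-request hook: export the renewed certificate with its full CA chain
# for hMailServer. Added example, not the original script.
# Assumptions (not from the thread): OpenSSL path, output folder, service name, $result.IsSuccess.
param($result)

$OpenSsl    = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"   # assumed OpenSSL location
$CertFolder = "C:\Program Files (x86)\hMailServer\Certs"          # assumed folder hMailServer reads from
$CertFile   = Join-Path $CertFolder "smtp.cer"
$KeyFile    = Join-Path $CertFolder "smtp.key"

# Do nothing on a failed renewal: the old (still valid) certificate stays in place.
if (-not $result.IsSuccess) {
    Write-Warning "Renewal failed; leaving the hMailServer certificate untouched."
    return
}

$pfx = $result.ManagedItem.CertificatePath
if (-not (Test-Path $CertFolder)) { New-Item -ItemType Directory -Path $CertFolder | Out-Null }

# Certificates only (-nokeys). -chain is the flag recommended in the post; the important part is
# NOT to pass -clcerts, which would restrict the output to the leaf and reproduce the
# "missing CA chain" problem reported above. All certificates in the PFX are written in PEM form.
& $OpenSsl pkcs12 -in "$pfx" -chain -nokeys -passin pass: -out "$CertFile" 2>$null
if ($LASTEXITCODE -ne 0) { throw "openssl failed to export the certificate chain from $pfx" }

# Private key only (-nocerts), unencrypted (-nodes) because hMailServer reads it without a passphrase.
& $OpenSsl pkcs12 -in "$pfx" -nocerts -nodes -passin pass: -out "$KeyFile" 2>$null
if ($LASTEXITCODE -ne 0) { throw "openssl failed to export the private key from $pfx" }

# Sanity check before restarting: a file holding only one certificate is exactly the symptom
# that made the checktls.com test fail. Count the PEM certificate blocks.
$pem = Get-Content -Path $CertFile -Raw
$certCount = ([regex]::Matches($pem, "-----BEGIN CERTIFICATE-----")).Count
if ($certCount -lt 2) {
    throw "Exported $CertFile contains $certCount certificate(s); expected the leaf plus at least one intermediate."
}

# The key file is the sensitive artifact: drop inherited ACLs and limit it to SYSTEM and Administrators
# (assumed policy; adjust to the account the hMailServer service runs as).
icacls "$KeyFile" /inheritance:r /grant:r "SYSTEM:(R)" "BUILTIN\Administrators:(F)" | Out-Null

# hMailServer loads certificate files at start-up, so restart the service to pick up the new ones.
Restart-Service -Name "hMailServer"
Write-Output "hMailServer certificate updated: $certCount certificates in $CertFile"
```

The certificate-count check is deliberately placed before the restart: if the export is incomplete the script stops with the previous files still in use, rather than restarting the mail server with a chain that clients cannot validate.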
Thanks for the feedback - you’ve made a very good point.
I have made that change, re-code-signed the script, uploaded it to GitHub, and updated the blog links.