Help with installing certificate

planck
New user
Posts: 15
Joined: 2016-07-02 13:05

Help with installing certificate

Post by planck » 2020-03-24 18:07

Hello,

I have tried numerous times to install a certificate on hMailServer but they have been unsuccessful.

On the last attempt, I was getting:

Error: use_certificate_file: no start line

Anyway, I'm willing to pay for someone to do it.

Please pm me if interested.

Thanks
Alex

mattg
Moderator
Posts: 20786
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Help with installing certificate

Post by mattg » 2020-03-25 04:11

Your certificate, if viewed in a text editor, should show something like

Code:

-----BEGIN CERTIFICATE-----
LOTS OF LETTERS AND NUMBERS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LOTS OF LETTERS AND NUMBERS
-----END CERTIFICATE-----

It needs to have the words 'begin certificate' with the hyphens etc.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

planck
New user
Posts: 15
Joined: 2016-07-02 13:05

Re: Help with installing certificate

Post by planck » 2020-03-31 23:16

Hello,

Yes, the certificate was starting with:

-----BEGIN CERTIFICATE-----

Anyway. I have gotten some progress. I created a certificate from CloudFlare, used public and private key.

SSL now works, but I get this message on email clients:

"CloudFlare origin certificate is not trusted"

Is this specifically because it's a Cloudflare certificate?

Can I buy a certificate from any provider, for example NameCheap, and use it for hmailserver?

Thanks
Alex

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: Help with installing certificate

Post by Virinum » 2020-04-01 07:27

I think you used the certificate from Cloudflare which is used when you use Cloudflare in proxy mode. It's just meant for your webserver, so Cloudflare can be sure it’s your server when it’s connecting to your webserver. For a mailserver (or any other purpose) it’s not a good choice because it’s not trusted anywhere.

Try to start with something like https://www.sslforfree.com/

It’s using letsencrypt in the background which provides free and trusted certificates (but just valid for 90 days).

If that works, you can switch to something like https://www.win-acme.com/ (which I also use) to automate the process of renewing the certificate so you don’t have to do it every 90 days manually.

If you need help with that, I can write a little manual. Or you search in this forum. Others already provided some manuals for enabling SSL/TLS with letsencrypt.

planck
New user
Posts: 15
Joined: 2016-07-02 13:05

Re: Help with installing certificate

Post by planck » 2020-04-02 14:50

Virinum wrote:
2020-04-01 07:27
I think you used the certificate from Cloudflare which is used when you use Cloudflare in proxy mode. It's just meant for your webserver, so Cloudflare can be sure it’s your server when it’s connecting to your webserver. For a mailserver (or any other purpose) it’s not a good choice because it’s not trusted anywhere.

Try to start with something like https://www.sslforfree.com/

It’s using letsencrypt in the background which provides free and trusted certificates (but just valid for 90 days).

If that works, you can switch to something like https://www.win-acme.com/ (which I also use) to automate the process of renewing the certificate so you don’t have to do it every 90 days manually.

If you need help with that, I can write a little manual. Or you search in this forum. Others already provided some manuals for enabling SSL/TLS with letsencrypt.

Hey.

This saved it. At last, I installed the certificate on hMailServer and it works perfectly.

For anyone struggling with this, it's really easy:
  • Get a certificate on https://www.sslforfree.com/ but for your mail server subdomain, for example mail.mydomain.com (NOT mydomain.com). You'll have to go through a verification process but it's easy. I chose the DNS verification; it's just adding a TXT entry on your domain DNS.
  • After you have the certificate generated, you'll get a certificate public key, and a private key. Save the public key on your Windows server in a mail.my.domain.cer file (just copy and paste it) and the private key in a mail.my.domain.pem file. So you have two files in there.
  • Go to hMailServer, Settings/Advanced/SSL Certificates. Choose any name for your certificate. For certificate file, choose the .cer file, and for private key file choose the .pem file.
  • Go to email Settings/Advanced/TCP-IP ports. Enable the Connection security for the services that require it. Typically it's IMAP on 143 with STARTTLS (optional) and SMTP 587 with SSL/TLS. Also, to work OK on iPhone with default settings, if it doesn't exist create a new TCP-IP port 993 (IMAP) and choose SSL/TLS for that port.

That's it. Takes 10 mins.

Since it works, I'll also use https://www.win-acme.com/ so that certificates review automatically.

Thanks Virinum!

Thanks
Alex

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: Help with installing certificate

Post by Virinum » 2020-04-02 16:13

I'm glad I could help.

Let me add a few things:

planck wrote:
2020-04-02 14:50
After you have the certificate generated, you'll get a certificate public key, and a private key.

You get a certificate, not just a public key. So you get a certificate, an intermediate certificate and a private key.

Your certificate file should include the intermediate certificate (to have the chain complete). E.g. use xxxx-chain.pem in win-acme as certificate file.

The content of the file should look like this:

Code:

-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate certificate]
-----END CERTIFICATE-----

Also be aware that hMailServer doesn't notice the certificate file changes (when renewing). After renewing, hMailServer has to be restarted to load the new files, e.g. by restarting the service:

Code:

net stop hMailServer
net start hMailServer

or with a .vbs file:

Code:

' Replace [USERNAME] and [PASSWORD] with your hMailServer credentials (quoted strings).
Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate([USERNAME], [PASSWORD])
' Reinitialize the server, as an alternative to restarting the service.
oApp.Reinitialize
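
A pre-flight check for the two files before they are selected in hMailServer, covering the "no start line" error and the missing intermediate certificate discussed in the posts above. This is an added example, not part of any post in this thread or of hMailServer; the function names and file paths are assumptions.

```powershell
# Added example: pre-flight check for the two files selected in hMailServer.
function Get-PemBlock {
    param([string]$Text)
    # One object per PEM block: its label and the base64 body without whitespace.
    $pattern = '-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----'
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $opts)) {
        [pscustomobject]@{
            Label  = $m.Groups[1].Value
            Base64 = $m.Groups[2].Value -replace '\s', ''
        }
    }
}

function Test-MailCertFiles {
    param([Parameter(Mandatory)][string]$CertPath,
          [Parameter(Mandatory)][string]$KeyPath)
    $problems = @()
    $blocks = @(Get-PemBlock (Get-Content -Raw -Path $CertPath) |
                Where-Object { $_.Label -eq 'CERTIFICATE' })
    if ($blocks.Count -eq 0) {
        # A binary (DER) .cer or an empty file lands here: no PEM start line.
        $problems += "$CertPath has no '-----BEGIN CERTIFICATE-----' block."
    } else {
        $certs = @($blocks | ForEach-Object {
            $der = [Convert]::FromBase64String($_.Base64)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        })
        $leaf = $certs[0]   # the server certificate must come first in the file
        if ($leaf.NotAfter -lt (Get-Date)) {
            $problems += "Server certificate expired on $($leaf.NotAfter)."
        }
        if ($certs.Count -lt 2) {
            $problems += 'No intermediate certificate after the server certificate.'
        } elseif ($leaf.Issuer -ne $certs[1].Subject) {
            $problems += 'Second certificate is not the issuer of the first.'
        }
    }
    if ((Get-Content -Raw -Path $KeyPath) -notmatch '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----') {
        $problems += "$KeyPath has no PEM private key block."
    }
    $problems
}

# Placeholder paths (assumptions): use the files you point hMailServer at.
$found = @(Test-MailCertFiles -CertPath 'C:\certs\mail.example.com-chain.pem' `
                              -KeyPath  'C:\certs\mail.example.com-key.pem')
if ($found.Count -gt 0) { $found } else { 'Certificate and key files look usable.' }
```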

RDA
New user
Posts: 3
Joined: 2020-05-16 12:12

Re: Help with installing certificate

Post by RDA » 2020-05-23 18:28

Hello Alex

Could you please show me how to do this bit, please?

"Since it works, I'll also use https://www.win-acme.com/ so that certificates review automatically."


Thank you
RDA

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Help with installing certificate

Post by palinka » 2020-05-23 19:45

RDA wrote:
2020-05-23 18:28
Hello Alex

Could you please show me how to do this bit, please?

"Since it works, I'll also use https://www.win-acme.com/ so that certificates review automatically."


Thank you
RDA

https://www.hmailserver.com/forum/viewt ... 21&t=32593
https://www.hmailserver.com/forum/viewt ... 21&t=34386

There are others also in the tutorial section.

RDA
New user
Posts: 3
Joined: 2020-05-16 12:12

Re: Help with installing certificate

Post by RDA » 2020-05-25 18:57

@palinka ....Thank you.
