SSL Certificate Symbolic link path issue


Post by cshawky » 2022-06-15 17:15

Hi
Every 3 months I find my certificate expires. But it hasn't. The certificate has been updated but hMailServer is using the old certificate.
What I have observed is that CertBot uses symbolic links to link a common certificate file name to the latest of archived certificates. hMailServer is linking to the archived certificate file instead of the file currently linked.
Windows Server 2016
Latest certificate resides in:
C:\CertBot\live\{domainname}\fullchain.pem
Windows shows the file type as .symlink
The above file is symbolically linked to
C:\CertBot\archive\{domainname}\fullchainX.pem
where X increases on each 3 month renewal of the certificate.

This month the latest certificate X=6, but hMailServer file path for the certificate is C:\Certbot\archive\shawky.com.au\fullchain5.pem

If I use "..." to navigate and select C:\CertBot\archive\{domainname}\fullchainX.pem the path C:\Certbot\archive\shawky.com.au\fullchainX.pem is displayed.

i.e. hMailServer is tracking the Windows symbolic link instead of using the file linked to the symbol.

Please provide an improvement to support this setup.

Thanks
kind regards
Shawky


Post by SorenR » 2022-06-15 17:43

cshawky wrote: 2022-06-15 17:15
> Hi
> Every 3 months I find my certificate expires. But it hasn't. The certificate has been updated but hMailServer is using the old certificate.
> What I have observed is that CertBot uses symbolic links to link a common certificate file name to the latest of archived certificates. hMailServer is linking to the archived certificate file instead of the file currently linked.
> Windows Server 2016
> Latest certificate resides in:
> C:\CertBot\live\{domainname}\fullchain.pem
> Windows shows the file type as .symlink
> The above file is symbolically linked to
> C:\CertBot\archive\{domainname}\fullchainX.pem
> where X increases on each 3 month renewal of the certificate.
>
> This month the latest certificate X=6, but hMailServer file path for the certificate is C:\Certbot\archive\shawky.com.au\fullchain5.pem
>
> If I use "..." to navigate and select C:\CertBot\archive\{domainname}\fullchainX.pem the path C:\Certbot\archive\shawky.com.au\fullchainX.pem is displayed.
>
> i.e. hMailServer is tracking the Windows symbolic link instead of using the file linked to the symbol.
>
> Please provide an improvement to support this setup.
>
> Thanks

I could probably name 30 people here using LetsEncrypt certificates - myself included. Go to hMailAdmin, click on Status, click on "Pause", click on "Resume" ... hMailServer will reload the new certificate.

Most of us renew certificates every 20'ish days as chances are that Windows gets updated and reboots.

If automatic updates are off then you can use the API to schedule a script (vbscript, jscript or PowerShell script) to do the "pause/resume" thing.

Perhaps YOU could code hmailserver to monitor the certificate folder and do the "pause/resume" thing - and then share the code with the rest of us ?

If you really, really, pretty please want this implemented, you could make a formal request on GitHub ...

https://github.com/hmailserver/hmailserver/issues/new
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data


Post by cshawky » 2022-06-15 17:51

I restart hMailServer weekly via script. I stop hMailServer service whilst running the script to update the certificate again via a script. Hmm. I will investigate further.
kind regards
Shawky


Post by SorenR » 2022-06-15 18:27

cshawky wrote: 2022-06-15 17:51
> I restart hMailServer weekly via script. I stop hMailServer service whilst running the script to update the certificate again via a script. Hmm. I will investigate further.

First thing I would do is dump the symlink, it has never worked on Windows like it does on 'Nix. Period!
SørenR.


Post by palinka » 2022-06-15 21:56

I use winacme, not certbot, but winacme can export certificates, so my renewal script exports them with the same name and the old ones get overwritten. Maybe there's a similar export option in certbot?


Post by mattg » 2022-06-16 03:22

cshawky wrote: 2022-06-15 17:15
> ... hMailServer file path for the certificate is C:\Certbot\archive\shawky.com.au\fullchain5.pem

I use certbot on my Ubuntu webserver, and point my hmailserver to the \\UNC_path_to_ubuntu\certbot\live\example.com\fullchain.pem

And it works fine

Can you free type the 'live' location into hMailServer?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by cshawky » 2022-06-16 13:16

I'm on Windows 2016. I'll try that. The selection dialogue resolves the symbolic link. At present last restart it started with the live link but later on switches back to the target file path.
The simplest solution for me is to add a couple of extra lines of code to the PowerShell script managing Certbot and simply copy the latest certificate files to a "cache" location and avoid the sh...
kind regards
Shawky
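
The two workarounds discussed in this thread, copying the renewed files to a fixed "cache" path and scripting the pause/resume through the API, combined in one sketch. This is an added example, not code from any poster or from the hMailServer project. The domain, the cache directory and the HMAIL_ADMIN_PW environment variable are assumptions, and Stop()/Start() on the COM object is used as the scripted counterpart of Pause/Resume in hMailAdmin.

```powershell
# Added example: C:\CertBot\live follows the thread; $Domain, $CacheDir and the
# HMAIL_ADMIN_PW environment variable are hypothetical values for illustration.
$Domain   = 'example.com'
$LiveDir  = "C:\CertBot\live\$Domain"
$CacheDir = 'C:\CertBot\hmail-cache'   # holds a private key: restrict the ACL to admins and the service account

function Resolve-LinkTarget([string]$Path) {
    # Return the real file behind a symlink, or the path itself for a plain file.
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.LinkType) { return $item.FullName }
    $target = @($item.Target)[0]
    if (-not [System.IO.Path]::IsPathRooted($target)) {
        # A relative link target is relative to the directory that holds the link.
        $target = Join-Path $item.DirectoryName $target
    }
    return [System.IO.Path]::GetFullPath($target)
}

function Sync-CertFile([string]$Name) {
    # Copy the current target to a fixed file name; return $true if the content changed.
    $source = Resolve-LinkTarget (Join-Path $LiveDir $Name)
    $dest   = Join-Path $CacheDir $Name
    if ((Test-Path -LiteralPath $dest) -and
        (Get-FileHash -LiteralPath $source).Hash -eq (Get-FileHash -LiteralPath $dest).Hash) {
        return $false
    }
    Copy-Item -LiteralPath $source -Destination $dest -Force
    return $true
}

New-Item -ItemType Directory -Path $CacheDir -Force | Out-Null
$changed = $false
foreach ($name in 'fullchain.pem', 'privkey.pem') {
    if (Sync-CertFile $name) { $changed = $true }
}

if ($changed) {
    # Reload only when a file actually changed, so mail service is not interrupted needlessly.
    $hm = New-Object -ComObject hMailServer.Application
    if (-not $hm.Authenticate('Administrator', $env:HMAIL_ADMIN_PW)) {
        throw 'hMailServer authentication failed'
    }
    $hm.Stop()
    $hm.Start()
}
```

With this in place hMailServer is pointed once at the fixed files in the cache directory, so the stored path never depends on how the selection dialogue resolves the link.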


Post by cshawky » 2022-06-16 15:58

Upgrading Certbot from 1.16 to 1.24 for starters...
kind regards
Shawky


Post by cshawky » 2022-07-03 09:51

I typed the path in manually rather than using the selection dialogue and that resolved the issue. Thanks
kind regards
Shawky
