HCD - SSL-Simplification with Letsencrypt

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-06 18:10

Ok, the subject says it all.
Setting up SSL for mailservers simply sucks (not only for hMailServer).
Newbies get lost in the process, and you need to install extra software, bitching with webservers and firewall settings just to make sure
your SMTP-to-SMTP server transmissions are encrypted.

I think we can do this a lot better if we implement Letsencrypt's ACME protocol into hMailServer's core code so it can automatically request new certificates or renew existing ones on its own. This doesn't mean the user has to use Letsencrypt SSL certificates, but this should be the default for any new domain so even hMailServer newbies can enable SSL encryption without drama or any costs, out of the box.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-06 22:57

Dravion wrote:
2019-06-06 18:10
Ok, the subject says it all.
Setting up SSL for mailservers simply sucks (not only for hMailServer).
Newbies get lost in the process, and you need to install extra software, bitching with webservers and firewall settings just to make sure
your SMTP-to-SMTP server transmissions are encrypted.

I think we can do this a lot better if we implement Letsencrypt's ACME protocol into hMailServer's core code so it can automatically request new certificates or renew existing ones on its own. This doesn't mean the user has to use Letsencrypt SSL certificates, but this should be the default for any new domain so even hMailServer newbies can enable SSL encryption without drama or any costs, out of the box.
I use https://github.com/Neilpang/acme.sh on my NAS (BusyBox) to generate certificates. Just PuTTY in, log on, execute acme.sh with the proper parameters, copy the certificates to hMailServer, reboot hMailServer.

No need to script, I have a txt-file with procedure if I forget :roll: and it only takes 2 minutes every 3 months. :mrgreen:
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 00:32

That's not the point.
I can do it myself without any problems and need no help doing it.
We are talking about making it a feature of hMailServer HCD so it becomes a built-in feature.
A normal Windows user doesn't know what SSH or PuTTY or ACME even means.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-06-07 12:28

Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can Letsencrypt validate on alternate ports? Like 81 or 8081?

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 13:46

palinka wrote:
2019-06-07 12:28
Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can Letsencrypt validate on alternate ports? Like 81 or 8081?
Letsencrypt supports ACME v2, so you name it, they do it.

Letsencrypt lists 39 client implementations of the ACME v2 protocol.

There is a "standalone" option for the one I use; if you do not have your own webserver, port 80 (or 443) must be free, and it is all contained in the "acme.sh" implementation I use. There is a parameter "--httpport" where you should be able to change which port to use...

In principle hMailServer could contain an embedded HTTP connector on a non-standard port for Letsencrypt to use to validate keys and thus build its own certificates "on the fly".

OR

The certificate process could be a stand-alone module controlled by hMailServer and scheduled by Windows. There could be an ACME v2 (current) and later an ACME v3 (or whatever) module, so the certification process can be upgraded/changed independently from hMailServer.
SørenR.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 14:00

SorenR wrote:
2019-06-07 13:46
palinka wrote:
2019-06-07 12:28
Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can Letsencrypt validate on alternate ports? Like 81 or 8081?
Letsencrypt supports ACME v2, so you name it, they do it.

Letsencrypt lists 39 client implementations of the ACME v2 protocol.

There is a "standalone" option for the one I use; if you do not have your own webserver, port 80 (or 443) must be free, and it is all contained in the "acme.sh" implementation I use. There is a parameter "--httpport" where you should be able to change which port to use...
Looks like this port option is only for reverse proxy stuff.
Verification is always on port 80 (or 443 for tls-alpn-01).
Httpport is used when you have a reverse proxy in front of acme.sh that receives the validation on port 80 and then internally sends it to another port.
https://github.com/Neilpang/acme.sh/issues/1230


It would be possible for hMailServer.exe to open port 80 or 443 for the ACME v2 protocol exchange, but if an Apache2, IIS, NGINX or any other HTTP server occupies
the port already it will fail.

However: Apache2 mod_md allows ACME v2 certificate handling while Apache2 is running and without the need to stop it.
Summary
This module manages common properties of domains for one or more virtual hosts. Specifically it can use the ACME protocol (RFC Draft) to automate certificate provisioning.
https://httpd.apache.org/docs/trunk/mod/mod_md.html

This could be a pointer to how we can make it work.
If mod_md is not an option, maybe we can fork it, rip all non-ACME-v2-related code from it and build our own hMailServer Apache2 module from it
which Apache2 can load at startup and which manages all the Letsencrypt SSL certificate things we need.

Usage looks pretty straight forward


MDomain example.org <----

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot htdocs/root

    SSLEngine on
</VirtualHost>

MDomain example2.org auto <----

<VirtualHost *:443>
    ServerName example2.org
    ServerAlias www.example2.org
    ...
</VirtualHost>

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 14:13

ACME v2 is now an IETF standard..

https://tools.ietf.org/html/rfc8555

The alternative is DNS challenge...
SørenR.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 14:53

SorenR wrote:
2019-06-07 14:13
ACME v2 is now an IETF standard..

https://tools.ietf.org/html/rfc8555

The alternative is DNS challenge...
Yes. It allows SAN and wildcard certificates with up to 100 common names in one single SSL certificate,
for example: smtp.domain.com, www.domain.com, xyz.domain.com etc.

Apache's mod_md already supports ACME v2. I think it is used widely by cPanel and other webhosting web interfaces under the hood to handle
Letsencrypt SSL stuff.

I just checked the Apache HTTP Server official GitHub repo https://github.com/apache/httpd
The ACME v2 module is already a default module and part of the normal Apache 2.4 (and later) build process (if you compile Apache, you
automatically get mod_md as well), regardless of whether you build a 64-bit or 32-bit version. I just checked my Apache 2.4 64-bit version for Windows
and voilà, it was there: C:\Program Files\Apache24\modules\mod_md.so, but it's NOT enabled by default in httpd.conf. It needs
to be enabled with LoadModule md_module modules/mod_md.so. I just enabled it and it starts without any problems.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 17:15

Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 17:35

Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
SørenR.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 23:39

SorenR wrote:
2019-06-07 17:35
Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
you want to issue an SSL certificate for? This is a mandatory step, and if it fails you won't get your SSL certificate signed. Maybe you can use port forwarding and some sort of DynDNS service.

Can you attach your Synology SSL certificate (the *.crt file) without its secret private key?

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-08 00:15

I'm on a residential DSL line behind a Sagem box...

I have mapped ports 80 and 443 to the Apache server on my Synology (old version WITHOUT ACME pre-installed) and ports 25, 465 and 993 to my Windows server with hMailServer.

I have a fixed IP and an external DNS provider (ChangeIP.com) who also services DynIP.

As mentioned earlier, I use PuTTY, log on as admin, change to my home dir and type: ./acme.sh --renew -w /volume1/web -d mx.domain.tld


admin - /volume1/homes/admin ./acme.sh  --renew  -w /volume1/web  -d mx.domain.tld
[Sat Jun  8 00:07:10 CEST 2019] Renew: 'mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Single domain='mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Getting domain auth token for each domain
[Sat Jun  8 00:07:11 CEST 2019] Getting webroot for domain='mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Getting new-authz for domain='mx.domain.tld'
[Sat Jun  8 00:07:13 CEST 2019] The new-authz request is ok.
[Sat Jun  8 00:07:13 CEST 2019] Verifying:mx.domain.tld
[Sat Jun  8 00:07:20 CEST 2019] Success
[Sat Jun  8 00:07:20 CEST 2019] Verify finished, start to sign.
[Sat Jun  8 00:07:22 CEST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgISA2EvkxKTBtRNYkphaa1wzPt6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
--- bla bla bla ---
--- bla bla bla ---
--- bla bla bla ---
wLTa27JMC/fOvVYc81T9bamr4FZthgtyA0bhXf6C1jSKW8xB3nLfpyC5vQY9hixE
KkhN+QT3Tv92cgbK2t8xw3Dl
-----END CERTIFICATE-----
[Sat Jun  8 00:07:22 CEST 2019] Your cert is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/mx.domain.tld.cer
[Sat Jun  8 00:07:22 CEST 2019] Your cert key is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/mx.domain.tld.key
[Sat Jun  8 00:07:23 CEST 2019] The intermediate CA cert is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/ca.cer
[Sat Jun  8 00:07:23 CEST 2019] And the full chain certs is there:  /var/services/homes/admin/.acme.sh/mx.domain.tld/fullchain.cer
admin - /volume1/homes/admin
That's it ... I have to manually import the certificate to the Synology box via the GUI and copy the certificate to my hMailServer ... I probably could script it, but 5 minutes every 3 months ... Nah ... :mrgreen:
SørenR.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-06-08 01:33

Dravion wrote:
2019-06-07 23:39
SorenR wrote:
2019-06-07 17:35
Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
you want to issue an SSL certificate for? This is a mandatory step, and if it fails you won't get your SSL certificate signed. Maybe you can use port forwarding and some sort of DynDNS service.

Can you attach your Synology SSL certificate (the *.crt file) without its secret private key?
I'm on a dynamic residential IP and my DNS host provides an app for automatic IP checking/updating. Anyone using hMailServer is going to have to open ports. I don't see a problem with the user opening port 80/443.

If they also run Apache, there's a tutorial for automated Letsencrypt certificate generation/renewal. :mrgreen:

jim.bus
Senior user
Posts: 1568
Joined: 2011-05-28 11:49
Location: US

Re: HCD - SSL-Simplification with Letsencrypt

Post by jim.bus » 2019-07-31 12:21

Dravion wrote:
2019-06-07 23:39
SorenR wrote:
2019-06-07 17:35
Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
you want to issue an SSL certificate for? This is a mandatory step, and if it fails you won't get your SSL certificate signed. Maybe you can use port forwarding and some sort of DynDNS service.

Can you attach your Synology SSL certificate (the *.crt file) without its secret private key?
I don't know if this is relevant, but I get my Let's Encrypt certificates for use with hMailServer from my Synology NAS. I am now using a static IP for my local network, but I used a dynamic IP for a long time while I was also using Let's Encrypt certificates. My procedure was to export the Synology Let's Encrypt certificate and then use the cert.pem for the hMailServer certificate file and the privkey.pem for the hMailServer private key file. The Let's Encrypt certificate request utility on my Synology NAS returns Let's Encrypt certificates with 3 files: a cert.pem, chain.pem, and privkey.pem. This is a manual method of installing into hMailServer, but the Synology NAS automatically updated the Let's Encrypt certificate, which I would then manually export and install into hMailServer. The only problem I potentially have is that port 80 is needed for the Synology NAS, which means that only the Synology NAS could issue the Let's Encrypt certificate request. But my ASUS router also issues a Let's Encrypt certificate request strictly for its own use, as it only allows one hostname for the certificate. Incidentally, the Synology NAS also issues the Let's Encrypt certificate for DDNS hostnames, which I believe would be considered resolving to dynamic IP addresses, as the host name would always change whenever the local network's public IP address would change.

So potentially I see a problem where, if multiple servers require a Let's Encrypt certificate, you could have a problem with port forwarding, because as far as I know you can only port forward (80) to one IP address at a time. Not really familiar with this function, but port triggering might be a workaround for this problem, but Let's Encrypt would have to respond before the triggered port 80 closed. Another potential problem would be if two devices triggered port 80 at the same time.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-07-31 15:15

Dravion wrote:
2019-06-07 23:39
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
SørenR.
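To make concrete what the stateless mode linked above relies on, here is an added example (not code from the thread, from acme.sh, or from hMailServer) of the HTTP-01 mechanics in Python, using only the standard library. The CA fetches http://<name>/.well-known/acme-challenge/<token> and expects the body to be the key authorization, i.e. the token joined with a "." to the RFC 7638 thumbprint of the ACME account key. Because the token comes from the URL and the thumbprint is a constant per account, a responder can answer without knowing which order is in flight. The account JWK below is constructed (its modulus is a placeholder, not a real key) and the handler class and port are assumptions for illustration; in a real deployment the thumbprint is that of the account key registered with Let's Encrypt, and the name must still resolve to this host with port 80 reachable from the Internet.

```python
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample ACME *account* key (public half only, as a JWK).
# The modulus is a placeholder string, not a real RSA key: the thumbprint
# computation only hashes the JWK members, so a working key is not needed here.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",        # extra members must NOT influence the thumbprint
    "kid": "example-kid",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url strings (RFC 8555 section 8.3); anything else
# in the token position is not a challenge and is refused.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexicographically sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{thumbprint}"


def stateless_response(path: str, thumbprint: str):
    """(status, body) a stateless HTTP-01 responder returns for a request path.

    No per-order state is needed: the token is taken from the URL and the key
    authorization is derived from the account-key thumbprint. Requests outside
    the challenge prefix, or with a token that is not base64url (e.g. a path
    traversal attempt), get 404 and an empty body.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return 404, ""
    return 200, key_authorization(token, thumbprint)


class StatelessAcmeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP-01 responder built on stateless_response() (assumed name)."""
    thumbprint = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)

    def do_GET(self):
        status, body = stateless_response(self.path, self.thumbprint)
        payload = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Binds port 80 only when run directly. Behind NAT this port must be
    # forwarded to this host for the CA's validation request to arrive.
    HTTPServer(("0.0.0.0", 80), StatelessAcmeHandler).serve_forever()
```

Note that the thumbprint is not secret (it is derived from the public key), so publishing it for every token is safe; what it proves is that whoever controls this host is acting on behalf of that account, and the CA only trusts the answer because it reached the host via DNS and port 80.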

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-07-31 15:24

SorenR wrote:
2019-07-31 15:15
Dravion wrote:
2019-06-07 23:39
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
Looks good, but this works only for DNS-resolvable HTTP connections.
Problem is, if you are behind a NAT you need to configure at least port forwarding and set up a DNS A record with some DynDNS service
which points to your hMailServer computer's IP and port behind your broadband router.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-07-31 15:34

Dravion wrote:
2019-07-31 15:24
SorenR wrote:
2019-07-31 15:15
Dravion wrote:
2019-06-07 23:39
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
Looks good, but this works only for DNS-resolvable HTTP connections.
Problem is, if you are behind a NAT you need to configure at least port forwarding and set up a DNS A record with some DynDNS service
which points to your hMailServer computer's IP and port behind your broadband router.
If you have the skills to run a mailserver, you also have the skills to figure out the rest; otherwise you should stay with GMail.

IF you use POP3 pickup and an outbound relay you don't need a certificate anyway :roll:
SørenR.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-07-31 15:49

SorenR wrote:
2019-07-31 15:34
IF you use POP3 pickup and an outbound relay you don't need a certificate anyway :roll:
IMAP users get to transmit passwords in unencrypted plain text when picking up mail, I guess... :mrgreen:

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-07-31 17:05

palinka wrote:
2019-07-31 15:49
SorenR wrote:
2019-07-31 15:34
IF you use POP3 pickup and an outbound relay you don't need a certificate anyway :roll:
IMAP users get to transmit passwords in unencrypted plain text when picking up mail, I guess... :mrgreen:
Not an issue unless it's across a public network, and if you can figure out how to open a port for IMAP you can also figure out how to open a port for a webserver.
SørenR.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-07-31 17:23

SorenR wrote:
2019-07-31 17:05
Not an issue unless it's across a public network
Bingo!

Besides push email, calendar & contact sync, one of the benefits of Horde with ActiveSync is that I can close all (email) ports except for 25. All user mail traffic goes through 443. I know you deny connections outside "the Danish realm". I deny connections outside "the Pálinka realm", and the client's physical location doesn't matter. :mrgreen:

The only thing is that iPhones are not the greatest with ActiveSync. At least, the version my daughter has. I never owned an iPhone myself. She connects to the Pálinka realm via webmail.

MrGadget
Normal user
Posts: 44
Joined: 2011-10-23 23:47
Location: Midwest USA

Re: HCD - SSL-Simplification with Letsencrypt

Post by MrGadget » 2019-10-16 17:33

Sorry to resurrect, but I am not having success with win-acme 2.0 for getting SSL working with hMailServer.

win-acme drops 2 files in a folder for me: a pfx and a pem.
win-acme also installs the certificate on the server for the domain mail.mydomain.com.

hMailServer wants a certificate file and a private key file, but the browse file buttons don't specify a file extension, and I can put really anything in there and it won't complain, or even test them to see if they're valid.

I found in the docs that the private key must not have a password, but the export from the IIS Server Certificate requires a password for exporting the private key.

Could someone please just spell it out for me what exactly the steps are in win-acme to produce the files that hMailServer will be happy with, so this can be automated fire-and-forget without my having to hold its damn hand every step of the way or install a bunch of other crap?

More on topic: hMailServer is a Windows product. Why can't it just be given the friendly name of a cert in the certificate store and use that directly instead of all these gyrations? Then win-acme can auto-renew it via Task Scheduler and I never have to think about it again.


MrGadget
Normal user
Posts: 44
Joined: 2011-10-23 23:47
Location: Midwest USA

Re: HCD - SSL-Simplification with Letsencrypt

Post by MrGadget » 2019-10-16 18:55

I actually had read them. They're either outdated, incomplete, or not applicable (apache, extra tools, gyrations).

Your clue that it wants PEM files did help, and I finally got win-acme to produce all the correct files, but it's a specific set of steps through the [M]anual process of that tool.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HCD - SSL-Simplification with Letsencrypt

Post by mattg » 2019-10-17 00:06

I have a webmail interface on mx.example.com
(hosted on Ubuntu running Apache elsewhere on my LAN. Let's Encrypt certs updated by the certbot script.)

That's ALSO my mailserver local host name.
I simply copy the fullchain.pem from my Ubuntu box and use it for my hMailServer.


I used to use letsencrypt-win-simple running on my IIS server on the same server as hMailServer to the same effect.
Apache or NginX are much better (and more secure) than IIS.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-10-17 14:09

MrGadget wrote:
2019-10-16 18:55
I actually had read them. They're either outdated, incomplete, or not applicable (apache, extra tools, gyrations).

Your clue that it wants PEM files did help, and I finally got win-acme to produce all the correct files, but it's a specific set of steps through the [M]anual process of that tool.
With wildcard certificates you get the double benefit of the wildcard, of course, but the creation validation is limited to the DNS method only. This means you don't need a web server of any kind. So once it's set up, it renews automatically by scheduled task and you only need to restart hMailServer for the new certificate to take effect after the renewal. That can be done by script, or like I do: the nightly backup stops and restarts the hMailServer service in the process of backing up, and since it restarts nightly anyway, I don't ever worry about the certificate being outdated.

Also, "[M]anual" is a one-time deal. After that, renewals occur automatically by scheduled task.
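For the DNS-01 method mentioned in this post (the one that needs no web server and, as discussed earlier in the thread, no inbound port 80 through the NAT), here is an added example in Python, standard library only; it is not code from the thread, from win-acme or from hMailServer. The value the CA looks for in the _acme-challenge TXT record is base64url(SHA-256(key authorization)), where the key authorization is the token joined with a "." to the account-key thumbprint, as in RFC 8555 section 8.4. A wildcard identifier is validated at its base name, which is why a certificate covering both *.example.org and example.org needs two TXT records at the same name. The token and thumbprint below are constructed sample values, and the zone dictionary stands in for the public DNS the CA would query; the function names are this example's own. The check mirrors what the CA does, so you can run it against a real resolver before asking the CA to validate.

```python
import base64
import hashlib

# Constructed inputs: a base64url token as the CA hands out in the challenge,
# and the RFC 7638 thumbprint of a (hypothetical) ACME account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token.thumbprint))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def dns01_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard identifier (*.example.org) is validated
    at its base name, so the leading '*.' label is dropped first."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def dns01_validate(identifier: str, token: str, thumbprint: str, lookup_txt) -> bool:
    """Mirror of the CA-side check: is the expected digest among the TXT
    strings at the challenge name? lookup_txt(name) returns a list of TXT
    strings, so any resolver (or the sample zone below) can be plugged in."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in lookup_txt(dns01_record_name(identifier))


# Constructed zone standing in for the public DNS. A wildcard certificate
# that also covers the bare name gets two challenges (one per identifier),
# and both TXT values sit under the same _acme-challenge name.
SAMPLE_ZONE = {
    "_acme-challenge.example.org": [
        dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT),
        dns01_txt_value("second-token-for-the-bare-name", SAMPLE_THUMBPRINT),
    ],
}


def sample_lookup(name: str):
    """Resolver stand-in: TXT strings for a name in the constructed zone."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for identifier, token in (("*.example.org", SAMPLE_TOKEN),
                              ("example.org", "second-token-for-the-bare-name"),
                              ("example.net", SAMPLE_TOKEN)):
        print(identifier, dns01_record_name(identifier),
              dns01_validate(identifier, token, SAMPLE_THUMBPRINT, sample_lookup))
```

The practical consequence for hMailServer is the one the post describes: the only thing the mail host has to do is load the new cert.pem and key.pem and restart, since nothing about the validation touches it.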
