I had this happen to me: my certificate has expired and I noticed too late. What I would like to see in the GUI are the dates of the certificates. Maybe it could be done in Diagnostics?
I am also not sure, when a new certificate is loaded, if it is in the same place as the old one was. After a reboot of hmail server or the whole machine?
Thanks for reading.
TLS certificate check
Re: TLS certificate check
I just renewed my certificate today...
0: Run acme.sh on my 'nix box to generate new LetsEncrypt certificate(s)
1: Copy the updated cert files to the designated hMailServer folder
2: net stop hmailserver && net start hmailserver
Job done.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: TLS certificate check
I generate certificates automatically on a schedule (win-acme) on the same box as hmailserver. PEM certificates get exported to a folder. Hmailserver loads its certificates from that folder. When a certificate is renewed, the PEM certificates get over-written in that folder. They're always up to date.
On Hmailserver's end, my nightly backup script stops Hmailserver for backup. When Hmailserver is restarted by the script, the certificate gets reloaded. Therefore, as long as win-acme is doing its job, Hmailserver never has an expired certificate.
Both. Also, I think "pause" in the admin GUI also reloads the certificates. I'm not 100% sure about that. But certainly, every time the hmailserver service is started, certificates are reloaded, whether it's starting due to reboot or any other method.
Re: TLS certificate check
Looks like my workflow too. And it has problems.
Probably the smart way of doing things.
Nonetheless, hmail is missing something.
Re: TLS certificate check
I updated the certificate on my NAS (webserver), my primary hMailServer and my secondary hMailServer.
I have actually thought of making a cron job to do the certificate and copying to hMailServer. Both servers restart at midnight anyways.
SørenR.
Re: TLS certificate check
If your certificate expires there should be lots of errors in your hMailserver log files.
I use Let's Encrypt on my Ubuntu webserver (because it is far easier than using win-acme), and have shared the certificate folder to my hmailserver. hMailserver picks up the latest certificate every time it restarts.
If it doesn't restart for more than 30 days, I could have an issue with an out of date certificate being loaded (and cached), and then connections get dropped. I use Thunderbird and Thunderbird alerted me to the out of date certificates. Restart hMailserver = good to go.
Thankfully, due to Windows updates etc., it's a pretty rare occurrence for my hMailserver not to restart within a month.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: TLS certificate check
Interesting, how do you do that?
I do it manually every three months, taking it from my pfSense, and I also use DANE, so I at least have the feeling that too much automation wouldn't do me good either.
Re: TLS certificate check
On my Ubuntu I created a Samba share that is accessible from my hMailserver Windows machine (I may use custom credentials to run the hmailserver SERVICE that have the appropriate SAMBA permissions).
You should be able to run SAMBA on FreeBSD/pfSense.
hMailserver only needs read access to the letsEncrypt folder with the latest symlinked certificates;
for me that is etc/letsencrypt/live/example.com/
Re: TLS certificate check
mattg wrote: ↑2021-06-07 15:26
On my Ubuntu I created a Samba share that is accessible from my hMailserver Windows machine (I may use custom credentials to run the hmailserver SERVICE that have the appropriate SAMBA permissions).
You should be able to run SAMBA on FreeBSD/pfSense.
hMailserver only needs read access to the letsEncrypt folder with the latest symlinked certificates;
for me that is etc/letsencrypt/live/example.com/
Like this ??
net stop hMailServer
fc \\BIGBROTHER\homes\admin\.acme.sh\mx.acme.inc\mx.acme.inc.cer C:\hMailServer\SSLCert\LetsEncrypt\mx.acme.inc.cer >NUL && goto exit || goto import
:import
Copy ... bla bla
Copy ... bla bla
Copy ... bla bla
:exit
net start hMailServer
SørenR.
Re: TLS certificate check
No, I simply use the UNC path in the hMailserver GUI
My certificate file is
\\192.168.0.100\example.com\fullchain.pem
My private key file is
\\192.168.0.100\example.com\privkey.pem
Where the
\\192.168.0.100\example.com\ is
/etc/letsencrypt/live/example.com/ on my Ubuntu webserver
LetsEncrypt issues me a Multi domain certificate that covers example.com and subdomains like mail.example.com etc
This same location is used by Nginx (and previously Apache) to secure my websites for that domain.
Certbot updates the symlinks in that folder as new certificates are created / downloaded for that Multi-domain group
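A check for the two failure modes discussed in this thread (a certificate close to expiry, and a renewed file on disk while the running service still serves the one it loaded at its last start), as an added example that is not part of any post above. The host name, the implicit-TLS port 465, the 14-day threshold and the function names are assumptions; the PEM path is the UNC path quoted in the last post.

```powershell
# Added example, not code from the thread. Host, port, threshold and function
# names are assumptions; the PEM path is the UNC path quoted in the last post.
param(
    [string]$HostName = 'mail.example.com',
    [int]$Port = 465,   # assumed implicit-TLS listener (no STARTTLS dialogue)
    [string]$PemPath = '\\192.168.0.100\example.com\fullchain.pem',
    [int]$WarnDays = 14
)

function Get-ServedCertificate([string]$Name, [int]$TcpPort) {
    $client = New-Object System.Net.Sockets.TcpClient($Name, $TcpPort)
    try {
        # Accept any certificate: this probe must be able to read an expired
        # one. It reports on the certificate; it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        # Copy the certificate so it outlives the connection.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateFindings($OnDisk, $Served, [int]$Days, [datetime]$Now) {
    $findings = @()
    if ($Served.Thumbprint -ne $OnDisk.Thumbprint) {
        $findings += 'STALE: served certificate differs from the file on disk; restart the hMailServer service'
    }
    if ($Served.NotAfter -lt $Now) {
        $findings += "EXPIRED: served certificate ended $($Served.NotAfter)"
    } elseif ($Served.NotAfter -lt $Now.AddDays($Days)) {
        $findings += "EXPIRING: served certificate ends $($Served.NotAfter)"
    }
    if ($OnDisk.NotAfter -lt $Now.AddDays($Days)) {
        $findings += "NOT RENEWED: file on disk ends $($OnDisk.NotAfter); check the ACME client"
    }
    $findings
}

# The file constructor reads the first certificate in the PEM, the leaf in fullchain.pem.
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemPath)
$served = Get-ServedCertificate $HostName $Port
$findings = @(Get-CertificateFindings $onDisk $served $WarnDays (Get-Date))
"Disk  : $($onDisk.Thumbprint) valid until $($onDisk.NotAfter)"
"Served: $($served.Thumbprint) valid until $($served.NotAfter)"
$findings
if ($findings.Count -gt 0) { exit 1 }
```

Run it from a scheduled task under an account with read access to the share; a non-zero exit code means at least one finding was reported.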