TLS certificate check

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
Post Reply
User avatar
Bob.Dig
Normal user
Normal user
Posts: 144
Joined: 2020-06-29 09:18
Location: Germany

TLS certificate check

Post by Bob.Dig » 2021-06-06 10:39

I had this happened to me, my certificate has expired and I noticed too late. What I would like to see in the gui are the dates of the certificates. Maybe it could be done in Diagnostics?
I am also not sure, when a new certificate is loaded, if it is in the same place as the old one was. After a reboot of hmail server or the whole machine?

Thanks for reading.

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS certificate check

Post by SorenR » 2021-06-06 15:04

I just renewed my certificate today...

0: Run acme.sh on my 'nix box to generate new LetsEncrypt certificate(s)
1: Copy the updated cert files to the designated hMailServer folder
2: net stop hmailserver && net start hmailserver

Job done.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: TLS certificate check

Post by palinka » 2021-06-06 16:43

I generate certificates automatically on a schedule (win-acme) on the same box as hmailserver. PEM certificates get exported to a folder. Hmailserver loads its certificates from that folder. When a certificate is renewed, the PEM certificates get over-written in that folder. They're always up to date.

On Hmailserver's end, my nightly backup script stops Hmailserver for backup. When Hmailserver is restarted by the script, the certificate gets reloaded. Therefore, as long as win-acme is doing its job, Hmailserver never has an expired certificate.
Bob.Dig wrote:
2021-06-06 10:39
I am also not sure, when a new certificate is loaded, if it is in the same place as the old one was. After a reboot of hmail server or the whole machine?
Both. Also, i think "pause" in the admin gui also reloads the certificates. I'm not 100% sure about that. But certainly, every time the hmailserver service is started, certificates are reloaded, whether it's starting due to reboot or any other method.

User avatar
Bob.Dig
Normal user
Normal user
Posts: 144
Joined: 2020-06-29 09:18
Location: Germany

Re: TLS certificate check

Post by Bob.Dig » 2021-06-06 16:56

SorenR wrote:
2021-06-06 15:04
0: Run acme.sh on my 'nix box to generate new LetsEncrypt certificate(s)
1: Copy the updated cert files to the designated hMailServer folder
2: net stop hmailserver && net start hmailserver
Looks like my workflow too. And it has problems.

palinka wrote:
2021-06-06 16:43
I generate certificates automatically on a schedule (win-acme) on the same box as hmailserver.
Probably the smart way of doing things. :D

Nonetheless, hmail is missing something.

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS certificate check

Post by SorenR » 2021-06-06 18:51

Bob.Dig wrote:
2021-06-06 16:56
SorenR wrote:
2021-06-06 15:04
0: Run acme.sh on my 'nix box to generate new LetsEncrypt certificate(s)
1: Copy the updated cert files to the designated hMailServer folder
2: net stop hmailserver && net start hmailserver
Looks like my workflow too. And it has problems.
I updated the certificate on my NAS (webserver), my primary hMailServer and my secondary hMailServer.

I have actually thought of making a cron job to do the certificate and copying to hMailServer. Both servers restart at midnight anyways.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS certificate check

Post by mattg » 2021-06-07 01:44

If your certificate expires there should be lots of errors in your hMailserver log files

I use lets encrypt on my Ubuntu webserver (because it is far easier than using win-acme), and have shared the certificate folder to my hmailserver. hMailserver picks up the latest certificate every time it restarts

If it doesn't restart for more than 30 days, I could have an issue with an out of date certificate being loaded (and cached), and then connections get dropped. I use Thunderbird and thunderbird alerted me to the out of date certificates. Restart hMailserver = good to go.

Thankfully due to Windows updates etc, it s a pretty rare occurrence for my hMailserver not to restart within a month.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Bob.Dig
Normal user
Normal user
Posts: 144
Joined: 2020-06-29 09:18
Location: Germany

Re: TLS certificate check

Post by Bob.Dig » 2021-06-07 09:01

mattg wrote:
2021-06-07 01:44
I use lets encrypt on my Ubuntu webserver (because it is far easier than using win-acme), and have shared the certificate folder to my hmailserver.
Interesting, how you do that?

I do it manually every three month, taking it from my pfSense, and also I use DANE, so I have at least the feeling, to much automation wouldn't do me good either.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS certificate check

Post by mattg » 2021-06-07 15:26

On my Ubuntu I created a Samba share that is accessible from my hMailserverv windows machine ( I may use custom credentials to run the hmailserver SERVICE that have the appropriate SAMBA permissions)

You should be able to run SAMBA on FreeBSD/PFsense

hMailserver only needs read access to the letsEncrypt folder with the latest simlinked certificates

for me that is etc/letsencrypt/live/example.com/
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS certificate check

Post by SorenR » 2021-06-07 15:39

mattg wrote:
2021-06-07 15:26
On my Ubuntu I created a Samba share that is accessible from my hMailserverv windows machine ( I may use custom credentials to run the hmailserver SERVICE that have the appropriate SAMBA permissions)

You should be able to run SAMBA on FreeBSD/PFsense

hMailserver only needs read access to the letsEncrypt folder with the latest simlinked certificates

for me that is etc/letsencrypt/live/example.com/
Like this ??

Code: Select all

net stop hMailServer

fc \\BIGBROTHER\homes\admin\.acme.sh\mx.acme.inc\mx.acme.inc.cer C:\hMailServer\SSLCert\LetsEncrypt\mx.acme.inc.cer >NUL && goto exit || goto import

:import
Copy ... bla bla
Copy ... bla bla
Copy ... bla bla

:exit

net start hMailServer
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS certificate check

Post by mattg » 2021-06-08 00:09

No, I simply use the UNC path in the hMailserver GUI

My certificate file is
\\192.168.0.100\example.com\fullchain.pem

My private key file is
\\192.168.0.100\example.com\privkey.pem



Where the
\\192.168.0.100\example.com\ is
/etc/letsencrypt/live/example.com/ on my Ubuntu webserver

LetsEncrypt issues me a Multi domain certificate that covers example.com and subdomains like mail.example.com etc

This same location is used by Nginx (and previously Apache) to secure my websites for that domain.
Certbot updates the symlinks in that folder as new certificates are created / downloaded for that Multi-domain group
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post Reply