Certify automatic ssl certificate and renewal

This section contains user-submitted tutorials.

Post by alescan » 2019-11-20 18:18

Hi everyone,
I recently discovered https://certifytheweb.com/ (The SSL Certificate Manager for Windows, powered by Let's Encrypt) and made a simple script to automate the renewal process.
You only have to modify the crt and key path and set it in the post-request script page of the program.

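Code:

param($result)
# Path of the PFX file that Certify has just issued or renewed
$latest = $result.ManagedItem.CertificatePath
# Extract the private key, unencrypted (-nodes); the PFX password is empty
openssl pkcs12 -in $latest -out E:\path\to\private\key\public.key -nocerts -nodes -passin pass:
# Extract the certificate without the key
openssl pkcs12 -in $latest -out E:\path\to\public\crt\public.crt -nokeys -passin pass:
# Restart hMailServer so it loads the new files
Restart-Service -Name hMailServer -Force

Hope it can help some of you!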

Bye!
HMS 5.6.7 B2425 on Win Server 2016 Standard with SQL Server 2019

Post by bajlek » 2019-12-31 00:49

I need to edit that to this:

Code:

param($result)
# Add the OpenSSL folder to PATH for this script's session
$env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"
$latest = $result.ManagedItem.CertificatePath

# Output paths contain spaces, so they are quoted
openssl pkcs12 -in $latest -out 'C:\Program Files (x86)\hMailServer\ssl\cert\mykey.pem' -nocerts -nodes -passin pass:
openssl pkcs12 -in $latest -out 'C:\Program Files (x86)\hMailServer\ssl\cert\mycert.pem' -nokeys -nodes -chain -passin pass:

Restart-Service -Name hMailServer -Force

I also set PATH in user variables, but it won't even work for PowerShell, so it needs to be set up in the script. And my path has spaces - careful with that.
Reference: https://stackoverflow.com/questions/455 ... ystem-path

Post by berg128 » 2021-01-07 13:41

I'm trying to implement it, but it seems the $result isn't passed on to the script, or the $latest isn't expanded in the openssl command.

Must be something annoying I overlook because I'm a novice to PS.

Anyone have an idea?

***SCRIPT***
param($result)
$env:path = $env:path + ";D:\Program Files\OpenSSL\bin"
$latest = $result.ManagedItem.CertificatePath
echo "1"
echo $result
echo "1"
echo $latest
echo "1"

openssl pkcs12 -in $latest -out 'D:\Program Files\hMailServer\ssl\cert\mykey.pem' -nocerts -nodes -passin pass:
openssl pkcs12 -in $latest -out 'D:\Program Files\hMailServer\ssl\cert\mycert.pem' -nokeys -nodes -chain -passin pass:

Restart-Service -Name hMailServer -Force

****LOG RESULT:****
2021-01-07 12:21:07.417 +01:00 [INF] Executing command via PowerShell
2021-01-07 12:21:08.336 +01:00 [ERR] 1
Certify.Models.CertificateRequestResult
1
C:\ProgramData\certify\assets\mx.mydomain.com\20210407_e9f7ddf2.pfx
1
Error: openssl.exe: MAC verified OK
At D:\Program Files\hMailServer\ssl\Getcertificates.ps1:10 char:1
+ openssl pkcs12 -in $latest -out 'D:\Program Files\hMailServer\ssl\cer ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: openssl.exe: MAC verified OK
At D:\Program Files\hMailServer\ssl\Getcertificates.ps1:11 char:1
+ openssl pkcs12 -in $latest -out 'D:\Program Files\hMailServer\ssl\cer ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)
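
In the log above, the text reported as an error is `MAC verified OK`, an informational line that openssl prints on stderr when the PFX was read successfully. The following is an added example, not code from the thread or from Certify: a post-request script that decides success by openssl's exit code, locks down the unencrypted key file, and restarts the service only after both extractions succeeded. The install path, target folder and the assumption that hMailServer runs as LocalSystem are placeholders to adapt; the file names follow bajlek's post.

```powershell
param($result)
$ErrorActionPreference = 'Stop'
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$outDir  = 'C:\Program Files (x86)\hMailServer\ssl\cert'      # assumed target folder
$pfx     = $result.ManagedItem.CertificatePath
if (-not $pfx -or -not (Test-Path -LiteralPath $pfx)) { throw "No PFX path received (got '$pfx')" }

function Invoke-OpenSsl {
    param([string[]]$Arguments)
    # stdout/stderr go to temp files, so informational stderr lines never become
    # PowerShell error records; only a non-zero exit code counts as failure.
    $errFile = [IO.Path]::GetTempFileName()
    $outFile = [IO.Path]::GetTempFileName()
    try {
        $quoted = $Arguments | ForEach-Object { if ($_ -match '\s') { '"{0}"' -f $_ } else { $_ } }
        $p = Start-Process -FilePath $openssl -ArgumentList $quoted -NoNewWindow -Wait -PassThru `
                -RedirectStandardError $errFile -RedirectStandardOutput $outFile
        if ($p.ExitCode -ne 0) { throw "openssl exited with $($p.ExitCode): $(Get-Content $errFile -Raw)" }
    } finally {
        Remove-Item $errFile, $outFile -ErrorAction SilentlyContinue
    }
}

# Extract into temporary names first, so a failed run never replaces working files.
$keyTmp  = Join-Path $outDir 'mykey.pem.new'
$certTmp = Join-Path $outDir 'mycert.pem.new'
Invoke-OpenSsl 'pkcs12','-in',$pfx,'-out',$keyTmp,'-nocerts','-nodes','-passin','pass:'
Invoke-OpenSsl 'pkcs12','-in',$pfx,'-out',$certTmp,'-nokeys','-passin','pass:'

# The key is unencrypted (-nodes): drop inherited ACEs and allow only
# SYSTEM (S-1-5-18, read) and Administrators (S-1-5-32-544, full control).
& icacls.exe $keyTmp /inheritance:r /grant:r '*S-1-5-18:R' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Swap the new files in and restart the service.
Move-Item -LiteralPath $keyTmp  -Destination (Join-Path $outDir 'mykey.pem')  -Force
Move-Item -LiteralPath $certTmp -Destination (Join-Path $outDir 'mycert.pem') -Force
Restart-Service -Name hMailServer -Force
```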

Post by robw » 2021-01-14 04:01

Certify the Web is a brilliant tool. I highly encourage everyone to buy licences to support it.

Pardon me if this is a silly question, but why do you need a script?

We've set it up with point-and-click configuration using the Deployment Tasks tab. Have I missed something important?
Attachments
ctw-ssl-tasks.png

Post by alescan » 2021-01-14 11:53

robw wrote (2021-01-14 04:01):
> Certify the Web is a brilliant tool. I highly encourage everyone to buy licences to support it.
>
> Pardon me if this is a silly question, but why do you need a script?
>
> We've set it up with point-and-click configuration using the Deployment Tasks tab. Have I missed something important?

At the time I wrote it (November 2019) there wasn't that feature, which was added in major version 5.0 in April 2020.

Post by DrmCa » 2021-01-15 18:26

I am missing the part where this is better than Certbot.

certbot renew

is all one needs for an automatic renewal anyway. What's the catch with Certify?

Post by alescan » 2021-01-16 12:44

I never used certbot, but from what I know, Certify is a program with a full user interface under Windows, while certbot on Windows only works with cmd or PowerShell. So for some people it can be simpler to have a GUI.

Post by Andreas58 » 2021-01-29 13:40

After several failed attempts to install SSL on my server, I succeeded with CertifyTheWeb. The script also works and SSL is installed on hMailServer. However, I can't get encrypted SMTP to work. In my mail client I can get the IMAP protocol encrypted, but not SMTP. The ports are open and protocols are linked in the mail server. Any ideas?

Post by jimimaseye » 2021-01-29 14:32

Andreas58 wrote (2021-01-29 13:40):
> After several failed attempts to install SSL on my server, I succeeded with CertifyTheWeb. The script also works and SSL is installed on hMailServer. However, I can't get encrypted SMTP to work. In my mail client I can get the IMAP protocol encrypted, but not SMTP. The ports are open and protocols are linked in the mail server. Any ideas?

Please start a new thread and provide your own details and diagnostics.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by pravyroxor » 2021-06-21 11:05

This is a working (adjusted) PowerShell script with the intermediate and root certificates included in the PEM file, working with hMailServer:

$dir = "c:\programdata\Certify\assets\mail.xxxxxx.xx"
$Name = Get-ChildItem -Path $dir | Sort-Object LastAccessTime -Descending | Select-Object -First 1 | gci | % {$_.BaseName}

Write-Host "PFX Name: $Name"

# Convert Certificate to pem
# set OPENSSL_CONF=c:\Program Files\OpenSSL-Win64\bin\openssl.cfg
openssl.exe pkcs12 -in $dir\$Name.pfx -out $env:userprofile\Desktop\temp.pem -nodes -chain -passin pass:
openssl.exe pkey -in $env:userprofile\Desktop\temp.pem -out $env:userprofile\Desktop\$Name.Private.pem


# Modify the certificate file to strip unneeded lines and match the order: first certificate, second intermediate, third root.
# In my case it's ALWAYS wrong: certificate, root, intermediate.

$SLine = select-string -pattern "BEGIN CERTIFICATE" -path $env:userprofile\Desktop\temp.pem
$ELine = select-string -pattern "END CERTIFICATE" -path $env:userprofile\Desktop\temp.pem

# Copy each BEGIN..END block by its line range; blocks 0, 1, 2 are certificate, root, intermediate
$Certificate = for ($i = ($SLine[0].LineNumber - 1); $i -le ($ELine[0].LineNumber - 1); $i++) {
    Get-Content -path $env:userprofile\Desktop\temp.pem | Select -Index $i
}
$Root = for ($i = ($SLine[1].LineNumber - 1); $i -le ($ELine[1].LineNumber - 1); $i++) {
    Get-Content -path $env:userprofile\Desktop\temp.pem | Select -Index $i
}
$Intermediate = for ($i = ($SLine[2].LineNumber - 1); $i -le ($ELine[2].LineNumber - 1); $i++) {
    Get-Content -path $env:userprofile\Desktop\temp.pem | Select -Index $i
}

# Remove temp file --> certificate with private key, certificates and not needed lines
Remove-Item $env:userprofile\Desktop\temp.pem

$Preperation = "$Certificate" + " " + "$Intermediate" + " " + "$Root"
$Preperation = $Preperation -replace "BEGIN CERTIFICATE","BEGIN_CERTIFICATE"
$Preperation = $Preperation -replace "END CERTIFICATE","END_CERTIFICATE"
$Preperation = $Preperation -replace ' ',"`n"
$Preperation = $Preperation -replace "BEGIN_CERTIFICATE","BEGIN CERTIFICATE"
$Preperation = $Preperation -replace "END_CERTIFICATE","END CERTIFICATE"

# Write and trim files, named ExpireDate.Certificate.pem and ExpireDate.Private.pem
$Preperation > $env:userprofile\Desktop\$Name.Certificate.pem
(gc $env:userprofile\Desktop\$Name.Certificate.pem) | Foreach {$_.TrimEnd()} | where {$_ -ne ""} | Set-Content $env:userprofile\Desktop\$Name.Certificate.pem
(gc $env:userprofile\Desktop\$Name.Private.pem) | Foreach {$_.TrimEnd()} | where {$_ -ne ""} | Set-Content $env:userprofile\Desktop\$Name.Private.pem

# Deploy files to hmailserver
Stop-Service Spamassassin
Stop-Service hmailserver

Move-Item $env:userprofile\Desktop\$Name.Certificate.pem "c:\Program Files\hMailServer\SSL\mailcert.cer" -force
Move-Item $env:userprofile\Desktop\$Name.Private.pem "c:\Program Files\hMailServer\SSL\pem.pk" -Force

Start-Service hmailserver
Start-Service Spamassassin
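
The script above relies on the bundle always arriving in the order certificate, root, intermediate. As an added example (not part of the post), the function below orders the certificates by matching each one's Issuer to the next one's Subject, so the result does not depend on their position in the file. The function name and parameter are hypothetical, and name matching only orders the chain; it does not verify signatures.

```powershell
function Get-OrderedChain {
    param([Parameter(Mandatory)][string]$PemPath)

    # Keep only the PEM blocks; "Bag Attributes" and other extra lines are dropped.
    $text   = Get-Content -LiteralPath $PemPath -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----')
    if ($blocks.Count -eq 0) { throw "No certificates found in $PemPath" }

    # Parse every block so ordering can use Subject/Issuer instead of position.
    $certs = foreach ($b in $blocks) {
        $b64   = $b.Value -replace '-----[A-Z ]+-----', '' -replace '\s', ''
        $bytes = [Convert]::FromBase64String($b64)
        [pscustomobject]@{
            Pem  = ($b.Value -replace "`r", '').Trim()
            X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)
        }
    }

    # Leaf = the certificate whose subject is not the issuer of any other certificate.
    $leaf = @($certs | Where-Object {
        $s = $_.X509.Subject
        -not ($certs | Where-Object { $_.X509.Issuer -eq $s -and $_.X509.Subject -ne $s })
    })
    if ($leaf.Count -ne 1) { throw "Expected exactly one leaf certificate, found $($leaf.Count)" }

    # Walk leaf -> issuer -> ... until a self-signed root or a missing issuer.
    $ordered = @($leaf[0])
    $current = $leaf[0]
    while ($current.X509.Subject -ne $current.X509.Issuer) {
        $next = $certs | Where-Object { $_.X509.Subject -eq $current.X509.Issuer } | Select-Object -First 1
        if (-not $next -or $ordered.X509.Thumbprint -contains $next.X509.Thumbprint) { break }
        $ordered += $next
        $current  = $next
    }
    ($ordered | ForEach-Object { $_.Pem }) -join "`n"
}

# Usage (paths are placeholders):
# Get-OrderedChain -PemPath 'C:\temp\chain.pem' | Set-Content -Encoding Ascii 'C:\temp\ordered.pem'
```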
