Step by step LetsEncrypt WinSimple

This section contains user-submitted tutorials.
palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Step by step LetsEncrypt WinSimple

Post by palinka » 2020-05-18 22:49

From my other tutorial: https://hmailserver.com/forum/viewtopic ... 21&t=34386

Code:

When we have the certificate, you can store in one or more ways to make it
  accessible to your applications. The Windows Certificate Store is the default
  location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: Windows Certificate Store
 C: Abort

 How would you like to store the certificate?: 

Enter 2 for PEM. This will work without fuss with hMailServer.

Code:

Path to folder where .pem files are stored:

Choose a path and enter it.

Code:

1: IIS Central Certificate Store (.pfx per domain)
 2: Windows Certificate Store
 3: No additional storage steps required
 C: Abort

 Would you like to store it in another way too?: 

Enter 3 for no additional, unless you want one of the other options.
I guess you should choose pem first (for hmailserver) then iis certificate store.

RBoy
Normal user
Posts: 31
Joined: 2018-12-04 04:28

Re: Step by step LetsEncrypt WinSimple

Post by RBoy » 2020-05-19 04:38

Thanks, I've been poring over your guide, very helpful. I guess I will need to pick PEM and then IIS store as the second option. The part where I'm stuck is, do I need to revoke/cancel the existing renewal task or can I change the settings of the existing task (if so from where?) or should I select the option to Create manual renewal (full options) and just leave the existing renewal alone (i.e. it will be overwritten).

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Step by step LetsEncrypt WinSimple

Post by palinka » 2020-05-19 11:40

As far as I know, v1 and v2 are not compatible. So after you upgrade, the old scheduled task will no longer work. Choose the option of creating a new one. I think you'll have to manually delete the old one from task scheduler.

RBoy
Normal user
Posts: 31
Joined: 2018-12-04 04:28

Re: Step by step LetsEncrypt WinSimple

Post by RBoy » 2020-05-19 19:35

Thank you very much, so I finally got this done with some hesitation but I have to say v2.1.7 of Win Acme is so much more powerful and friendly than v1.9, it was actually a breeze to set it up. For the benefit of folks who want to use IIS/FTP and hMailServer together here are a few tips and the steps I used:

NOTES:
  • Creating a new renewal certificate does not overwrite existing renewal/binding tasks
  • PEM can also be used for hMailServer and the PEM store is just basically a folder which contains the Chain, Key and Crt PEM files to be used by third party programs. The default store used by IIS/FTP is the Windows Certificate Store.
  • It's safe to add multiple stores without impacting any existing IIS/FTP bindings. The order that I used and appears to be working is Windows Certificate Store (for IIS/FTP) and secondary PEM store. The flow is beautiful and super easy, the prompts are fantastic and it prompts you to add a secondary store after you select the first store and the default settings with the colors just do a brilliant job for making a very complex operation very simple.

So the steps I took after migrating https://www.win-acme.com/manual/migration from v1.9 to v2.1.3. I basically downloaded the pluggable version of Win Acme v2.1.7 and extracted them to overwrite the 2.1.3 folder. The certificates and per domain renewal options (in JSON format) are stored in the `C:\ProgramData\Win-Acme` folder but it shouldn't be touched.
  • After extracting, I started wacs.exe, I selected the domain I wanted to use with IIS and hMailServer and deleted that one single domain under the `O: More options...` menu.
  • Then from the main menu I selected the `M: Manual renewal (full option)`, selected that same domain, picked IIS, picked the Central Windows Stores as the first store (default), then selected the PEM store as the secondary option, entered the folder I wanted them (make sure the folder exists) and followed the default prompts after that to complete the renewal.
  • Win Acme downloaded the certificates, bound them to IIS and also exported a copy of them to the PEM folder.
  • Now simply point the PEM certificates to hMailServer in the configuration.

As I understand the certificates in the Windows Store will have random names after each renewal but the ones in the PEM folder will have a static name.

RDA
New user
Posts: 15
Joined: 2020-05-16 12:12

Re: Step by step LetsEncrypt WinSimple

Post by RDA » 2020-05-28 01:28

@mattg
"I get the pem files with my apache server running on Ubuntu, and access these from hMailserver directly via network shares using UNC paths in the ADMIN GUI and it works fine"
Could you please explain how you do this? I too wish to do the same to automate the renewal of certificates. I have a different server running my web server on Ubuntu / Apache2.

My hMailServer has two domains added, but only one domain has a web server.

Thank you
RDA

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Step by step LetsEncrypt WinSimple

Post by mattg » 2020-05-28 02:49

My webmail url is 'mail.example.com'
(roundcube hosted on my Ubuntu | Nginx box)

and this url is ALSO my local host name on my hMailServer

I let certbot renew certificates for my webserver, and have shared the live certificate folder (/etc/letsencrypt/live) via Samba|SMB
I access this SMB share from windows with a UNC path

certificate file (in hmailAdmin) = \\10.10.10.100\mail.example.com\fullchain.pem
private key file (in hmailAdmin) = \\10.10.10.100\mail.example.com\privkey.pem

I just need to restart my hmailserver at least every 30 days - but windows updates takes care of that

(as an aside, if you are SSL securing your websites, change to nginx from apache - less than half the memory usage, and so much faster normally)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
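
Added example (not written by any poster in this thread, and not hMailServer, win-acme or certbot code): both the static-name PEM folder described by RBoy and the shared certbot folder described by mattg depend on hMailServer being restarted to pick up a renewed file, so this Python check compares the leaf certificate in the renewed `fullchain.pem` with the one the server currently presents. It assumes an implicit-TLS port (for example 993, 465 or 995) and Python 3 on a machine that can read the PEM file; the function names are hypothetical.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_der(pem_text):
    """DER bytes of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def served_der(host, port, timeout=10):
    """DER certificate presented on an implicit-TLS port (assumption: 993, 465 or 995)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the result is only compared
    # against the renewed file, it is never trusted on its own.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def needs_restart(file_pem_text, live_der):
    """True when the server presents a certificate other than the one on disk."""
    return fingerprint(leaf_der(file_pem_text)) != fingerprint(live_der)


if __name__ == "__main__":
    # Usage: python check_cert.py <path-to-fullchain.pem> <host> <port>
    pem_path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(pem_path, encoding="utf-8") as handle:
        stale = needs_restart(handle.read(), served_der(host, port))
    print("STALE: restart hMailServer" if stale else "OK: served certificate matches file")
    sys.exit(1 if stale else 0)
```

The exit code is 1 when the served certificate differs from the file, so a scheduled task can use it to decide whether a service restart is due.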

RDA
New user
New user
Posts: 15
Joined: 2020-05-16 12:12

Re: Step by step LetsEncrypt WinSimple

Post by RDA » 2020-06-06 23:35

@mattg Thank you.