Update SSL certificate

Discussion for developers using MailEnable.
John
Posts: 6
Joined: Thu Mar 31, 2016 9:25 am

Update SSL certificate

Post by John »

Hi,

I want to use LetsEncrypt to generate the SSL certificate used in MailEnable. All works, but I'm not sure how to assign the certificate programmatically to the ME server. The only place I could find related to this is a registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Security\Default SSL Certificate).

Is there anything else I would have to do except setting this key to the certificate's CN?

John

John
Posts: 6
Joined: Thu Mar 31, 2016 9:25 am

Re: Update SSL certificate

Post by John »

Hello,

Apart from changing the certificate, one has to restart all services using the certificate (POP, SMTP and IMAP), right?

Is there a specific way for this, or do I just "net stop ... / net start ..."?

John

Herman_verschooten
Posts: 9
Joined: Wed Feb 06, 2008 2:59 pm

Re: Update SSL certificate

Post by Herman_verschooten »

Did you find a working solution? I too am interested in using letsencrypt.

Herman

John
Posts: 6
Joined: Thu Mar 31, 2016 9:25 am

Re: Update SSL certificate

Post by John »

No, I could not find a reliable way to set the SSL cert in ME. Doing it manually every 3 months ;-)

windsocks
Posts: 1
Joined: Sun Oct 27, 2019 12:48 pm

Re: Update SSL certificate

Post by windsocks »

Hi,

Trying to revive this after 2+ years... is there any update on this? Can we programmatically update the SSL cert used by ME?

GigaT
Posts: 2
Joined: Mon Nov 04, 2019 10:56 pm

Re: Update SSL certificate

Post by GigaT »

I would also love an update/documentation to this question

It would be really nice to be able to use IIS centralized certificate store, then MailEnable would just find the .pfx cert file in a directory that matches the requested domain name :wink:

I'm using Win-Acme, which actually works very well for IIS websites.

Many Thanks

Maur0V
Posts: 50
Joined: Thu May 09, 2013 10:26 am

Re: Update SSL certificate

Post by Maur0V »

It's possible to use Let's Encrypt as SSL for MailEnable services.
I've written a script to do it.
It works in an automatic way, using the default Let's Encrypt planned task to renew SSL.
If interested in it, PM me.

awstraining
Posts: 1
Joined: Wed Nov 27, 2019 11:00 am

Re: Update SSL certificate

Post by awstraining »

Thank you for sharing the good knowledge and information, it's very helpful and understanding, as we have been looking for this information for a long time. Regards
3RI Technologies

DaveTheWave
Posts: 4
Joined: Tue Jan 07, 2020 3:58 am

Re: Update SSL certificate

Post by DaveTheWave »

Yes Win-Acme works painlessly perfectly with a Windows Server, but this seems to only work for its IIS portion on the auto-renewals.

Is there an automated way for ME to see that a cert has been re-updated every 90 days and do its thing?

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Update SSL certificate

Post by Admin »

MailEnable will load the certificate automatically, so you shouldn't need to do anything. Make sure SNI is enabled in the administration program under the SSL settings. The services will not be able to set permissions on the certificate though, so when the new cert is imported you need to make sure that the account the services are running under has access to it.

DaveTheWave
Posts: 4
Joined: Tue Jan 07, 2020 3:58 am

Re: Update SSL certificate

Post by DaveTheWave »

This was all I can find in the ME mmc, and it displays <none>, despite the fact that LetsEncrypt is working, even for the MEWebMail.
20200110-mailenable-localhost_properties-ssl.gif

virmix
Posts: 66
Joined: Tue Nov 10, 2015 12:12 am

Re: Update SSL certificate

Post by virmix »

DaveTheWave wrote:
Fri Jan 10, 2020 4:00 pm
This was all I can find in the ME mmc, and it displays <none>, despite the fact that LetsEncrypt is working, even for the MEWebMail.
20200110-mailenable-localhost_properties-ssl.gif

You must import your cert to the Machine Certificate Store. Using Desktop Remote Server, upload the cert, double-click it and select MACHINE or COMPUTER, do not select USER, and click Next through all the steps.

Maranda
Posts: 27
Joined: Mon Dec 11, 2017 8:10 pm

Re: Update SSL certificate

Post by Maranda »

If you use ACME based/Let's Encrypt certificates, ME will just seek the first certificate with the CN name you specified in the configuration, so just make two PS scripts: one will stop services prior to the certificate renewal, the other will add the appropriate CACLs to the certificate and its private key and then restart ME services.

Prior to certificate renewal/issuance script

Code:

Stop-Service -DisplayName "MailEnable*"

Post certificate renewal/issuance script, replace "yourdomain.com" with your certificate CN

Code:

# Pick the newest matching certificate; the previous one may still be in the store after a renewal
$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Subject -Like "CN=yourdomain.com"} | Sort-Object NotAfter -Descending | Select-Object -First 1;

# Specify the user, the permissions and the permission type
$permission = "IME_SYSTEM","Read,FullControl","Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;

# Location of the machine related keys
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
$keyFullPath = $keyPath + $keyName;

try
{
   # Stop here if no key name was found, otherwise the ACL of the MachineKeys folder itself would be changed
   if (-not $keyName) { throw "No certificate with a CSP private key found for the given CN" }

   # Get the current acl of the private key
   $acl = (Get-Item $keyFullPath).GetAccessControl('Access');
   # Add the new ace to the acl of the private key
   $acl.AddAccessRule($accessRule);

   # Write back the new acl
   Set-Acl -Path $keyFullPath -AclObject $acl;
}
finally
{
   # Start the services again even if the ACL update failed; the error is still reported
   Start-Service -DisplayName "MailEnable*"
}

Best regards,
Marco

Bartk
Posts: 10
Joined: Sun Mar 31, 2019 4:33 pm

Re: Update SSL certificate

Post by Bartk »

Maranda wrote:
Sun Feb 02, 2020 12:25 pm
If you use ACME based/Let's Encrypt certificates, ME will just seek the first certificate with the CN name you specified in the configuration, so just make two PS scripts: one will stop services prior to the certificate renewal, the other will add the appropriate CACLs to the certificate and its private key and then restart ME services.

Prior to certificate renewal/issuance script

Code:


[Long piece with code]

Best regards,
Marco

First of all, you are absolutely awesome!

Also, for people like me who find this page through Google and try to implement it, you might want to check if the user you're assigning the rights to actually exists.

Code:

$permission = "IME_SYSTEM","Read,FullControl","Allow"

I tested the script with just the CN edited; for me it threw the error "Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."" which (freely translated) means the user doesn't exist. After adjusting it, it worked like a charm.
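
Added example, not part of any post in this thread: a variant of the ACL step from the post-renewal script that first checks that the account resolves (the error described above), takes the newest certificate for the CN, handles CNG as well as CSP key storage, and grants Read instead of FullControl. The account name IME_SYSTEM and the CN placeholder come from the posts above; the RSA key type, the CNG key directory and Read being enough for the MailEnable services are assumptions.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1, an elevated session,
# an RSA key, and that Read access is enough for the services (assumption).
$cn      = 'yourdomain.com'   # certificate CN, placeholder as in the post above
$account = 'IME_SYSTEM'       # account name from the post above; adjust to your service account

# 1. Fail early if the account cannot be resolved, before any ACL is touched.
try {
    $sid = [System.Security.Principal.NTAccount]::new($account).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Account '$account' could not be resolved; no ACL was changed. $($_.Exception.Message)"
}

# 2. Take the newest certificate for the CN; the previous one may still be in the store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$cn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$cn." }

# 3. Locate the key file. CNG keys and legacy CSP keys are stored in different directories.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA private key." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $name    = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
}
if (-not (Test-Path -LiteralPath $keyFile -PathType Leaf)) { throw "Key file not found: $keyFile" }

# 4. Grant Read only, using the SID resolved in step 1.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# 5. Show the resulting ACL so the grant can be verified in the renewal log.
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```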

adz
Posts: 18
Joined: Wed Jul 16, 2014 5:20 am

Re: Update SSL certificate

Post by adz »

Do the services have to be stopped/restarted with the PowerShell script if SNI is enabled?
