Update SSL certificate
Hi,
I want to use LetsEncrypt to generate the SSL certificate used in MailEnable. All works, but I'm not sure how to assign the certificate programmatically to the ME server. The only place I could find related to this is a registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Security\Default SSL Certificate).
Is there anything else I would have to do except setting this key to the certificate's CN?
John
Re: Update SSL certificate
Hello,
Apart from changing the certificate, one has to restart all services using the certificate (POP, SMTP and IMAP), right?
Is there a specific way for this, or do I just "net stop ... / net start ..."?
John
Re: Update SSL certificate
Did you find a working solution? I too am interested in using letsencrypt.
Herman
Re: Update SSL certificate
No, I could not find a reliable way to set the SSL cert in ME. Doing it manually every 3 months.

Re: Update SSL certificate
Hi,
Trying to revive this after 2+ years... is there any update on this? Can we programmatically update the SSL cert used by ME?
Re: Update SSL certificate
I would also love an update/documentation on this question.
It would be really nice to be able to use the IIS centralized certificate store; then MailEnable would just find the .pfx cert file in a directory that matches the requested domain name.
I'm using Win-Acme, which actually works very well for IIS websites.
Many Thanks
Re: Update SSL certificate
It's possible to use Let's Encrypt as SSL for MailEnable services.
I've written a script to do it.
It works in an automatic way, using the default Let's Encrypt planned task to renew SSL.
If interested in it, PM me.
Re: Update SSL certificate
Thank you for sharing good knowledge and information; it's very helpful and understandable, as we have been looking for this information for a long time. Regards
3RI Technologies
Re: Update SSL certificate
Yes Win-Acme works painlessly perfectly with a Windows Server, but this seems to only work for its IIS portion on the auto-renewals.
Is there an automated way for ME to see that a cert has been re-updated every 90 days and do its thing?
-
- Site Admin
Re: Update SSL certificate
MailEnable will load the certificate automatically, so you shouldn't need to do anything. Make sure SNI is enabled in the administration program under the SSL settings. The services will not be able to set permissions on the certificate though, so when the new cert is imported you need to make sure that the account the services are running under has access to it.
Re: Update SSL certificate
This was all I can find in the ME mmc, and it displays <none>, despite the fact that LetsEncrypt is working, even for the MEWebMail.
Re: Update SSL certificate
DaveTheWave wrote: ↑Fri Jan 10, 2020 4:00 pm
This was all I can find in the ME mmc, and it displays <none>, despite the fact that LetsEncrypt is working, even for the MEWebMail.

You must import your cert to the Machine Certificate Store. Using Remote Desktop to the server, upload the cert, double-click it and select MACHINE or COMPUTER (do not select USER), then click Next through all the steps.
Re: Update SSL certificate
If you use ACME-based/Let's Encrypt certificates, ME will just look for the first certificate with the CN you specified in the configuration, so just make two PS scripts: one will stop the services prior to the certificate renewal, the other will add the appropriate CACLs to the certificate and its private key and then restart the ME services.
Prior to certificate renewal/issuance script
Code:
Stop-Service -DisplayName "MailEnable*"
Post certificate renewal/issuance script, replace "yourdomain.com" with your certificate CN
Code:
$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Subject -Like "CN=yourdomain.com"};
# Specify the user, the permissions and the permission type
$permission = "IME_SYSTEM","Read,FullControl","Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;
# Location of the machine related keys
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
$keyFullPath = $keyPath + $keyName;
try
{
    # Get the current acl of the private key
    $acl = (Get-Item $keyFullPath).GetAccessControl('Access');
    # Add the new ace to the acl of the private key
    $acl.AddAccessRule($accessRule);
    # Write back the new acl
    Set-Acl -Path $keyFullPath -AclObject $acl;
}
catch
{
    throw $_;
}
Start-Service -DisplayName "MailEnable*"
Best regards,
Marco
Re: Update SSL certificate
Maranda wrote: ↑Sun Feb 02, 2020 12:25 pm
If you use ACME-based/Let's Encrypt certificates, ME will just look for the first certificate with the CN you specified in the configuration, so just make two PS scripts: one will stop the services prior to the certificate renewal, the other will add the appropriate CACLs to the certificate and its private key and then restart the ME services.
Prior to certificate renewal/issuance script
[Long piece with code]
Best regards,
Marco

First of all, you are absolutely awesome!
Also, for people like me who find this page through Google and try to implement it, you might want to check if the user you're assigning the rights to actually exists.
Code:
$permission = "IME_SYSTEM","Read,FullControl","Allow"
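A hardened variant of the post-renewal script discussed above, as an added example that is not code from any poster or from MailEnable: it checks that the account exists (the point raised in the reply above), picks the newest matching certificate, locates the key file for both CNG and legacy CSP storage, and grants Read instead of FullControl. Assumptions: Windows PowerShell 5.1 run elevated, an RSA key, and that Read access is enough for the services to use the key; `yourdomain.com` and `IME_SYSTEM` are the placeholder and account name used in the thread.

```powershell
# Added example: post-renewal hook. Run elevated in Windows PowerShell 5.1.
param(
    [string]$CommonName = 'yourdomain.com',  # placeholder CN, as in the post above
    [string]$Account    = 'IME_SYSTEM'       # account named in the thread; confirm on your host
)
$ErrorActionPreference = 'Stop'

# 1. Fail early if the account does not exist (Translate throws when the name
#    cannot be mapped to a SID), instead of failing later inside the ACL update.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$null = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

# 2. Old and renewed certificates can share a CN: pick the newest with a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CommonName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$CommonName" }

# 3. Find the key file. CNG keys live under Crypto\Keys, legacy CSP keys under
#    Crypto\RSA\MachineKeys, so probe both (RSA keys assumed).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
$keyFile = 'Keys', 'RSA\MachineKeys' |
    ForEach-Object { Join-Path (Join-Path $cryptoRoot $_) $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file for certificate $($cert.Thumbprint) not found" }

# 4. Grant Read only (assumption: the services only need to read the key).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ntAccount, 'Read', 'Allow')
$acl  = (Get-Item -LiteralPath $keyFile -Force).GetAccessControl('Access')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# 5. Restart the mail services, as the script in the thread does.
Restart-Service -DisplayName 'MailEnable*'
"Granted $Account Read on the key of $($cert.Thumbprint), valid until $($cert.NotAfter)"
```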
Re: Update SSL certificate
Do the services have to be stopped/restarted with the PowerShell script if SNI is enabled?