Autogenerated SSL using LetsEncrypt and Mailenable Issue

Discussion forum for Enterprise Edition.
naikmanish
Posts: 24
Joined: Tue Aug 01, 2017 9:31 pm

Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by naikmanish »

Greetings,

I have set up Lets Certify automated SSL certificate generation every 30 days for about 10 odd mail domains I have hosted on our mailenable enterprise server.

The Letscertify client automatically renews the SSL perfectly and stores it in the Certificate store appropriately.

However, Mailenable stops working as soon as the second certificate comes in the certificate store. I was at my wits end because the SSL was fine, the expiry was ok. But Mailenable just would go take the new certificate even when I would go to -> Servers-> Localhost -> SSL Properties and select the correct certificate. I even went ahead and deleted the old certificate, selected the new one, Applied the changes and finally, fully exasperated, rebooted the server. Still no Luck!

I finally made it work doing the following :
-> Servers-> Localhost -> SSL Properties
Select SSL Certificate = '(None)'
Press Apply

Then again
Select SSL Certificate = "Select the appropriate Certificate"
Press Apply

And it starts working perfectly fine.

My question to Mailenable is:
Is there a way I can do the above using the command line or PowerShell?

I ask so, that as soon as Let'sCertify generates a new certificate, I can run a command line which will apply an SSL with the None 'Parameter', and then select the correct certificate and Apply again, to make everything work perfectly.

Thank you

Manish Naik

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

The trick is to manually copy the newly generated cert to PERSONAL store, you don't even need to touch ME console SSL part, whatever is in the dropdown manual will be used to serve new SSL/TLS connection.

Try to search Let's Encrypt in this forum or google for keywords

Let's encrypt mailenable Personal store SSL

naikmanish
Posts: 24
Joined: Tue Aug 01, 2017 9:31 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by naikmanish »

Greetings,

Thank you for the quick response.

However, I have configured the script to store the certificate in the personal store itself. So when the tool generates the certificate, it stores in the personal store.

Once that new certificate comes in, the personal store shows two certificates. And if I go to
-> Servers-> Localhost -> SSL Properties

It shows me three items in the dropdown.
(None)
*.mydomain.com
*.mydomain.com

The IIS part works flawlessly, all sites automatically get the new certificate.

But the Mailenable SMTP/IMAP, etc. services stop working as the -> Servers-> Localhost -> SSL Properties has the older certificate selected.

Once I go there and select the new certificate and even reboot the computer, it does not work. It only works in case I select '(None)', press Apply, and then select the new certificate and press Apply again.

Therefore, I was thinking, if there is some PowerShell/Batch/CLI script/command which can do the above automatically.
i.e.
-> Servers-> Localhost -> SSL Properties
Select None - Save
Select the new Certificate - Save
Restart ME

Hope this helps in helping me find a solution.

Thank you

Warm Regards

Manish Naik

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Maybe add the function to delete the old certs in your script...

I just checked, there is only 1 SAN/UCC in my personal store, probably this is the key, if you have multiple ones including the expired one, then ME may not be able to pickup the latest working one. (ie, stick to the old one)

Btw, could you kindly share the script showing how you add the newly generated one to the personal store? I have to manually add it every time. :roll:

Thanks.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Btw, do you know the answer to my post in https://mailenable.com/forum/viewtopic.php?f=7&t=43920

"how to integrate WIN-ACME with Let's Encrypt automation for this situation is another difficult one."

You've mentioned generate 100 certs instead of one, but I wonder if you know the answer to my question of insisting using just 1 SAN 100 domain cert, then how do I proceed? (ie, how to integrate WIN-ACME for 101-200 certificate on the webmail IIS instance?)

The reason I hesitate to generate 100 certs is because I may need to manually add 100 to the personal store and remove the 100 expired certs later, which is very troublesome.

Last edited by poweredge on Wed Jul 14, 2021 1:52 pm, edited 1 time in total.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

naikmanish wrote:
Tue Jul 13, 2021 6:42 am
Greetings,

I have set up Lets Certify automated SSL certificate generation every 30 days for about 10 odd mail domains I have hosted on our mailenable enterprise server.

The Letscertify client automatically renews the SSL perfectly and stores it in the Certificate store appropriately.

However, Mailenable stops working as soon as the second certificate comes in the certificate store. I was at my wits end because the SSL was fine, the expiry was ok. But Mailenable just would go take the new certificate even when I would go to -> Servers-> Localhost -> SSL Properties and select the correct certificate. I even went ahead and deleted the old certificate, selected the new one, Applied the changes and finally, fully exasperated, rebooted the server. Still no Luck!

I finally made it work doing the following :
-> Servers-> Localhost -> SSL Properties
Select SSL Certificate = '(None)'
Press Apply

Then again
Select SSL Certificate = "Select the appropriate Certificate"
Press Apply

And it starts working perfectly fine.

My question to Mailenable is:
Is there a way I can do the above using the command line or PowerShell?

I ask so, that as soon as Let'sCertify generates a new certificate, I can run a command line which will apply an SSL with the None 'Parameter', and then select the correct certificate and Apply again, to make everything work perfectly.

Thank you

Manish Naik

I re-read your post again. I would say that Apply-ReApply working may highly indicate there is a bug in ME, as I've encountered the same thing in the PO property, and it was confirmed by ME's Ian previously. In my case, I have to uncheck a feature, then apply, then check, then re-apply in order for it to work.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Hi Ian, maybe you can look into this particular issue; that Apply-Reapply worked may indicate a bug, thanks.

naikmanish
Posts: 24
Joined: Tue Aug 01, 2017 9:31 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by naikmanish »

Greetings Poweredge,

So sorry for the late response. Apologies. I was swarmed with too much. This work from home thing is going to start taking its toll on all of us!

Ok here goes.

Most of your queries could be solved by using a single tool https://certifytheweb.com/

I have about 18 Websites using SAN.

The above tool is free to use and also has a licensed version. I suppose it's free if you are using maybe less than a 100 sites or something.

The above tool does all of the below

1. Automatically generates a certificate using Lets Encrypt every predefined number of days
2. Configures IIS
3. Puts the certificate in the store
4. Can also run a script automatically after it does all of the above. This is where I was thinking to add the Apply/Reapply script if ME has that option of CLI supporting Apply/ReApply for the SSL part.

Hope this helps you.

Once again apologies for the delay

Thank you

Manish Naik

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Thank you very much for the above information.

Btw, Are you using the paid version? As the free community edition only supports up to 5 SSLs.

"Certify The Web has a free Community Edition which is limited to 5 managed certificates and intended for evaluation only. This limit may vary across updates and is designed to provide a free way for individuals and hobbyists to use the app and for commercial evaluation and testing. You can upgrade to licensed version (which includes access to the support helpdesk email) at https://certifytheweb.com/register - you will then receive a license key."

naikmanish
Posts: 24
Joined: Tue Aug 01, 2017 9:31 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by naikmanish »

Greetings Poweredge,

Glad I could be of help and hope it works for you too.

Yes. I am using the free version. My number of sites on the server is limited to 10-12 sites. And I am using a SAN, so in essence I am only using one managed certificate. So the free thing works for me.

However, I believe you will face the exact same problem as I am, if you are going to use it for mailenable. To make sure that it's not endemic to that one particular server, I deployed it on two additional MailEnable servers, which I implemented using the evaluation version and attaching a domain to them. The problem persists.

So unless, I can have some command-line, CLI, Powershell, script which can do that 'None' and Apply and then reapply the new certificate, I am still in a fix.

In case you use this and end up finding an answer to the above, do let me know please.

Thank you

Manish Naik

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Thanks for your help.

Yes, 5 SSL certificates also includes the scenario of 5 SAN SSL certificates, which can contain up to 500 domains. (ie, each SAN contains 100 domains for LetsEncrypt)

I will see if I can solve the Exact Problem that you have and report back here.

Currently, I am still using the default ACME command line tools instead of installing the software you mentioned, as I always believe adding less can simplify the problems that may arise.

Anyway, I shall get back to you on this for sure.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

naikmanish wrote:
Tue Jul 20, 2021 11:45 am
Greetings Poweredge,

So sorry for the late response. Apologies. I was swarmed with too much. This work from home thing is going to start taking its toll on all of us!

Ok here goes.

Most of your queries could be solved by using a single tool https://certifytheweb.com/

I have about 18 Websites using SAN.

The above tool is free to use and also has a licensed version. I suppose it's free if you are using maybe less than a 100 sites or something.

The above tool does all of the below

1. Automatically generates a certificate using Lets Encrypt every predefined number of days
2. Configures IIS
3. Puts the certificate in the store
4. Can also run a script automatically after it does all of the above. This is where I was thinking to add the Apply/Reapply script if ME has that option of CLI supporting Apply/ReApply for the SSL part.

Hope this helps you.

Once again apologies for the delay

Thank you

Manish Naik

Now I really think that Apply/ReApply Worked is actually a bug in your v10.34 (your version?)

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Reporting back a similar issue that I've encountered today; I think it's related to Let's Encrypt and not so much MailEnable.

About one hour ago, Let's Encrypt win-acme scheduled task automatically renewed the previously installed SAN certificates with success.

This is the email that I've received

Information - Renewing certificate for "[IIS] MailEnable WebMail, (any host)"
Information - Committing 9 "https" binding changes to IIS
Information - Uninstalling certificate from the certificate store
Information - Removing certificate "[IIS] MailEnable WebMail, (any host) @ 2021/6/12 20:14:00" from store "WebHosting"
Information - Next renewal scheduled at "2021/10/1 9:35:35"
Information - Renewal for "[IIS] MailEnable WebMail, (any host)" succeeded

Then I manually Removed the old SAN certificate from Personal Store.

Next manually Copy the new cert from WebHosting to Personal (AHHHH! You will see)

And everything related to TLS is not working (IMAP/SMTP)

Since I configured the TLS/SSL almost 2 months ago, I forgot 50% of the procedures already.

Troubleshooting:
1. Telnet to mail.domain.com 587, and STARTTLS doesn't work, returns with error
454 TLS not available due to temporary reason
Found the answer https://www.mailenable.com/kb/content/article.asp?ID=ME020561

2. Then I realized I forgot to grant IME_SYSTEM full access to the certificate in Personal store.
"Expand the Personal->Certificates branch to list your certificates. Right click the certificate you are going to use and select All Tasks->Manage Private Keys."
https://www.mailenable.com/kb/content/article.asp?ID=ME020479

3. Tried to Click on Manage private keys > "no keys found for certificate" WHAT? , Copied once more, same result
Something must be corrupted.

Now I am stuck and phones from clients are starting to ring, ignore them, pls just let me finish the troubleshooting :lol:

4. So I've decided to do it all over again by re-creating Let's Encrypted SAN cert, first removed the old ones from Personal and WebHosting Store, then following the create ssl instruction of win-acme, done in 10 seconds. Copy the recreated cert from WebHosting to Personal store, Da Da....now Manage private keys DOES give me the option to add IME_SYSTEM!!! BUT WHY??? :roll:

5. Checked again, still doesn't work :oops: , so I've restarted all the ME services, and it's working perfectly again! :P

naikmanish/IAN, do you think it's related to naikmanish's original question as he's also facing the similar Not Working problem after Let's Encrypted renewed the certificate, he's using certifytheweb GUI, and I am using the command line tools win-acme.

Could it be an issue with how Mailenable is handling the newly renewed certificate, or could it be a bug with v10.34 with Let's Encrypt?
Last edited by poweredge on Sat Aug 07, 2021 5:20 pm, edited 2 times in total.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

naikmanish wrote:
Tue Jul 13, 2021 6:42 am
Greetings,

I have set up Lets Certify automated SSL certificate generation every 30 days for about 10 odd mail domains I have hosted on our mailenable enterprise server.

The Letscertify client automatically renews the SSL perfectly and stores it in the Certificate store appropriately.

However, Mailenable stops working as soon as the second certificate comes in the certificate store. I was at my wits end because the SSL was fine, the expiry was ok. But Mailenable just would go take the new certificate even when I would go to -> Servers-> Localhost -> SSL Properties and select the correct certificate. I even went ahead and deleted the old certificate, selected the new one, Applied the changes and finally, fully exasperated, rebooted the server. Still no Luck!

I finally made it work doing the following :
-> Servers-> Localhost -> SSL Properties
Select SSL Certificate = '(None)'
Press Apply

Then again
Select SSL Certificate = "Select the appropriate Certificate"
Press Apply

And it starts working perfectly fine.

On the 3rd look, I just realized that you might not have manually added/enabled the permission for IME_SYSTEM for your renewed SSL cert in Personal Store.

Btw, does the certifytheweb software have the ability to actually set/add/modify the permission for IME_SYSTEM?

1. Automatically generates a certificate using Lets Encrypt every predefined number of days
2. Configures IIS
3. Puts the certificate in the store
4. Can also run a script automatically after it does all of the above. This is where I was thinking to add the Apply/Reapply script if ME has that option of CLI supporting Apply/ReApply for the SSL part.

Finally, since we still need to manually set the permission for the ssl cert in the personal store, it is wise to make a SAN cert that contains 100 domains, instead of 100 individual domain ssl certs. As it's mission impossible to manually add the permission of IME_SYSTEM every time the ssl gets renewed. (or again does certifytheweb add the permission for IME_SYSTEM for you as well)

Hi Ian, Anything to add to this topic please?

Many thanks again.
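
The manual steps described in the posts above (confirm the copied certificate still has its private key, give IME_SYSTEM access under Manage Private Keys, remove the superseded certificate from the Personal store, restart the ME services) written as one post-renewal PowerShell script. This is an added example, not part of any post in this thread and not MailEnable, win-acme or Certify The Web code; the subject pattern, the `Read` right and the `MailEnable*` service display-name filter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed names: $SubjectMatch, $Rights,
# and the 'MailEnable*' service display-name filter.
param(
    [string]$SubjectMatch = '*mydomain.com*',  # placeholder subject used in the thread
    [string]$Account      = 'IME_SYSTEM',      # account the thread grants access to
    [string]$Rights       = 'Read'             # assumption; the thread grants full access
)
$ErrorActionPreference = 'Stop'

# Every matching certificate in the machine Personal store, newest first.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectMatch } |
    Sort-Object NotBefore -Descending)
if ($certs.Count -eq 0) { throw "No certificate matching $SubjectMatch in LocalMachine\My" }
$new = $certs[0]

# A certificate copied without its key is what "no keys found" looks like.
if (-not $new.HasPrivateKey) { throw "Certificate $($new.Thumbprint) has no private key" }

# Resolve the key container name (CNG or legacy CSP), then the key file on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($new)
if ($null -eq $rsa) { throw "Certificate $($new.Thumbprint) does not use an RSA key" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
           "$env:ProgramData\Microsoft\Crypto\Keys\$keyName" |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file for $($new.Thumbprint) not found" }

# Grant the service account access to the private key file.
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# Remove superseded certificates so only one entry remains for this name.
$certs | Select-Object -Skip 1 | ForEach-Object {
    Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"
}

# Restart the mail services so they load the new certificate.
Get-Service -DisplayName 'MailEnable*' | Restart-Service -Force
$new.Thumbprint
```

The script does not perform the '(None)' / Apply toggle in SSL Properties, for which the thread gives no command-line method. Keep `$SubjectMatch` narrow, because every older certificate it matches is removed from the Personal store.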

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Hello Ian, could you kindly look into this issue please?

Seems ME doesn't pick up the renewed SSL automatically somehow in v10.34 (maybe also in v10.35).

Thanks.
