Autogenerated SSL using LetsEncrypt and Mailenable Issue

Discussion forum for Enterprise Edition.
MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by MailEnable-Ian »

Hi,

If you renew the certificate and a new one is generated in the certificate store MailEnable does not know about this and yes you need to manually select it in the SSL dropdown list and ensure to restart all the MailEnable services.
Regards,

Ian Margarone
MailEnable Support

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

MailEnable-Ian wrote:
Sun Aug 15, 2021 11:38 pm
Hi,

If you renew the certificate and a new one is generated in the certificate store MailEnable does not know about this and yes you need to manually select it in the SSL dropdown list and ensure to restart all the MailEnable services.
Many thanks again.

That means we just have to manually do it every 3 months.

1. Select the renewed certificate
2. Restart all ME services

ShawnKHall
Posts: 113
Joined: Wed Apr 06, 2005 12:03 am
Location: California, USA

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by ShawnKHall »

poweredge wrote: That means we just have to manually do it every 3 months.
Actually, while the certificates are created for 3 months, you're supposed to renew them 30 days early, so you should do it every two months.

As for copying them to the Personal store, this PowerShell script will do that for you:

$mypwd = ConvertTo-SecureString -String 'CHANGEME' -Force -AsPlainText;
# Take every unexpired certificate from the Web Hosting store (where the ACME client put it)
Get-ChildItem -Path cert:\localMachine\WebHosting | 
where {($_.NotAfter -gt (GET-DATE))} | 
foreach {
    # Export each one, private key included, to a temporary PFX named after its thumbprint...
    $pfxpath="Q:\CHANGEME\$($_.Thumbprint).pfx";
    echo "Exporting '$($_.Subject)' to '$pfxpath'";
    Export-PfxCertificate -cert $_ -Force -FilePath $pfxpath -Password $mypwd;
    # ...then import it into the Personal (My) store, which is where MailEnable looks
    Import-PfxCertificate -CertStoreLocation cert:\localMachine\My -FilePath $pfxpath -Password $mypwd;
}
Be sure to change the password and temporary export path.

Permissions might still be a problem, but I'm sure that can be resolved automatically, too.
-Shawn

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

ShawnKHall wrote:
Tue Aug 24, 2021 5:02 am
poweredge wrote: That means we just have to manually do it every 3 months.
Actually, while the certificates are created for 3 months, you're supposed to renew them 30 days early, so you should do it every two months.

As for copying them to the Personal store, this powershell script will do that for you:


$mypwd = ConvertTo-SecureString -String 'CHANGEME' -Force -AsPlainText;
Get-ChildItem -Path cert:\localMachine\WebHosting | 
where {($_.NotAfter -gt (GET-DATE))} | 
foreach {
	$pfxpath="Q:\CHANGEME\$($_.Thumbprint).pfx";
	echo "Exporting '$($_.Subject)' to '$pfxpath'";
	Export-PfxCertificate -cert $_ -Force -FilePath $pfxpath -Password $mypwd;
	Import-PfxCertificate -CertStoreLocation cert:\localMachine\My -FilePath $pfxpath -Password $mypwd;
}
Be sure to change the password and temporary export path.

Permissions might still be a problem, but I'm sure that can be resolved automatically, too.
Thanks Shawn. Yes, every 2 months, that's kind of... well... OK, considering it's 6 times per year :lol:

Btw, the original poster said you can use certifytheweb.com to automatically export the cert to the Personal store, but as for setting the permission (IME_SYSTEM), I am not sure whether it's capable of doing that.

ShawnKHall
Posts: 113
Joined: Wed Apr 06, 2005 12:03 am
Location: California, USA

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by ShawnKHall »

Permissions should be able to be handled by something like this.
https://stackoverflow.com/questions/40046916/
-Shawn
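Putting the two remaining manual steps from this thread together (granting the MailEnable account access to the private key, as in the linked Stack Overflow approach, and restarting the ME services), here is an added PowerShell example; it is not code from the thread, from MailEnable or from the linked answer. It assumes the certificate is already in the Personal (My) store with its private key, that the account name and host name are placeholders you replace, and that the ME services' display names start with "MailEnable"; reselecting the certificate in the admin console is not something this script can do for you.

```powershell
# Added example, not from the thread or from MailEnable. Placeholders: $HostName, $ServiceAccount.
param(
    [string]$HostName       = 'mail.example.com',   # placeholder: name on the certificate
    [string]$ServiceAccount = 'IME_SYSTEM'          # placeholder: account named in the thread; verify it is the one ME runs as
)

# 1. Newest unexpired certificate for the host in LocalMachine\My that has a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $HostName with a private key in LocalMachine\My" }

# 2. Locate the key file on disk; CNG and legacy CSP keys report their name and live in different folders
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA private key" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyPath = @(
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName"
) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file for $($cert.Thumbprint) not found" }

# 3. Grant only Read on the key file; AddAccessRule merges, so rerunning after each renewal is safe
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Restart the running MailEnable services so they pick up the certificate (assumes "MailEnable*" display names)
Get-Service -DisplayName 'MailEnable*' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running' |
    Restart-Service -Force

Write-Output "Granted Read on the key of $($cert.Thumbprint) (expires $($cert.NotAfter)) to $ServiceAccount and restarted ME services"
```

Schedule it to run after the ACME client's renewal task; if the admin console still shows the old certificate selected, that step remains manual as Ian describes above.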

Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by Matth »

I am struggling with this as well. I do have WIN-ACME getting the certs just perfectly fine, renewing them, deleting the old ones, but every time Mailenable stops working and I first have to manually stop the services, unselect the cert, start, stop, select the new one (which was already selected in the first place) and restart the services.

This can't really be a solution, no? Is there no way that MailEnable can provide a solution to automatically renew the certs, or integrate with a working solution? I'm quite puzzled that this should be so difficult.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by poweredge »

Hi Ian, any tips or improvement could be added? Thanks

Scotty75
Posts: 4
Joined: Fri Nov 19, 2010 1:41 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by Scotty75 »

Is there already a solution to this problem? Once again, I forgot to reselect the certificate in the dropdown and had several customers call me. An automated solution would be really desirable. Or that ME actually uses the new certificate.

kiamori
Posts: 329
Joined: Wed Nov 04, 2009 1:39 am

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by kiamori »

bump,

we're currently using ssls.com because they are the cheapest for yearly SSL renewals, but we would be happy to switch to Let's Encrypt for automation. With a lot of talk about making 90 days the new norm, I think MailEnable needs to revamp the cert management solution; perhaps just integrate Let's Encrypt right into ME?

geotek
Posts: 6
Joined: Sun Jun 28, 2020 3:17 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by geotek »

The lack of certificate renewal support in MailEnable is really annoying. We gave up on trying to find a scripted solution for automatic Let's Encrypt renewal and reverted to a manual procedure of renewing certificates.

For an email system that calls itself "Enterprise ready", I find it a very weak image in 2023 not to allow any automatic certificate updates.

dedicate-it.net
Posts: 46
Joined: Mon Feb 22, 2021 8:30 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by dedicate-it.net »

We had to come up with a custom solution to use Posh-ACME to manage our SSL certificates. We have MailEnable on a Plesk based server, but Plesk and MailEnable did not handle our Autodiscover needs properly - so a custom solution was needed.

We have a script that adds the DNS entries to our MS-DNS via WinRM/Powershell - runs the acme challenges through Posh-ACME, installs the certificates, and updates the IIS Bindings.

We have a separate script that runs as a Scheduled Task that renews the certs and updates the bindings as needed.

CertifyTheWeb has limitations both in its "scripting" as well as a registration fee if you want to manage more than 5 domains.

The concept takes some time configuring - but has run without a hitch for over 3 years and does not require us to restart ME services ** [EDITED - SEE CAVEAT BELOW ABOUT ME SERVICE RESTART] -- IIS picks up the changes without an issue. The only problem we've had is manually resetting our WinRM SSL certificate so the machines can communicate -- this and initially requesting the first SSL certificate through our scripts was the only manual intervention we needed.

This was running on a server hosting about 150 domains with mail service and autodiscover. We have since had to move our infrastructure to different software entirely.
Last edited by dedicate-it.net on Mon Sep 04, 2023 4:22 am, edited 1 time in total.

Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by Matth »

Would you mind sharing that script solution? For all that still use this software...

dedicate-it.net
Posts: 46
Joined: Mon Feb 22, 2021 8:30 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by dedicate-it.net »

Let me add some commenting to it and remove any "proprietary" configuration from it and I'll make it available on Github --

This is what it does at the moment:
Uses Posh-ACME via the DNS method (whatever plugins Posh-ACME supports - we ran Microsoft DNS servers and a couple domains on Cloudflare).
Sets up the DNS records and authorizes/retrieves the certificates.
Installs them into the certificate store, and adds/replaces the bindings for IIS for webmail and autodiscover.
(note: we ran our own autodiscover server rolled in .NET because we create .mobileconfig profiles that are signed for iDevices because they rarely auto-discover properly).

There is a separate script that processes the renewals as a scheduled task.

Our MailEnable server was never very stable, so the concept of requiring a restart for the new certs to be recognized by ME never showed its face because we had a different scheduled task that restarted ME's services every couple of days.

I'll package it up and get it up on Github, along with some more notes and so forth. Appreciate your patience while I get it together, and don't hesitate to remind me if I don't revisit this topic soon.

geotek
Posts: 6
Joined: Sun Jun 28, 2020 3:17 pm

Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue

Post by geotek »

We are using WIN_ACME to automatically renew the Let's Encrypt certificate, but it is an ongoing nightmare. Considering the necessity to grant permissions for the private key and restart all ME services automatically, I think the only reliable solution would be if the certbot functionality were integrated into MailEnable itself.

Are there any plans to do this?
