Autogenerated SSL using LetsEncrypt and Mailenable Issue
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Hi,
If you renew the certificate and a new one is generated in the certificate store MailEnable does not know about this and yes you need to manually select it in the SSL dropdown list and ensure to restart all the MailEnable services.
Regards,
Ian Margarone
MailEnable Support
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Many thanks again.
MailEnable-Ian wrote: ↑Sun Aug 15, 2021 11:38 pm
Hi,
If you renew the certificate and a new one is generated in the certificate store MailEnable does not know about this and yes you need to manually select it in the SSL dropdown list and ensure to restart all the MailEnable services.
That means we just have to manually do it every 3 months.
1. Select the renewed certificate
2. Restart all ME services
- Posts: 113
- Joined: Wed Apr 06, 2005 12:03 am
- Location: California, USA
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Actually, while the certificates are created for 3 months, you're supposed to renew them 30 days early, so you should do it every two months.
poweredge wrote: That means we just have to manually do it every 3 months.
As for copying them to the Personal store, this powershell script will do that for you:
# Password protecting the temporary PFX export (change it, and the export path below)
$mypwd = ConvertTo-SecureString -String 'CHANGEME' -Force -AsPlainText;
# Every certificate in the WebHosting store that has not yet expired
Get-ChildItem -Path cert:\localMachine\WebHosting |
where {($_.NotAfter -gt (GET-DATE))} |
foreach {
$pfxpath="Q:\CHANGEME\$($_.Thumbprint).pfx";
echo "Exporting '$($_.Subject)' to '$pfxpath'";
# Export with private key, then re-import into the Personal (My) store that MailEnable reads
Export-PfxCertificate -cert $_ -Force -FilePath $pfxpath -Password $mypwd;
Import-PfxCertificate -CertStoreLocation cert:\localMachine\My -FilePath $pfxpath -Password $mypwd;
# Don't leave the exported private key lying around on disk
Remove-Item -Path $pfxpath -Force;
}
Permissions might still be a problem, but I'm sure that can be resolved automatically, too.
-Shawn
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Thanks Shawn, Yes, Every 2 months, that's kind of....well...ok, considering 6 times per year
ShawnKHall wrote: ↑Tue Aug 24, 2021 5:02 am
Actually, while the certificates are created for 3 months, you're supposed to renew them 30 days early, so you should do it every two months.
poweredge wrote: That means we just have to manually do it every 3 months.
As for copying them to the Personal store, this powershell script will do that for you:
Be sure to change the password and temporary export path.
$mypwd = ConvertTo-SecureString -String 'CHANGEME' -Force -AsPlainText;
Get-ChildItem -Path cert:\localMachine\WebHosting |
where {($_.NotAfter -gt (GET-DATE))} |
foreach {
$pfxpath="Q:\CHANGEME\$($_.Thumbprint).pfx";
echo "Exporting '$($_.Subject)' to '$pfxpath'";
Export-PfxCertificate -cert $_ -Force -FilePath $pfxpath -Password $mypwd;
Import-PfxCertificate -CertStoreLocation cert:\localMachine\My -FilePath $pfxpath -Password $mypwd;
}
Permissions might still be a problem, but I'm sure that can be resolved automatically, too.

Btw, the original post owner said you can use certifytheweb.com to automatically export the cert to the Personal Store, but I am not sure whether it is capable of setting the permission (IME_SYSTEM).
- Posts: 113
- Joined: Wed Apr 06, 2005 12:03 am
- Location: California, USA
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Permissions should be able to be handled by something like this.
https://stackoverflow.com/questions/40046916/
-Shawn
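The two manual steps the thread keeps coming back to are granting the MailEnable account read access to the renewed private key and restarting all the MailEnable services. The following PowerShell is an added example (not Shawn's script, not from the Stack Overflow link, and not MailEnable's own tooling) that does both for the newest valid certificate in the Personal store; it assumes the account is the IME_SYSTEM user named earlier in the thread, that the services can be matched by display name 'MailEnable*', and that $HostName is a placeholder you replace. Selecting the certificate in the MailEnable admin dropdown is not covered, since the thread says that part is still manual.

```powershell
# Added example, not from this thread or from MailEnable. After an ACME client has
# put a renewed certificate into LocalMachine\My, grant the account the thread
# names (IME_SYSTEM) read access to the new private key and restart the
# MailEnable services. Assumptions: services are matched by display name
# 'MailEnable*'; $HostName is a placeholder for your mail host.
param(
    [string]$HostName   = 'mail.example.com',   # placeholder, change me
    [string]$KeyAccount = 'IME_SYSTEM'          # account named in this thread
)

# 1. Newest still-valid certificate in the Personal store that carries the host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName) } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key found for $HostName" }
Write-Output "Using $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 2. Find the on-disk key container (CNG keys live under Keys\, CAPI keys under RSA\MachineKeys\).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "Cannot locate the private key container for $($cert.Thumbprint) (non-RSA key?)" }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $keyName not found on disk" }

# 3. Grant the service account Read on the key file only (no Modify, no FullControl).
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($KeyAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
Write-Output "Granted $KeyAccount read access to $($keyFile.FullName)"

# 4. Restart every running MailEnable service so it reloads the certificate.
Get-Service -DisplayName 'MailEnable*' |
    Where-Object { $_.Status -eq 'Running' } |
    ForEach-Object {
        Write-Output "Restarting $($_.DisplayName)"
        Restart-Service -Name $_.Name -Force
    }
```

Run it elevated from the ACME client's post-renewal hook or a scheduled task; it changes nothing if no matching certificate is found, and the ACL it adds is the minimum the service needs to read the key.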
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
I am struggling with this as well. I do have WIN-ACME getting the certs just perfectly fine, renewing them, deleting the old ones, but every time Mailenable stops working and I first have to manually stop the services, unselect the cert, start, stop, select the new one (which was already selected in the first place) and restart the services.
This can't really be a solution, no? Is there no way that Mailenable can't provide a solution to automatically renew the certs, or integrate with a working solution? I'm quite puzzled that this should be so difficult.
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Hi Ian, any tips or improvement could be added? Thanks
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Is there already a solution to this problem? Once again, I forgot to reselect the certificate in the dropdown and had several customers call me. An automated solution would be really desirable. Or that ME actually uses the new certificate.
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
bump,
We're currently using ssls.com because they are the cheapest for yearly SSL renewals, but we would be happy to switch to Let's Encrypt for automation. With a lot of talk about making 90 days the new norm, I think MailEnable needs to revamp the cert management solution, perhaps just integrate Let's Encrypt right into ME?
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
The lack of certificate renewal support in MailEnable is really annoying. We gave up on trying to find a scripted solution for automatic Let's Encrypt renewal and reverted to a manual procedure for renewing certificates.
For an email system that calls itself "Enterprise ready", I find it a very weak image in 2023 not to allow any automatic certificate updates.
- Posts: 39
- Joined: Mon Feb 22, 2021 8:30 pm
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
We had to come up with a custom solution to use Posh-ACME to manage our SSL certificates. We have MailEnable on a Plesk based server, but Plesk and MailEnable did not handle our Autodiscover needs properly - so a custom solution was needed.
We have a script that adds the DNS entries to our MS-DNS via WinRM/Powershell - runs the acme challenges through Posh-ACME, installs the certificates, and updates the IIS Bindings.
We have a separate script that runs as a Scheduled Task that renews the certs and updates the bindings as needed.
CertifyTheWeb has limitations both in its "scripting" as well as a registration fee if you want to manage more than 5 domains.
The concept takes some time configuring - but has run without a hitch for over 3 years and does not require us to restart ME services ** [EDITED - SEE CAVEAT BELOW ABOUT ME SERVICE RESTART] -- IIS picks up the changes without an issue. The only problem we've had is manually resetting our WinRM SSL certificate so the machines can communicate -- this and initially requesting the first SSL certificate through our scripts was the only manual intervention we needed.
This was running on a server hosting about 150 domains with mail service and autodiscover. We have since had to move our infrastructure to different software entirely.
Last edited by dedicate-it.net on Mon Sep 04, 2023 4:22 am, edited 1 time in total.
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Would you mind sharing that script solution? For all that still use this software...
- Posts: 39
- Joined: Mon Feb 22, 2021 8:30 pm
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
Let me add some commenting to it and remove any "proprietary" configuration from it and I'll make it available on Github --
This is what it does at the moment:
Uses Posh-ACME via the DNS method (whatever plugins Posh-ACME supports - we ran Microsoft DNS servers and a couple domains on Cloudflare).
Sets up the DNS records and authorizes/retrieves the certificates.
Installs them into the certificate store, and adds/replaces the bindings for IIS for webmail and autodiscover.
(note: we ran our own autodiscover server rolled in .NET because we create .mobileconfig profiles that are signed for iDevices because they rarely auto-discover properly).
There is a separate script that processes the renewals as a scheduled task.
Our MailEnable server was never very stable, so the concept of requiring a restart for the new certs to be recognized by ME never showed its face because we had a different scheduled task that restarted ME's services every couple of days.
I'll package it up and get it up on Github, along with some more notes and so forth. Appreciate your patience while I get it together, and don't hesitate to remind me if I don't revisit this topic soon.
Re: Autogenerated SSL using LetsEncrypt and Mailenable Issue
We are using WIN_ACME to automatically renew the Let's Encrypt certificate, but it is an ongoing nightmare. Considering the necessity to grant permissions for the private key and to restart all ME services automatically, I think the only reliable solution would be if the certbot functionality were integrated into MailEnable itself.
Are there any plans to do this?