Troubleshooting SmarterMail Automatic SSL Certificates

SmarterMail lets system administrators manage the SSL certificates assigned to the domains it hosts by navigating to Settings -> SSL Certificates.

Certificates can be acquired from any qualified Certifying Authority (e.g., DigiCert) and then manually added to a SmarterMail domain. Certificates that administrators acquire outside of SmarterMail in this way are displayed on the Certificates tab.

Certificates can also be generated automatically by SmarterMail using an included Certifying Authority, such as Let's Encrypt. This is, by far, the simplest way to manage SSL for SmarterMail domains, as everything is handled within SmarterMail. Automated certificates can be found on the Automatic Certificates tab.

In order to use SmarterMail's automatic certificates, a few things need to be understood:
  • Hostnames MUST be pointed at the SmarterMail server using an A record in DNS. If not, the hostname will be inaccessible over the internet, and a certificate cannot be issued.
  • Hostnames must be routable, top-level domains (i.e., not local domains, etc.).
  • An HTTP binding MUST be present in IIS and configured to land on the SmarterMail web interface. This will occur automatically when domains are added to SmarterMail.
  • Nothing can intercept HTTP requests on any hostname. This includes having something like Certify the Web installed, which allows administrators to generate Let's Encrypt SSL certificates outside of SmarterMail, or any other proxy. If Certify the Web is installed, or if any other proxies are being used, they must be removed prior to using SmarterMail's automatic certificates.
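
A preflight check for the prerequisites above, as an added example (not SmarterTools code). The hostname, IP address and resolver are placeholders, and it assumes the SmarterMail site is the IIS site whose physical path ends in \MRS.

```powershell
# Added example: preflight for SmarterMail automatic certificates (not SmarterTools code).
# Run in an elevated Windows PowerShell session on the SmarterMail/IIS server.
param(
    [string]$HostName   = 'mail.example.com',  # placeholder hostname
    [string]$ExpectedIp = '203.0.113.10',      # placeholder: the server's public IPv4 address
    [string]$Resolver   = '1.1.1.1'            # assumption: external resolver, avoids split-horizon answers
)
Import-Module WebAdministration

# 1. The hostname needs an A record that points at this server.
$aRecords = @(Resolve-DnsName -Name $HostName -Type A -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
$dnsOk = $aRecords -contains $ExpectedIp

# 2. Collect every IIS HTTP binding on port 80 that names this hostname.
#    bindingInformation is "ip:port:hostheader"; read from the right so IPv6 addresses survive the split.
$hits = @(foreach ($site in Get-Website) {
    foreach ($b in $site.Bindings.Collection) {
        if ($b.protocol -ne 'http') { continue }
        $parts = $b.bindingInformation -split ':'
        if ($parts[-2] -eq '80' -and $parts[-1] -ieq $HostName) {
            [pscustomobject]@{
                Site = $site.Name
                Path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
            }
        }
    }
})
# Assumption: the SmarterMail site is the one whose physical path ends in \MRS
# (the folder named in the binding-error statuses).
$smSites    = @($hits | Where-Object { $_.Path.TrimEnd('\') -match '\\MRS$' })
$otherSites = @($hits | Where-Object { $_.Path.TrimEnd('\') -notmatch '\\MRS$' })

# 3. Under IIS, port 80 is held by HTTP.sys, which shows up as PID 4 (System).
#    Any other listening process is answering HTTP ahead of SmarterMail.
$foreign = @(Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -ne 4 } |
    ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } | Sort-Object -Unique)

[pscustomobject]@{
    HostName            = $HostName
    ARecords            = $aRecords -join ', '
    PointsAtServer      = $dnsOk
    SmarterMailBinding  = ($smSites.Count -gt 0)
    OtherSitesWithHost  = ($otherSites.Site | Sort-Object -Unique) -join ', '
    NonIisPort80Process = $foreign -join ', '
} | Format-List
```

A passing result has PointsAtServer and SmarterMailBinding set to True and the last two fields empty. Catch-all bindings with a blank host header are not counted, and a proxy running on another machine in front of the server will not appear in the port 80 check.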

Automatic Certificate Status Codes

The status of an automatic certificate varies depending on whether the cert is Active or has issues. SmarterTools makes the status codes as verbose as possible so you know exactly what the issue is. Below are the short and long descriptions (where applicable) that can be seen for each hostname when viewing the Automatic Certificates tab.
  • Active - Certificate was generated and is working properly.
  • Disabled - Certificate was disabled by a system administrator.
  • Certificate was generated but has binding errors - Certificate was generated but could not be bound to the web interface.
  • Certificate has been deactivated - Certificate has been deactivated. Please generate a new one.
  • Certificate has expired - Certificate has expired. Please generate a new one.
  • Domain validation has failed - Domain validation has failed. Please ensure that the hostname is accessible through HTTP from the internet.
  • Inaccessible through HTTP - The hostname for this site is not bound to this SmarterMail instance when navigating to it through HTTP. This is necessary to verify ownership for the certificate.
  • Domain validation is pending - Domain validation is pending. This may take a few minutes.
  • Certificate has been revoked - Certificate has been revoked. Please generate a new one.
  • Generating certificate - Domain validation has completed and your certificate will be generated shortly.
    NOTE: This status may be present if Certify the Web is installed on the server, or if there are any other proxies intercepting the SSL generation process. If this status is shown for an extended period of time (e.g., 30 minutes or more), ensure nothing is intercepting the SSL generation process.
  • Certificate has no private key
  • Invalid Password - Certificate cannot be loaded with password provided
  • Certificate file cannot be loaded
If there are issues binding the cert to IIS, one of the following statuses is displayed:
  • Another site is already bound to the same hostname, so SmarterMail cannot automatically add the binding.
  • Automatic binding is not supported on this server operating system.
  • An error occurred applying the website binding. Refer to the administrative log file for more information.
  • Cannot find the website that is bound to your MRS folder.
  • Cannot find the MRS folder in your installation path.
Finally, if you notice that there are several automatic certificates generated for the same hostname, see this article: Multiple Automatic SSL Certs for the Same Hostname