Problem with LetsEncrypt and SmarterMail 16

Question asked by Eddie Seasholtz - 7/5/2017 at 2:59 AM

Answered

I'm trying to setup Let'sEncrypt-win-simple with SmarterMail 16. SmarterMail 16 is using IIS on a Windows Server 2012 R2 server.

So I run the letsencrypt program and it creates the .well-known/acme-challenge folder under the MRS folder like I would expect, and it drops the challenge file in it like it's supposed to. However, the LetsEncrypt server can't read the file.

So I start looking around and I find that every subfolder and file that I create inside the MRS folder for SmarterMail generates a prompts for a login and gives a 401 error if I try to access it via browser. And if I put in a valid Smartermail login when prompted, it accepts the credentials and gives a bad request error.

For the life of me, I have not been able to figure where SmarterMail is intercepting the site in IIS and using Smartermail to authenticate for the folder that Let'sEncrypt creates. If I drop a test file in the ./interface/ folder, the file can be read just fine using the anonymous IIS access.

Anyone have any thoughts on where I'm not looking in the right place to make the letsencrypt challenge file accessible from the outside?

Thanks,

Eddie

16 Replies

Reply to Thread

Matt Petty Replied

7/5/2017 at 7:21 AM

Employee Post

Make sure the new folders are giving then right permissions. I've included a couple links for reference.

https://stackoverflow.com/questions/11162430/401-unauthorized-on-a-directory
Could also try looking at the accepted answer on this post as well.

https://serverfault.com/questions/104585/iis-doesnt-serve-certain-file-extensions

Let me know if these don't work maybe there is something else that can be done.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

kevind Replied

7/5/2017 at 11:18 AM

How about baking Let's Encrypt right into SmarterMail, just like ClamAV, SpamAssassin, etc.? This would make it easier for admins to get it working without all the technical issues.

See more discussion and vote here: https://portal.smartertools.com/community/a88373/ssl-sni.aspx

Alex B Replied

7/5/2017 at 12:43 PM

Marked As Answer

I found that this was related to the SMWebDAVModule

If you disable the module / remove it from web.config then you'll be able to generated that .well-known and finish the challenge.

I decided to write a script that switches between 2 instances on IIS. The script stops an IIS instance of "SmarterMail" and starts the “SMRenewal" instance. Both have the same bindings. It then runs the letsencrypt --renew script that will add the necessary encrypted files that can then be queried over port 80 from letsencrypts server. After authenticating the files, the instance "SMRenewal" is stopped and "SmarterMail" is started again. It does take down the mail server but only for about 30 seconds.

Hope this helps.

echoDreamz Replied

7/5/2017 at 9:30 PM

Wish their was a better solution. Taking our SM down for 30 seconds will cause about ~1000 tickets, 100 live chats and and just as many calls...

Ronald Carter Replied

7/6/2017 at 4:23 AM

This worked perfectly for me thanks

Matt Petty Replied

7/6/2017 at 7:33 AM

Employee Post

Hello, I will add an exception into our WebDAV handler to allow that URL to pass through it. This will atleast allow the use of LetsEncrypt without having to affect server uptime and can be performed while its running.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Matt Petty Replied

7/6/2017 at 7:44 AM

Employee Post

This exception has been added to SmarterMail 16 now, I will also migrate this to SmarterMail 15. You should see these in place next update.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Matt Petty Replied

7/6/2017 at 7:54 AM

Employee Post

[FIXED] LetsEncrypt http-01 verification challenges will no longer be intercepted by WebDAV. Certs Ahoy!

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Eddie Seasholtz Replied

7/6/2017 at 9:15 AM

Alex, I wanted to come back and say THANK YOU! That was right on point and was exactly the info I needed to get let's encrypt working. It was definitely the SMWebDAVModule that was intercepting it. I REALLY appreciate it! Thank you again!

echoDreamz Replied

7/6/2017 at 9:50 AM

Has anyone tested if the Let's Encrypt certs would work for IMAP, POP, SMTP and the likes?

Matt Petty Replied

7/6/2017 at 9:55 AM

Employee Post

They should, aren't they just standard certificates? I have not tested it. I've done Let's Encrypt stuff on my other personal projects and had no issues with it. But they were not protocol related. I'm sure Alex can let us know if he has any issues. We also haven't gotten any tickets or reported problems and I've talked to Von and I don't think he mentioned any issues as well.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

echoDreamz Replied

7/6/2017 at 10:08 AM

I figured they would, I just did not know if Let's Encrypt had some "These are for securing websites only" type clause.

Cuinn Wylie Replied

7/6/2017 at 2:57 PM

Matt,

Normally I just read the forums. I really wanted to say thanks for this change though. You just made my life easier.

I've been changing the IIS site path and running the LetsEncrypt process, then switching back so far. This will be a huge improvement.

Regards.

Alex B Replied

7/20/2017 at 2:00 PM

I don't come to the forums often but I'm glad I did on that day. Glad I could help!

Vivio Technologies Replied

2/2/2022 at 12:36 PM

Did the exception get removed from the "SMWebDAVModule" module in the more recent versions of Smartermail? I have a server on Build 7957 (Oct 14, 2021) and I am getting the exact same behavior that started this post.

Ryan Smith Replied

2/8/2022 at 2:44 PM

Echoing what Vivio Technologies has said. I am getting an error now as well. On build 8025.

Back to Community Threads

Please leave this box unchecked

16 Replies

Reply to Thread

Tags

Related Knowledge Base Articles