Problem with LetsEncrypt and SmarterMail 16
Question asked by Eddie Seasholtz - July 5, 2017 at 2:59 AM
Answered
I'm trying to setup Let'sEncrypt-win-simple with SmarterMail 16. SmarterMail 16 is using IIS on a Windows Server 2012 R2 server.
 
So I run the letsencrypt program and it creates the .well-known/acme-challenge folder under the MRS folder like I would expect, and it drops the challenge file in it like it's supposed to. However, the LetsEncrypt server can't read the file.
 
So I start looking around and I find that every subfolder and file that I create inside the MRS folder for SmarterMail generates a prompts for a login and gives a 401 error if I try to access it via browser. And if I put in a valid Smartermail login when prompted, it accepts the credentials and gives a bad request error.
 
For the life of me, I have not been able to figure where SmarterMail is intercepting the site in IIS and using Smartermail to authenticate for the folder that Let'sEncrypt creates.  If I drop a test file in the ./interface/ folder, the file can be read just fine using the anonymous IIS access.
 
Anyone have any thoughts on where I'm not looking in the right place to make the letsencrypt challenge file accessible from the outside?
 
Thanks,
 
Eddie
 

14 Replies

Reply to Thread
0
Matt Petty Replied
Employee Post
Make sure the new folders are giving then right permissions. I've included a couple links for reference.

https://stackoverflow.com/questions/11162430/401-unauthorized-on-a-directory
Could also try looking at the accepted answer on this post as well.
 
Let me know if these don't work maybe there is something else that can be done.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
5
kevind Replied
How about baking Let's Encrypt right into SmarterMail, just like ClamAV, SpamAssassin, etc.?  This would make it easier for admins to get it working without all the technical issues.
 
3
Alex B Replied
Marked As Answer
I found that this was related to the SMWebDAVModule

If you disable the module / remove it from web.config then you'll be able to generated that .well-known and finish the challenge. 

I decided to write a script that switches between 2 instances on IIS. The script stops an IIS instance of "SmarterMail" and starts the “SMRenewal" instance. Both have the same bindings. It then runs the letsencrypt --renew script that will add the necessary encrypted files that can then be queried over port 80 from letsencrypts server. After authenticating the files, the instance "SMRenewal" is stopped and "SmarterMail" is started again.  It does take down the mail server but only for about 30 seconds. 

Hope this helps.
0
echoDreamz Replied
Wish their was a better solution. Taking our SM down for 30 seconds will cause about ~1000 tickets, 100 live chats and and just as many calls...

Christopher

0
Ronald Carter Replied
This worked perfectly for me thanks
2
Matt Petty Replied
Employee Post
Hello, I will add an exception into our WebDAV handler to allow that URL to pass through it. This will atleast allow the use of LetsEncrypt without having to affect server uptime and can be performed while its running.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
This exception has been added to SmarterMail 16 now, I will also migrate this to SmarterMail 15. You should see these in place next update.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
[FIXED] LetsEncrypt http-01 verification challenges will no longer be intercepted by WebDAV. Certs Ahoy!
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Eddie Seasholtz Replied
Alex, I wanted to come back and say THANK YOU! That was right on point and was exactly the info I needed to get let's encrypt working. It was definitely the SMWebDAVModule that was intercepting it. I REALLY appreciate it! Thank you again!
0
echoDreamz Replied
Has anyone tested if the Let's Encrypt certs would work for IMAP, POP, SMTP and the likes?

Christopher

0
Matt Petty Replied
Employee Post
They should, aren't they just standard certificates? I have not tested it. I've done Let's Encrypt stuff on my other personal projects and had no issues with it. But they were not protocol related. I'm sure Alex can let us know if he has any issues. We also haven't gotten any tickets or reported problems and I've talked to Von and I don't think he mentioned any issues as well.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
echoDreamz Replied
I figured they would, I just did not know if Let's Encrypt had some "These are for securing websites only" type clause.

Christopher

0
Cuinn Wylie Replied
Matt,

Normally I just read the forums. I really wanted to say thanks for this change though. You just made my life easier.

I've been changing the IIS site path and running the LetsEncrypt process, then switching back so far. This will be a huge improvement.

Regards.
0
Alex B Replied
I don't come to the forums often but I'm glad I did on that day. Glad I could help!

Reply to Thread