Let's Encrypt with AutoACME HTTP challenge intercepted by SmarterMail
Problem reported by Leo Furze-Waddock - February 10, 2018 at 11:03 AM
Sorry, this system doesn't allow me to post hyperlinks. Perhaps it doesn't understand what the world wide web is. I've had to add [ADD HTTPS] or [ADD HTTP] for you to replace.
 
AutoACME configuration relies on the Application Request Routing Cache proxy and setting a global URL Rewrite for all server requests to all domains i.e. http://*/.well-known/acme-challenge/*
 
AutoACME configuration: https://github.com/ridercz/AutoACME/wiki/Getting-started-with-AutoAcme#configure-web-site-for-handling-of-acme-challenges
 
This works really well for issuing and renewing Let's Encrypt SSL certificates for most sites, including SmarterTrack by SmarterTools. However, I've had to shut down the SmarterMail IIS site before running AutoACME, then start it again, because SmarterMail does not respect the global URL Rewrite.
 
http://www.mysmartermail.co.uk/.well-known/acme-challenge/.
 
redirects to:
 
https://www.mysmartermail.co.uk/Interface/errors/404.html?aspxerrorpath=/.well-known/acme-challenge/
 
Related post: https://portal.smartertools.com/community/a89271/problem-with-letsencrypt-and-smartermail-16.aspx

12 Replies

Matt Petty Replied
Employee Post
What version are you on? This was something we fixed a while ago in SmarterMail 16 and 15.

Version 16.0.6397 (Jul 7, 2017)

  • Fixed: Let's Encrypt http-01 verification challenges are being improperly intercepted by WebDAV.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Leo Furze-Waddock Replied
SmarterMail Enterprise Version - 16.3.6579
 
I assume the difference is you added support for a real physical file, located in the root, but not a 'global' URL rewrite rule as AutoACME uses. 
 
All web requests are proxied by the IIS Application Request Routing module and if a request matches a Let's Encrypt HTTP challenge pattern, IIS URL Rewrite is used to redirect the request to a central local site which hosts a file dynamically generated by AutoACME.
Matt Petty Replied
Employee Post
In my testing I was using Certify without issue. When I get some time I can try AutoACME.
Scarab Replied
Matt, just to let you know we started having the same problem in the most recent versions of v16 with Letsencrypt-Win-Simple as well, whereas it did work fine as recently as their last renewal in mid-January (checked the date, Jan 19th was the last time it worked).

We only have 10 certs on SM that we do with Letsencrypt so it's not too much of a biggie to manually request them using alternate methods (like DNS) every 60 days, but it would be nice for the automated renewals in IIS to work as intended like they did between July 2017 - Jan 2018.
Jashan Chittesh Replied
Yes, I'm with @Scarab - this issue apparently returned, or a similar one was introduced. We are on SmarterMail Enterprise Version - 16.3.6649, and I use the same configuration for all my domains which includes both regular Websites as well as a SmarterMail Web instance.

To make testing easy, I added a text-file into the folder that I can access via all the sites I have tested. However, when I go through our Webmail site, I get 404.

Before, while I was still on SmarterMail 12, I got an authentication issue. So it may be a different issue now but I believe it's still appropriate to keep this here instead of opening a new thread.
Jashan Chittesh Replied
Any updates on this? I have a fairly large amount of different Web applications on my server, and they all work flawlessly with Let's Encrypt using AutoACME - the only exception is SmarterMail. We're still on 16.3.6649 - but the only change I was able to find in the release notes was the one you posted above, which was already in 16.0.6397.
Matt Petty Replied
Employee Post
Would it be possible for you to try Certify? If so, that can narrow down the issue to a specific Let's Encrypt client. We use Certify for our smartertools.com servers and we have no problems with it. If we do have an issue with AutoACME I can add it to our bugs list.

EDIT: Link, Certify
Jashan Chittesh Replied
I'd rather not install another letsencrypt client that may potentially mess with our set up.

The issue can actually be reproduced even without installing AutoACME: Follow the instructions in Getting started with AutoAcme that are relevant to the URL-Rewriting. So that would be 1.ii, 1.iii, 2.ii, 2.iii.

Then, for a very simple test to confirm that URLRewriting works as intended, simply put a file test.txt into the folder C:\InetPub\wwwroot\AutoACME (in my case, this is D:\inetpub\wwwroot\AutoACME\AutoACME).

Confirm that the URLRewriting is set up correctly by creating an empty, super-simple site on the server, and try to access:


If that works for you, try doing the same with SmarterMail running on "YourTestSiteDomain", and you'll get a 404. This does not happen with any of my ASP.NET, ASP.NET Core and PHP sites, so it's something that SmarterMail does.

One really nice thing about AutoACME is that it immediately puts out the PFX-files which also work really well with SmarterMail. So I don't even have to type the PowerShell script that is included as image on Securing SmarterMail With Let's Encrypt

The only problem is that SmarterMail breaks the URL-Rewriting that is required for AutoACME. Ironically, we have one domain where we only use POP/SMTP/IMAP with SSL, using Let's Encrypt and it works just fine. Only the one domain where we also have the Web-Interface of SmarterMail running gives us trouble because the Web-app breaks the URL-Rewriting.
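The reproduction Jashan describes above (drop a test file in the central AutoACME challenge folder, then request it through each site) can be scripted so that every hostname on the box is probed the same way and the SmarterMail symptom Leo reported (a 3xx to /Interface/errors/404.html, or a bare 404) is reported explicitly. This is an added example, not code from the thread, from AutoACME or from SmarterTools; the hostnames, the token file name and its expected contents are placeholders for your own setup. Redirects are deliberately not followed, because the redirect itself is the evidence that the site's own application answered the request instead of the global URL Rewrite rule.

```powershell
# Added example: probe the ACME http-01 path on each IIS site and say who answered it.
# Assumptions (not from the thread): a file named $Token containing $ExpectedBody has
# been placed in the central AutoACME challenge folder, and $Hosts are your own sites.
param(
    [string[]]$Hosts        = @('www.example.com', 'mail.example.com'),  # placeholders
    [string]  $Token        = 'test.txt',   # file you placed in the AutoACME folder
    [string]  $ExpectedBody = 'ok'          # its contents
)

function Test-AcmeChallengePath {
    param([string]$HostName, [string]$Token, [string]$ExpectedBody)

    $url = "http://$HostName/.well-known/acme-challenge/$Token"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false   # a 3xx is the symptom we want to see, not follow
    $req.Timeout           = 10000
    $req.UserAgent         = 'acme-path-probe/1.0'

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx surface as an exception; the HTTP response is still attached to it
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{
                Host = $HostName; Status = 'n/a'; Location = ''
                Verdict = "UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $body     = ''
    if ($status -eq 200) {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd().Trim()
        $reader.Dispose()
    }
    $resp.Dispose()

    if ($status -eq 200 -and $body -eq $ExpectedBody) {
        $verdict = 'OK: global rewrite rule served the challenge file'
    } elseif ($status -eq 200) {
        $verdict = 'WRONG BODY: something else answered on this path'
    } elseif ($status -ge 300 -and $status -lt 400) {
        # SmarterMail's behaviour from the original post lands here
        $verdict = "INTERCEPTED: site application redirected to $location"
    } elseif ($status -eq 404) {
        $verdict = 'INTERCEPTED: site application returned its own 404'
    } else {
        $verdict = "UNEXPECTED: HTTP $status"
    }

    [pscustomobject]@{ Host = $HostName; Status = $status; Location = $location; Verdict = $verdict }
}

$Hosts |
    ForEach-Object { Test-AcmeChallengePath -HostName $_ -Token $Token -ExpectedBody $ExpectedBody } |
    Format-Table -AutoSize
```

Run it from the IIS server itself (or anywhere that resolves the hostnames to it) before and after any change to the SmarterMail site; a site that shows OK while the SmarterMail host shows INTERCEPTED reproduces the thread's finding without involving any ACME client, and the same probe is a cheap pre-flight check to run before a scheduled renewal.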
echoDreamz Replied
Same here, we use Certify with SM 17 and have no issues with it either.

Christopher

Steven Belsha Replied
Not to be nit-picky Leo, but the system does allow hyperlinks as evidenced by some of the replies to your post.  I'm not sure what is going on on your end, but perhaps your hyperlinks are being pasted as "text" not a true Hyperlink.

Steve
Colin M Replied
I just set up Certify and it works great. I found SmarterTools' blog post after I started setting it up and found the blog post to make it harder than necessary. Certify will let you specify a PowerShell script to execute post-renewal which already gets a PFX file. Here is my post-renewal script:

param($result)

if ($result.IsSuccess) {
   # Apply certificate for RDP
   wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$($result.ManagedItem.CertificateThumbprintHash)"

   # Copy to location for SmarterMail
   Copy-Item $result.ManagedItem.CertificatePath -Destination "C:\ssl\letsencrypt.pfx"
}
The pfx password is empty.

Restarting SmarterMail is not ideal. Does anyone know if it is necessary? Does SmarterMail reload certificates periodically already? I'm not referring to IIS, but rather the SmarterMail ports like IMAP, SSL, etc.

EDIT: Removed auto-restart from post-renewal script.
echoDreamz Replied
SM loads the certificates from file on each connection, there is no need to recycle it.

Christopher
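Whether SmarterMail picks up a renewed PFX without a restart, as stated above, is something you can verify rather than assume: connect to one of its implicit-TLS ports, read the certificate it presents, and compare the thumbprint with the PFX that the post-renewal script dropped on disk. This is an added example, not code from the thread or from SmarterTools; it assumes the PFX path and empty password from Colin's script, the hostname is a placeholder, and the ports are the conventional implicit-TLS IMAP/POP/SMTP ports (STARTTLS ports need a protocol handshake first and are not covered here). The validation callback accepts any certificate on purpose, since the point is to inspect what is served, not to trust it.

```powershell
# Added example: confirm the certificate SmarterMail serves on its TLS ports matches
# the PFX on disk, so a renewal can be verified without restarting the service.
# Assumptions (not from the thread): hostname is a placeholder; PFX path/password
# follow Colin's post-renewal script; ports are implicit-TLS defaults.
param(
    [string]$HostName = 'mail.example.com',            # placeholder
    [int[]] $Ports    = @(993, 995, 465),               # IMAPS, POP3S, SMTPS (implicit TLS)
    [string]$PfxPath  = 'C:\ssl\letsencrypt.pfx',       # from the post-renewal script
    [string]$PfxPassword = ''                           # empty, as stated in the thread
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    # Accept any certificate: we are inspecting the endpoint, not trusting it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)           # SNI uses $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Port       = $Port
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

function Get-PfxThumbprint {
    param([string]$Path, [string]$Password)
    # Loading into an X509Certificate2 object reads the PFX without importing it into a store.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $pfx.Thumbprint
}

$onDisk = Get-PfxThumbprint -Path $PfxPath -Password $PfxPassword
foreach ($port in $Ports) {
    try {
        $served = Get-ServedCertificate -HostName $HostName -Port $port
        $match  = if ($served.Thumbprint -eq $onDisk) { 'MATCHES PFX' } else { 'STALE: differs from PFX' }
        '{0}:{1} serves {2} (expires {3:u}) -> {4}' -f $served.Host, $served.Port, $served.Thumbprint, $served.NotAfter, $match
    } catch {
        '{0}:{1} -> could not read certificate: {2}' -f $HostName, $port, $_.Exception.Message
    }
}
```

Run it once before the renewal and once after the post-renewal script has copied the new PFX into place. If every port reports MATCHES PFX on the second run with no service restart in between, the "loaded on each connection" behaviour holds for your version; a STALE line tells you a restart (or a further configuration step) is still needed for that port.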
