Try this tool to see whats going on, I suspect your export of the ssl is incorrect

https://www.checktls.com/TestReceiver 

Hi Jade

Thx for your support.

Here is the output, I guess the problems is "Cannot convert to SSL (reason: SSL wants a read first)". This server does not support SSL, just TLS.

Anything I can do to make this work?

Hey Franz

There may be an answer for you within this thread

https://portal.smartertools.com/community/a1268/tls-issue.aspx 

Hi again,

Yes, I saw this thread before, but as I mentioned in my original post:

    I double checked the LE cert and it says "You have a private key" for the cert.

The certificate is OK, so is the complete chain. AFAIK we do not have a private key for any root CA.

The solution in the mentioned thread was "...turned out the root cert did not include the private key on the server,". What does that mean exactly?

Thank you very much for your kind effort.

Franz

Hi Jade D

I just opened a support ticket at Smartertools.

Thank you for taking time to help me in this matter.

Franz

For future reference, I have seen similar issues like this when multiple copies of the exported certificate end up bound to the Windows Certificate Store. You can check into this by opening certificates.msc and navigating to the Personal section. If this issue is affecting you you'll have multiple copies of your certificate present. I believe this occurs when Windows Certificate Store and the private key get out of sync. I recommend cleaning out the existing certificates and re-requesting a certificate be issued through LetsEncrypt. Once you have that you can export to PFX again and bind this to your ports. Let me know how it goes!

Hi Kyle

That was not the case here at all. It was a brand new server and there was only 1 certificate present. AFAIS it has no impact in which store the certificate is located. I tried it from "Personal" with a new certificate as well to no avail. Changing to PFX resolves everthing.

I use LE certs and their certificates went into the "Web Hosting" store here, which is "WebHosting" (without the space) when referenced from within a powershell script, btw. 

Here is a powershell script that we use for automation and that works like a charm, although the certificate is not located in "My" ("Personal"):

$mypwd = ConvertTo-SecureString -String "mysecretpassword" -Force -AsPlainText
$thumprint = (Get-ChildItem -Path Cert:\LocalMachine\WebHosting | Where-Object {$_.Subject -match "CN=mail.example.com"}).Thumbprint
Get-ChildItem -Path cert:\localMachine\WebHosting\$thumprint | Export-PfxCertificate -FilePath "C:\SmarterMail\Certificates\mail.example.com.pfx" -Password $mypwd

This will export the certificate along with all extentions, the complete chain and the private key (secured by a password) to the location where SM picks it up (port bindung -> certificate location). No problems so far.

Franz

Thanks Franz, glad to hear you got to the bottom of this, and I appreciate you sending along the LE script you've put together. I see where this differs from the one we had documented in our LE blog post, so I'm going to implement this on some of my test systems and see if I no longer run into these issues with lost private keys and duplicates. Thanks again, the follow up is appreciated. Have a great rest of your week.

This absolutely was the solution on my 15.7 install. Thank you!

In latest build (7188), I solved this issue by using the PFX file to install the certificate with key into the default (Personal) store for Local Computer (not Current User). It was already installed in the Web Hosting store, but SmarterMail didn't find it there.

Regarding Let's Encrypt, what is the best way to handle the auto-renewal process? I'm not sure if there's any way to avoid manual steps to update SmarterMail for every renewal. If not, my suggestion would be an option for SmarterMail to automatically use the same certificate that is used on the IIS site.

Brett: You can use a powershell script like the one I posted before to get the certificate in pfx format to the location where Smartermail picks it up. This script can easily be automated with the taskmanager. Have it run once a week and you should be fine.

Good luck,

Franz