Changing Port Certs requires restart of SM Service.
Problem reported by J Lee - 7/2/2020 at 8:19 AM
Submitted
Hi Guys

Changing Port Certs requires a restart of SM Service.

I don't remember this being like this. 

FYI do not change your port certificate during normal operation hours.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

8 Replies

1
FrankyBoy Replied
Hello, I experienced the same situation a few days ago with version 7482. Like J Lee's comment, I cannot confirm whether with previous versions we should restart the service or not. For years, we had only one certificate on the main domain and we instructed our customers to use this domain name as the server address.

But lately, with the implementation of MAPI and for ease of activation of accounts in client software using Autodiscover such as Outlook, it is preferable to activate certificates on each of the domains. So we started using a Let's Encrypt SAN certificate and it has worked very well so far. However, I haven't added other domains since the initial installation a few days ago, so I haven't re-exported the certificate, so I don't know whether to restart every time.

On the other hand, if it is the case and that it will be necessary to restart the service following a modification of version of the certificate, that means that each time that we add a domain in our SAN certificate, this will oblige us to make a restart of Smartermail, and this is not desirable, because we will have to do it every night to avoid interrupting the service.

* Note to the Smartertools team: can you confirm that this is the case and that it is completely normal or is it not supposed to be the case?

Thank you Guys!
1
FrankyBoy Replied
Update: Tonight, I added additional domain names to our SAN certificate and overwrote the certificate that was already in production. After validation, I did NOT have to restart Smartermail. The new domain names added are functional and respond on secure ports as expected.

I put forward a hypothesis: maybe, if I had to restart Smartermail the first time, it is because I had switched from a wildcard certificate to a SAN certificate, which in addition was not from the same certification authority? Note: Before doing this test, I also updated from version 7482 to version 7488.

@J Lee : Did you also change the type of certificate (or certification authority) before being forced to restart Smartermail?
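
Added example (not part of any reply in this thread, and not SmarterTools code): one way to confirm from the outside which certificate each secure port is actually serving after a swap, by comparing the served thumbprint with the exported file and listing the SAN entries. The host name, port list and .cer path are placeholders, and only implicit-TLS ports are covered; STARTTLS ports are not handled.

```powershell
# Added example. $MailHost, $Ports and $CertPath are placeholder values (assumptions).
param(
    [string]$MailHost = 'mail.example.com',
    [int[]]$Ports     = @(465, 993, 995),   # implicit-TLS ports only, no STARTTLS
    [string]$CertPath = 'C:\certs\mail.example.com.cer'
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $client.GetStream(), $false, $callback
        try {
            # The host name is sent as SNI, so the result reflects that name's binding.
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# The certificate that was exported and assigned to the ports.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $CertPath

foreach ($port in $Ports) {
    try {
        $served = Get-ServedCertificate -HostName $MailHost -Port $port
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Port     = $port
            Matches  = ($served.Thumbprint -eq $expected.Thumbprint)
            Issuer   = $served.Issuer
            NotAfter = $served.NotAfter
            SAN      = if ($san) { $san.Format($false) } else { '' }
        }
    } catch {
        # A port that stopped listening after the change shows up here.
        [pscustomobject]@{ Port = $port; Matches = $false; Issuer = ''
                           NotAfter = $null; SAN = "ERROR: $($_.Exception.Message)" }
    }
}
```

A port reporting `Matches = False` with the old issuer or expiry date is still serving the previous certificate.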
0
J Lee Replied
Hi Francis

I switched from *. Wild card to *. Wild card, but changed the cert assigned to the port from .cer to .pfx.

Did you export the cert and assign the new cert to each SSL/TLS port?

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

0
Karl Jones Replied
I didn't think the new Smartermail could use .pfx for port certificates, it always failed when I tried.
Just for everyone's info: CertifytheWeb (LetsEncrypt) have an app that you can use to create and deploy the LetsEncrypt certificates, and the newest release version will now deploy those certificates to IIS, Exchange, Apache or just extract and copy the .cer to a folder of your choice, making the whole process of IIS domain and port deployment now automatic.

1
echoDreamz Replied
@Karl, we've used a pfx file for many many many years without issues.
1
Sébastien Riccio Replied
Same, we use pfx certs on SmarterMail without issues
Sébastien Riccio
System & Network Admin

0
J Lee Replied
A further update to this. If you change any binding in IIS, like adding a new IP and SSL cert to a new domain so MAPI will work in Outlook Desktop, this will take all ports on the server down, and you will need to restart Smartermail Service and boot all your users out to get the email server back up.

SmarterMail_7488
IIS Ver 8.5.9600.16384

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

0
echoDreamz Replied
J Lee, I've never experienced this...