4
How to use Letsencrypt SSL certificate to secure imap/pop server?
Question asked by Juan Lai - 8/27/2020 at 12:08 AM
Unanswered
Hello All,

  I already read this KB https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx and found it seems not to work if I am using Letsencrypt SSL. The password authentication always failed.

  And is there any way to auto-renew every 3 months with IIS certificate renewed? 

  Thank you very much.

rds
Juan Lai

4 Replies

2
Neil Harvey Replied
Hi,

I do it the following way.

I use win-acme (used to be letsencrypt winsimple), which sets a scheduled task to check the certs daily and update them when needed.


Make sure that the certs are saved in the my cache.

Create the following powershell script

# Start Export
Get-ChildItem -Path 'Cert:\localmachine\my' |
Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -imatch "CN=mail.mymail.com"} |
Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p', 'yourpassword',$_.Thumbprint,"c:\smartermail\certs\mail.mymail.com.pfx")}
# End Export

This searches for the correct CN and then exports to a folder of your choice


I then call the following batch file from a scheduled task

REM Start of Scheduled Job Batch file
powershell.exe -executionpolicy remotesigned -File "c:\Smartermail\Scripts\ExportCert - mymail.ps1"
REM End of Scheduled Job Batch file

Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export.
1
Karl Jones Replied
This is the easiest way I have found so far. It even deploys and exports the certificates and auto-renews:
https://certifytheweb.com/
0
Steve Guluk Replied
@Neil Harvey

"Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export."

Isn't there a way to do the assignment automatically as the Let's Encrypt Certs renew every 60 days (with Certify the Web) as they expire every 90 days?

I use the following in a batch file to generate the .pfx file
# Export the newest matching certificate (latest NotAfter) to a PFX file
Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Subject -like "*mail.sgdesign.net*" } |
Sort-Object -Property NotAfter -Descending |
Select-Object -First 1 |
ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', 'SomePassword', $_.Thumbprint, "C:\SmarterMail\Certificates\mail.sgdesign.net.pfx") }


0
Juan Lai Replied
Hello @steve,

   Thanks for the scripts. But when I ran it, the powershell returned: Test failed: Cannot find the certificate and private key to use for decryption with error code 0x8009200c(l CRYPT_E_NO_DECRYPT_CERT ).  
   But the pfx key was created as well. Does that mean I can use this pfx file directly? Or what else should I do?
   Thanks again!!   
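
Added example, not part of any post in this thread: a variant of the export scripts above that keeps the PFX password out of the script text and off the certutil command line, restricts who can read the exported file, and checks that the PFX really contains the renewed certificate. The host name, file paths and the assumption that the mail service runs as SYSTEM are placeholders to adapt; the certificate's private key must be marked exportable.

```powershell
# Added example (not from the thread). Host name and paths are assumed placeholders.
$HostName = 'mail.example.com'
$PfxPath  = 'C:\SmarterMail\Certificates\mail.example.com.pfx'
$PwdFile  = 'C:\SmarterMail\Scripts\pfxpass.dpapi'

# One-time setup, run interactively as the account that runs the scheduled task:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PwdFile
# The stored value is DPAPI-protected: only that account on this machine can decrypt it.
$Password = Get-Content -Path $PwdFile | ConvertTo-SecureString

# Newest currently valid certificate for the host that has a private key.
# The anchored regex avoids matching a longer name that merely contains $HostName.
$now     = Get-Date
$pattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern -and
                   $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key found for $HostName" }

# Nothing to do when the existing PFX already holds this certificate.
if (Test-Path -Path $PfxPath) {
    $current = (Get-PfxData -FilePath $PfxPath -Password $Password).EndEntityCertificates[0]
    if ($current.Thumbprint -eq $cert.Thumbprint) { return }
}

# Export with the SecureString password; this fails if the key is not exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null

# The PFX contains the private key: drop inherited ACLs and allow only
# SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544).
& icacls.exe $PfxPath /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null

# Read the file back and confirm it carries the certificate that was selected.
$exported = (Get-PfxData -FilePath $PfxPath -Password $Password).EndEntityCertificates[0]
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported PFX does not match certificate $($cert.Thumbprint)"
}
Write-Output "Exported $($exported.Subject), valid until $($exported.NotAfter)"
```

The password typed during the one-time setup is the one to enter in the SmarterMail port binding.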
