How to use Letsencrypt SSL certificate to secure imap/pop server?
Question asked by Juan Lai - 8/27/2020 at 12:08 AM
Hello All,

  I already read this KB https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx and found it seems not work if I am using Letsencrypt SSL. The password authentication always failed. 

  And is there any way to auto-renew every 3 months with IIS certificate renewed? 

  Thank you very much.

Juan Lai

4 Replies

Reply to Thread
Neil Harvey Replied

I do it the following way.

I use win-acme (used to be letsencrypt winsimple) which sets a scheduled task to check the certs daily and updated when needed.

Make sure that the certs are saved in the my cache.

Create the following powershell script

# Start Export
Get-ChildItem -Path 'Cert:\localmachine\my' |
Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -imatch "CN=mail.mymail.com"} |
Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p', 'yourpassword',$_.Thumbprint,"c:\smartermail\certs\mail.mymail.com.pfx")}
# End Export

This searches for the correct CN and then exports to a folder of your choice

I then call the following batch file from a scheduled task

# Start of Scheduled Job Batch file
powershell.exe -executionpolicy remotesigned -File "c:\Smartermail\Scripts\ExportCert - mymail.ps1"
# End of Scheduled Job Batch file

Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export.
Karl Jones Replied
This is the easiest way i have found so far, it even deploys and exports the certificates and auto renews
Steve Guluk Replied
@Neil Harvey

"'Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export.""

Isn't there a way to do the assignment automatically as the Let's Encrypt Certs renew every 60 days (with Certify the Web) as they expire every 90 days?

I use the following on an batch file to generate the .pfx file
 (Get-ChildItem -Path cert:\LocalMachine\My |
Where-Object {$_.Subject -like "*mail.sgdesign.net*"|
Sort-Object -Property NotAfter -Descending |
Select-Object -first 1| Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p’,'SomePassword',$_.Thumbprint, "C:\SmarterMail\Certificates\mail.sgdesign.net.pfx")} 

Juan Lai Replied
Hello @steve,

   Thanks for the scripts. But when I ran it, the powershell returned: Test failed: Cannot find the certificate and private key to use for decryption with error code 0x8009200c(l CRYPT_E_NO_DECRYPT_CERT ).  
   But the pfx key was created as well. Does that mean I can use this pfx file directly? or what I should do else?
   Thanks again!!   

Reply to Thread