Back to Community Threads
How to use Letsencrypt SSL certificate to secure imap/pop server?
Question asked by Juan Lai - 8/27/2020 at 12:08 AM
Unanswered
Hello All,

  I already read this KB https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx and found it seems not work if I am using Letsencrypt SSL. The password authentication always failed. 

  And is there any way to auto-renew every 3 months with IIS certificate renewed? 

  Thank you very much.

rds
Juan Lai
Neil Harvey Replied
8/28/2020 at 5:26 AM
Hi,

I do it the following way.

I use win-acme (used to be letsencrypt winsimple) which sets a scheduled task to check the certs daily and updated when needed.


Make sure that the certs are saved in the my cache.

Create the following powershell script

# Start Export
Get-ChildItem -Path 'Cert:\localmachine\my' |
Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -imatch "CN=mail.mymail.com"} |
Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p', 'yourpassword',$_.Thumbprint,"c:\smartermail\certs\mail.mymail.com.pfx")}
# End Export

This searches for the correct CN and then exports to a folder of your choice


I then call the following batch file from a scheduled task

# Start of Scheduled Job Batch file
powershell.exe -executionpolicy remotesigned -File "c:\Smartermail\Scripts\ExportCert - mymail.ps1"
# End of Scheduled Job Batch file

Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export.
Karl Jones Replied
8/30/2020 at 6:02 PM
This is the easiest way i have found so far, it even deploys and exports the certificates and auto renews
https://certifytheweb.com/
Steve Guluk Replied
10/22/2020 at 5:56 PM
@Neil Harvey

"'Then just assign the pfx file you have saved under the Port binding of SM using the password you set on the export.""

Isn't there a way to do the assignment automatically as the Let's Encrypt Certs renew every 60 days (with Certify the Web) as they expire every 90 days?

I use the following on an batch file to generate the .pfx file
 (Get-ChildItem -Path cert:\LocalMachine\My |
Where-Object {$_.Subject -like "*mail.sgdesign.net*"|
Sort-Object -Property NotAfter -Descending |
Select-Object -first 1| Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p’,'SomePassword',$_.Thumbprint, "C:\SmarterMail\Certificates\mail.sgdesign.net.pfx")} 
Juan Lai Replied
12/22/2020 at 6:07 PM
Hello @steve,

   Thanks for the scripts. But when I ran it, the powershell returned: Test failed: Cannot find the certificate and private key to use for decryption with error code 0x8009200c(l CRYPT_E_NO_DECRYPT_CERT ).  
   But the pfx key was created as well. Does that mean I can use this pfx file directly? or what I should do else?
   Thanks again!!   
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Trouble Connecting Apple Mail Using MAPI/EWSSmarterMail > Troubleshooting