In the meantime though Sabatino; the Lets Encrypt/Certify system now includes a built-in export functionality (for PFX export) in their post-deployment steps section, so this makes using Certify a little easier if you don't want to automate it completely. 

You can also use a powershell script to export the certificate to a file, and put that file where you would normally keep your Smartermail certificate.  Keep the same certificate file name each time, so you don't have to keep updating it in the SM config.  Run the script periodically with Task Scheduler to automate the process so that SM is always using a current/valid certificate.  

 

I already do this with certify the web and a powershell script

However, it requires a restart of the smartermail service and I don't like this at all.

Besides a direct method would certainly be better

@Sabatino: The powershell/Certify/Lets Encrypt method shouldn't require a restart of the mail service. Does it just not see the updated PFX until you restart?

Yes that was what I meant.

If I need to create a custom ssl for a single domain I have to restart the mail service

Hey guys,

Instead of using the PowerShell method, I found a better method. 

You can just create a deployment task inside of the Certify client itself.

This is way less work and a lot easier. I'm going to update the Let's Encrypt KB next week with this info.   

You shouldn't have to restart the mail service for the new certificate to work. 

Do you think you could open a ticket with us Sabatino so we can look into that further?

Something that I have noticed with the Let's Encrypt script is that sometimes it will export the wrong certificate if you do not have your certificate cleanup setup correctly. 

But anyway this is definitely something that we would like to help you with. 

So please reach out when you can or let me know and I can open the ticket for you. 

Kind Regards, 

Hello Zach

We have exactly the same situation as Sabatino and after generating the certificate and porting it as PFX, we then have to restart the mail server service with a PowerShell script. The restart sometimes takes quite a long time (about 1 minute).

What also bothers me a lot is that we have to enter all customer domains into the same certificate and export it as PFX. Is there no way that we only have to enter the mail server primary domain and it still works for the customers without certificate errors?

Or that each customer has its own certificate for the mail server?

Thanks and greetings

Roger

Hi Roger, 

I'm afraid I don't have an alternative setup to suggest for your certificate setup at this time. However, when we're able to implement SNI support, it'll help alleviate some of the headaches surrounding the certificate setup per domain. 

That said, with the method Zach suggested, you shouldn't have to restart the mail service for the new certificate to work. If you're still having trouble with that setup, please submit a support ticket and we can help you through it.