Built-In Lets Encrypt Clarification

Question asked by TJ - 1/24/2024 at 8:59 PM

Unanswered

Hi everyone, perhaps I'm missing something, but the documentation I've found on the new SSL generation is pretty light on info...

So I've set the SSL cert options in SM to use d:\SmarterMail\Certificates\ as the cert folder and I've set a cert password, I've configured the same folder as the Central Certificate location in IIS, created a new local user on the server and granted it full permissions on the d:\SmarterMail\Certificates\ folder and used the same in the Central Certificate config - great.

I see the hostnames under the Automatic Certificates tab and for some I see "Active" and a Renewal/Expiration date - but I don't see any sign of the certs themselves... Nothing in the d:\SmarterMail\Certificates\ folder, nothing listed under the Centralized Certificates in IIS either.

Are the certs/pfx files meant to appear under the defined folder (d:\SmarterMail\Certificates\)? Where is this generation/renewal action logged (I don't see a cert specific log under troubleshooting)? Is there a way to force a regeneration of the cert(s)? There only seems to be Enable, Disable and Retry Validation - no options to set duration/renewal windows etc. like you get with the Win-Acme client.

Also, it seems like you still need to set the port bindings manually like you always had to? So how does SM work out what cert to use other than what's hard coded under the port bindings - did I miss something in the documentation or forums that explains how all of this is meant to work?

I could use a little direction here please...

Thank you in advance! TJ

3 Replies

Reply to Thread

Kyle Kerst Replied

1/25/2024 at 9:32 AM

Employee Post

Hello Tj! I'd be happy to provide some guidance here! First, do your hostnames show as having valid certificates already? They aren't showing any failure messages? Onto your questions:

Are the certs/pfx files meant to appear under the defined folder (d:\SmarterMail\Certificates\)? <-- Yes, once successfully validated and generated you'll find a PFX file matching that hostname in the certificates directory.

Where is this generation/renewal action logged <-- I don't see a cert specific log under troubleshooting)? (These are found in the Administrative log file and you can narrow down the results by searching for ACME.

Is there a way to force a regeneration of the cert(s)? <-- Sort of, you can retry but this simply queues it for revalidation as we have a built-in rate limit to prevent you being throttled or blocked by the ACME/Lets Encrypt services.

Also, it seems like you still need to set the port bindings manually like you always had to? <-- The bindings you set up in Settings>Bindings>Ports to use a specific PFX will serve as your fallback certificate if a better PFX isn't found matching the hostname clients are connecting on.

Kyle Kerst

Lead Internal Network/System Administrator

SmarterTools Inc.

smartertools.com

TJ Replied

1/25/2024 at 7:40 PM

Thanks for the log info - seems like a comma (,) in the Organization name under the Options > Certificate CSR is the Death knell for certs in SM. Once I removed the comma form the name "{company name}, LLC" at least 2 certs immediately appeared - I'll let you know if I see anything more weird!

Thanks, TJ

TJ Replied

1/26/2024 at 9:32 AM

It certainly would help having a "regenerate" option as I have hostnames listed under the "Automatic Certificates" listed as "Active" with expiration dates etc. that do not have a valid cert (nothing in the folder or on the "Certificates" tab).

How can I force the renewal (or manually change the "renews" date so SM can renew it for me again?

Thanks, TJ

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text