When using SmarterMail's built-in SSL certificates, several things need to be set up beforehand. First, you need to be running Build 8747 (Dec 13, 2023) or newer.
Build 8747 (Dec 13, 2023)
Added: SNI SSL/TLS support with automatic handling of associated bindings.
Build 9224 (Apr 3, 2025)
Changed: The ACME Challenge URL is now displayed in the Event logs for better troubleshooting.
Build 9378 (Sep 4, 2025)
Fixed: Add a toggle option to enable automated certificates on bindings.
Here you can see the "Server Certificate" dropdown that was added, which will allow you to select a default certificate from the ones stored in SmarterMail's "Certificate Store," whether they were uploaded or generated by SmarterMail.
Other items you will need to have set up:
- Hostnames must be pointed at the SmarterMail server using an A record in DNS.
- Hostnames must be routable, top-level domains (i.e., not local domains, etc.).
- HTTP binding must be present in IIS and configured to land on the SmarterMail web interface.
- Nothing can intercept HTTP requests on any hostname. This includes a Plesk, Certify the Web, or Let's Encrypt installation, or a proxy. If any of these are installed or proxying traffic, they must be removed before using SmarterMail's automatic certificates.
Errors that you may run into
- No SSL/TLS support
- Inaccessible through HTTP
- Domain validation is pending. (An error occurred applying the website binding)
- Certificate was generated but could not be bound to the web interface.
Generic Troubleshooting Steps
Here is a list of things you can try to resolve the issue right away, and if not, you can try some of the options listed below based on the errors you get.
- Make sure that the Certificates log is set to detailed. If not, adjust and save.
- Find the certificate that has the issue, try "Resolve Conflicts" and/or "Renew Now" based on the errors you are seeing.
- Automatic Certificates: Actions (⋮)
  - Resolve Conflicts - SmarterMail will attempt to resolve any conflicts with an automated cert.
  - Renew Now - Forces an out-of-band renewal for the cert.
Wait to see if the above resolves the issue, and check the logs as well.
In IIS (Internet Information Services) you can verify that "Require SSL" is disabled.
- IIS -> Sites -> SmarterMail -> SSL Settings -> "Require SSL" = Disabled

1. No SSL/TLS support
With this set up, the certificate should be generated and bound to the IIS site for routing. This DOES NOT add the certificate to any ports. If you are getting an error that SSL/TLS/StartTLS is not supported, you will need to make sure to bind the certificates to the associated port.
Adding the certificates to your ports:
- Select the certificate that you wish to be your default certificate if the correct one is not found.
- Add this certificate to each of the bindings you wish to secure.


- updated interface with a certificate dropdown

2. Inaccessible through HTTP
If you are seeing the error "Inaccessible through HTTP," you will need to verify that the domain is reachable both from your server and externally.
This error typically indicates that the hostname (e.g., mail.domain.tld) is not resolving correctly during testing. SmarterMail performs an API call before proceeding with certificate generation, so this connectivity must be verified directly from the server.
Test the SmarterMail API from the server
Run the following command from your SmarterMail server:
curl http://mail.domain.tld/api/v1/info/instance-id -v
A successful response should look similar to:
{"instanceId":"865461e038334cf590974bd6351b9bc1","success":true}
Verify external HTTP (port 80) resolution
Check that the FQDN (fully qualified domain name) resolves correctly from an external connection:
In a browser:
http://mail.domain.tld/
Using cURL:
curl mail.domain.tld:80 -ILv
Verify HTTP resolution from the server itself
Perform the same tests locally on the SmarterMail server:
Renew the certificate
If all of the tests above succeed:
- Navigate to the Automatic Certificates tab in SmarterMail.
- Right-click the certificate and select Renew Now.
- Wait approximately one minute, then refresh the interface to confirm the certificate has been successfully generated or renewed.
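The reachability tests above can be scripted so the same check runs identically from the server and from an external machine. This is an added example, not SmarterMail's own code: it assumes Python 3 is available, and it treats anything other than the JSON response shown in this article (a redirect, an HTML page, a different status) as a failed check.

```python
import http.client
import json
import socket
import urllib.error
import urllib.request

INFO_PATH = "/api/v1/info/instance-id"  # endpoint from the article's curl test

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify_response(status, body):
    """Return (ok, reason) for the status and body returned by INFO_PATH."""
    if 300 <= status < 400:
        return False, f"HTTP {status} redirect instead of the expected JSON"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not JSON: another site or proxy answered"
    if not isinstance(data, dict) or data.get("success") is not True:
        return False, "JSON does not report success=true"
    if not data.get("instanceId"):
        return False, "JSON has no instanceId"
    return True, f"SmarterMail instance {data['instanceId']}"

def check_host(hostname, port=80, timeout=10):
    """Resolve hostname, fetch INFO_PATH over plain HTTP, return (ok, reason)."""
    try:
        infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"DNS lookup failed: {exc}"
    addrs = ", ".join(sorted({info[4][0] for info in infos}))
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{hostname}:{port}{INFO_PATH}", timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, ""
    except (OSError, http.client.HTTPException) as exc:
        return False, f"HTTP request failed: {exc}"
    ok, reason = classify_response(status, body)
    return ok, f"{reason} (resolved to {addrs})"

if __name__ == "__main__":
    print(check_host("mail.domain.tld"))  # placeholder hostname from the article
```

Run it once on the SmarterMail server and once from outside the network; differing resolved addresses or differing results between the two runs point at DNS or at something answering HTTP in front of SmarterMail.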
Example found in the "Certificates" log when set to Detailed.
[2025.04.22] 15:12:04.785 ACME: Creating new order for MAIL.DOMAIN.COM in domain DOMAIN.COM
[2025.04.22] 15:12:30.993 ACME: Verification complete for MAIL.DOMAIN.COM in domain DOMAIN.COM. Generating certificate
[2025.04.22] 15:12:33.423 ACME: Attempting to load cert into IIS for hostname: MAIL.DOMAIN.COM [MAIL.DOMAIN.COM], useCentralizedStore: False, IIS Cert Store Location: , HasKeyStoreCert: True
[2025.04.22] 15:12:33.467 ACME: Removing existing binding (*:443:MAIL.DOMAIN.COM) is already bound to MAIL.DOMAIN.COM on port 443; https binding count 1
[2025.04.22] 15:12:33.468 ACME: Attempting to add binding (*:443:MAIL.DOMAIN.COM) for MAIL.DOMAIN.COM on port 443 in IIS using sslFlags: Sni
[2025.04.22] 15:12:33.554 ACME: Certificate for MAIL.DOMAIN.COM [MAIL.DOMAIN.COM] has been bound into IIS using Machine Key storage: key MAIL.DOMAIN.COM [SmarterMail] 4/22/2025 2:14 PM to 7/21/2025 2:14 PM
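To see at a glance where an order stopped, the Detailed log can be reduced to the last stage each hostname reached. This is an added example, not part of SmarterMail: the stage names are labels chosen here, and the patterns assume the message wording shown in the excerpt above.

```python
import re
from datetime import datetime

# The article's own Certificates log excerpt (Detailed level), used as sample input.
SAMPLE = """\
[2025.04.22] 15:12:04.785 ACME: Creating new order for MAIL.DOMAIN.COM in domain DOMAIN.COM
[2025.04.22] 15:12:30.993 ACME: Verification complete for MAIL.DOMAIN.COM in domain DOMAIN.COM. Generating certificate
[2025.04.22] 15:12:33.423 ACME: Attempting to load cert into IIS for hostname: MAIL.DOMAIN.COM [MAIL.DOMAIN.COM], useCentralizedStore: False, IIS Cert Store Location: , HasKeyStoreCert: True
[2025.04.22] 15:12:33.467 ACME: Removing existing binding (*:443:MAIL.DOMAIN.COM) is already bound to MAIL.DOMAIN.COM on port 443; https binding count 1
[2025.04.22] 15:12:33.468 ACME: Attempting to add binding (*:443:MAIL.DOMAIN.COM) for MAIL.DOMAIN.COM on port 443 in IIS using sslFlags: Sni
[2025.04.22] 15:12:33.554 ACME: Certificate for MAIL.DOMAIN.COM [MAIL.DOMAIN.COM] has been bound into IIS using Machine Key storage: key MAIL.DOMAIN.COM [SmarterMail] 4/22/2025 2:14 PM to 7/21/2025 2:14 PM
""".splitlines()

LINE = re.compile(r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}\.\d{3}) ACME: (.*)$")
# Stage names are this example's labels; the patterns follow the excerpt's wording.
STAGES = [
    ("order_created", re.compile(r"Creating new order for (\S+)")),
    ("validated", re.compile(r"Verification complete for (\S+)")),
    ("cert_loading", re.compile(r"Attempting to load cert into IIS for hostname: (\S+)")),
    ("binding_attempt", re.compile(r"Attempting to add binding \([^)]*\) for (\S+) on port")),
    ("bound", re.compile(r"Certificate for (\S+) .*has been bound into IIS")),
]

def acme_progress(lines):
    """Map hostname -> last stage of its most recent order and seconds elapsed."""
    runs = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ACME line in the expected layout
        when = datetime.strptime(f"{m[1]} {m[2]}", "%Y.%m.%d %H:%M:%S.%f")
        for stage, pattern in STAGES:
            hit = pattern.search(m[3])
            if hit:
                host = hit[1].lower()
                if stage == "order_created" or host not in runs:
                    runs[host] = {"start": when}  # a new order resets the run
                runs[host].update(stage=stage, at=when)
                break
    return {h: {"stage": r["stage"], "seconds": (r["at"] - r["start"]).total_seconds()}
            for h, r in runs.items()}

def stalled(lines):
    """Hostnames whose most recent order never reached the 'bound' stage."""
    return sorted(h for h, r in acme_progress(lines).items() if r["stage"] != "bound")

if __name__ == "__main__":
    for host, info in acme_progress(SAMPLE).items():
        print(f"{host}: {info['stage']} after {info['seconds']:.3f}s")
```

A hostname that stops before `validated` is a candidate for the HTTP reachability checks in section 2; one that is `validated` but never `bound` is a candidate for the binding issues in sections 3 and 4.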
3. Domain validation is pending. (An error occurred applying the website binding.)
MAIL.DOMAIN.TLD
Domain validation is pending.
This may take a few minutes.
An error occurred applying the website binding.
Refer to the administrative log file for more information.
The certificate is being managed by Let's Encrypt.
Domain: DOMAIN.TLD
The best fix for this is generally "Resolve Conflicts." If this does not resolve the issue, you will want to get RDP access (or ask the client for details).
- Does the binding already exist?
  - Try removing and clicking "resolve conflicts"
- Is CCS (Centralized Certificate Store) installed and set up for the binding?
  - Have the client install
  - Try the "resolve conflicts" action
4. Certificate was generated but could not be bound to the web interface.