When using SmarterMail's Automated SSL certificates, there may be a time when the webmail interface shows an expired certificate warning. When you go into the SSL Certificates area, all certificates are there and are valid. You don't see any issues when opening eM Client, or Outlook, or even your mobile client. However, webmail shows that expired certificate warning. Why?
In the vast majority of cases, this happens right after an SSL certificate is renewed, and the cause is the Centralized Certificate Store (CCS) on Windows: either it isn't installed, it was never set up, or it is set up but misconfigured. Please note that this only affects the webmail interface on port 443. The other bindings (IMAP, POP, SMTP and so on) are handled by SmarterMail directly, which is why no other protocols are affected.
The Centralized Certificate Store (CCS) was a prerequisite when upgrading to or past "Build 8747 (Dec 13, 2023)" so, ideally, it's already installed. While it is required, we did not force users to use the new SNI and autogeneration of certificates in IIS. Therefore, it may not be set up by default. The steps for setting CCS up are outlined in the following KB article - Automatic SSL Certificates on a New SmarterMail Server - beginning at Step 3.
Once it's set up, you can verify your bindings in IIS by running the following script in an elevated PowerShell session. A file (IIS-Site-Results.txt) will be created on your desktop. Reviewing this file lets you confirm that all of your 443 (HTTPS) bindings are in place and which of them use the CCS.
# WebAdministration provides the IIS: drive; IISAdministration provides Get-IISSite
Import-Module WebAdministration
Import-Module IISAdministration
# The IIS site is named "SmarterMail" on a default install; adjust if yours differs
$i = Get-IISSite -Name SmarterMail
# Keep only the HTTPS bindings (port 443)
$httpsBindings = $i.Bindings | Where-Object { $_.Protocol -eq 'https' }
# Render the bindings as a table; the SslFlags column tells you whether a binding
# uses the CCS (bit 2 set, i.e. a value of 2 or 3) or a statically bound certificate
$formatted = $httpsBindings | Format-Table -AutoSize | Out-String
$formatted | Set-Content -Path "$env:USERPROFILE\Desktop\IIS-Site-Results.txt"
Troubleshooting
In the past, what has resolved this issue (where the correct certificate is not being returned for HTTPS) is verifying that IIS has access to the certificates folder through the Centralized Certificate Store (CCS). The output in the IIS-Site-Results.txt file tells you whether the bindings are set up to pull from the CCS. If they are, reset the CCS connection so that the certificate files can be read again. To do that, you can follow the KB from Microsoft:
Centralized Certificate Store (CCS) and IIS bindings
- Open IIS
- Go to 'Server Name' -> Management -> 'Centralized Certificates'
- On the right, click "Edit Feature Settings" and use the following:
  - Physical path - should match the Certificate Folder Path that's set in SmarterMail under Settings -> SSL Certificates -> Options tab, on the Options card.
  - Username and password to access this path - You can use an existing user that has access to the path, or create a new one.
  - Certificate private key password - this is also set in SmarterMail under Settings -> SSL Certificates -> Options tab, on the Options card. (It can be left blank if the Certificate Password is blank in SmarterMail.)
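The following diagnostic script is an added example, not a script from SmarterTools or from the KB above. It automates the checks behind the Troubleshooting steps: it reads the CCS feature settings that the "Edit Feature Settings" dialog writes, confirms that the configured folder exists and that the CCS account has an explicit Read entry on it, and then walks the site's HTTPS bindings to report which ones actually use the CCS and whether a matching .pfx file (host.pfx, or the wildcard form _.domain.pfx) is present in the folder. It assumes the IIS site is named "SmarterMail" (as in the KB's own script), that the WebAdministration and IISAdministration modules are available (Windows Server 2016 or later), and that Get-WebCentralCertProvider exposes the Enabled, CertStoreLocation and UserName properties. Run it in an elevated PowerShell session.

```powershell
# Added diagnostic example (not SmarterTools' code). Assumptions: IIS site named
# "SmarterMail", WebAdministration + IISAdministration modules installed,
# Get-WebCentralCertProvider returns Enabled / CertStoreLocation / UserName.
param(
    [string]$SiteName = 'SmarterMail'
)

Import-Module WebAdministration
Import-Module IISAdministration

# 1. Read the CCS provider settings written by "Edit Feature Settings".
$ccs       = Get-WebCentralCertProvider
$storePath = $ccs.CertStoreLocation
$ccsUser   = $ccs.UserName
"CCS enabled : $($ccs.Enabled)"
"CCS folder  : $storePath"
"CCS user    : $ccsUser"
if (-not $ccs.Enabled) {
    Write-Warning "CCS provider is disabled; bindings flagged for CCS will serve no certificate."
}

# 2. The folder must exist and the CCS account needs at least Read on it.
#    A renewed .pfx the account cannot read is the usual cause of a stale
#    (expired) certificate being served on 443.
if ([string]::IsNullOrEmpty($storePath) -or -not (Test-Path -LiteralPath $storePath)) {
    Write-Warning "CCS folder '$storePath' is empty or not reachable from this machine."
} else {
    $acl = Get-Acl -LiteralPath $storePath
    $readRules = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$ccsUser" -and
        ($_.FileSystemRights.ToString() -match 'Read|FullControl')
    }
    if (-not $readRules) {
        Write-Warning "No explicit Allow/Read ACE for '$ccsUser' on '$storePath' (rights may still come via a group; verify in the folder's Security tab)."
    }
}

# 3. Walk the HTTPS bindings. SslFlags is a bit field: 1 = SNI, 2 = CCS.
#    A binding without the CCS bit uses a certificate bound in http.sys, which
#    is NOT refreshed when SmarterMail renews the file in the CCS folder.
$site = Get-IISSite -Name $SiteName
foreach ($b in ($site.Bindings | Where-Object { $_.Protocol -eq 'https' })) {
    $flags    = [int]$b.SslFlags
    $usesCcs  = ($flags -band 2) -ne 0
    $hostName = $b.Host
    $status   = if ($usesCcs) { 'CCS' } else { 'static certificate (not CCS)' }
    "Binding $($b.BindingInformation) -> $status"

    if ($usesCcs -and $hostName -and -not [string]::IsNullOrEmpty($storePath)) {
        # CCS looks for <host>.pfx; a wildcard certificate is stored as _.<parent-domain>.pfx
        $parent     = ($hostName -split '\.', 2)[1]
        $candidates = @("$hostName.pfx")
        if ($parent) { $candidates += "_.$parent.pfx" }
        $found = $candidates |
            ForEach-Object { Join-Path $storePath $_ } |
            Where-Object { Test-Path -LiteralPath $_ } |
            Select-Object -First 1
        if ($found) {
            $f = Get-Item -LiteralPath $found
            "    file: $($f.Name) (last written $($f.LastWriteTime))"
        } else {
            Write-Warning "    no .pfx found for '$hostName' in '$storePath' (looked for: $($candidates -join ', '))"
        }
    }
}
```

If a binding is reported as "static certificate (not CCS)", that binding is the one still serving the old certificate: re-bind it in IIS with the "Use Centralized Certificate Store" option (the SslFlags CCS bit) rather than a selected certificate. If the binding does use CCS but the .pfx is missing or its last-written time predates the renewal, the problem is on the SmarterMail side (wrong Certificate Folder Path) or in the account's access to that folder, which is what the "Edit Feature Settings" steps above correct.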