
Hmailserver Ssl Certificate Openssl



Let's Encrypt provides free TLS certificates that hMailServer can use. They are only valid for 90 days, though, and the scripted validation is the part that is hard to set up: most of the available client scripts validate with an HTTP-01 challenge served by a web server, which a mail server does not have. The setup below uses the DNS-01 challenge instead, so it requests and installs a certificate for hMailServer without a separate web server, and it renews the certificate every 85 days.

Requirements:

  1. hMailServer needs to be installed on Windows 10 with a working WSL (Windows Subsystem for Linux). If you need help enabling WSL, see the instructions for setting up Windows 10 Bash. On this page, Windows 10 Bash is called Bash.
  2. Your domain's DNS needs to be hosted at Cloudflare, because the DNS-01 challenge is answered by creating a TXT record through the Cloudflare API. You can use another DNS provider if it is supported by a dehydrated hook, but you will need to modify the scripts on this page to install and call that hook.
  3. The scripts assume that hMailServer is installed in c:\Program Files (x86)\hMailServer. If it is installed somewhere else, change the path in the batch file.


Prerequisites:

In Windows 10 bash, install the required packages:
sudo apt-get install openssl curl sed grep mktemp git build-essential
sudo apt-get install python-dev curl libffi-dev libssl-dev python-pip

* You may also need the following (to be verified):
sudo apt-get install python-setuptools
sudo easy_install pip

NOTE: The Cloudflare hook is installed here with its Python 2 requirements file; the distribution's Python 3 (python3, pip3) is not what these steps use.
Decide on your workspace folder and create it in Windows Explorer. A folder without any spaces in its entire path is recommended (I have not tested names with spaces). The folder needs to be accessible to non-admins, since at the time of writing Windows 10 Bash has problems accessing restricted folders. For example, use something like c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt (change myUserName to your username). This page calls it your script folder.

One-time initial setup

Go to the script folder that you created, then:
1. In Bash, get the dehydrated script and the related Cloudflare hook by running the following. (If you are using a supported DNS service hook other than Cloudflare, you will need to change how the hook and its dependencies are installed):
git clone https://github.com/lukas2511/dehydrated
cd dehydrated
mkdir hooks
git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook hooks/cloudflare
sudo pip install -r hooks/cloudflare/requirements-python-2.txt
cd ..


2. In Bash, create an executable script named hmailCert.sh as follows:
a. In Bash run:
cat > ./hmailCert.sh
b. Then paste the following (mouse right click if you have enabled Quick Edit), press Enter, and press Ctrl+D to close the file. NOTE: You will need to change CF_EMAIL, CF_KEY and HMAILSERVER_DOMAIN to your Cloudflare account login email, your Cloudflare API key, and your MX domain name. The MX domain name is the host name you are getting the certificate for, i.e. the name your hMailServer is reached at and will present in its certificate. (If you are using a supported DNS service hook other than Cloudflare, change the script to call that hook instead of Cloudflare's.)

#!/bin/bash
# Request or renew the certificate with dehydrated (DNS-01 challenge answered
# through the Cloudflare hook) and copy the results next to this script under
# stable names that hmailCert.bat expects. Run from the script folder.
set -euo pipefail
export CF_EMAIL='yourCloudflareEmail@somedomain.com'
export CF_KEY='yourCloudflareAPIKey'
export HMAILSERVER_DOMAIN='yourMXDomainNameLike_mail.mydomain.com'
# dehydrated is not on the PATH: call it from its clone. The hook path is
# relative to the current directory. Recent dehydrated versions need a one-time
# './dehydrated/dehydrated --register --accept-terms' before the first request.
./dehydrated/dehydrated -c -d "$HMAILSERVER_DOMAIN" -t dns-01 -k ./dehydrated/hooks/cloudflare/hook.py
cp "dehydrated/certs/$HMAILSERVER_DOMAIN/privkey.pem"   "$HMAILSERVER_DOMAIN.letsencrypt.key"
cp "dehydrated/certs/$HMAILSERVER_DOMAIN/fullchain.pem" "$HMAILSERVER_DOMAIN.letsencrypt.crt"



c. Make the script executable. Because it contains your Cloudflare API key in clear text, keep it readable by its owner only rather than world-readable:
chmod 700 ./hmailCert.sh

3. In Windows, go to your script folder and create a batch file named hmailCert.bat with the following content. NOTE: change the second line to the path of your script folder. In cmd, the value of a set command is taken literally and paths with spaces need double quotes, so do not put single quotes around the domain or the hMailServer path.

set HMAILSERVER_DOMAIN=yourMXDomainNameLike_mail.mydomain.com
cd /d c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt
bash -c "./hmailCert.sh" || exit /b 1
copy /y %HMAILSERVER_DOMAIN%.letsencrypt.key "c:\Program Files (x86)\hMailServer"
copy /y %HMAILSERVER_DOMAIN%.letsencrypt.crt "c:\Program Files (x86)\hMailServer"
net stop hMailServer
net start hMailServer

4. In Windows, run everything for the first time to see whether it works or there are any issues. Open a Command Prompt (CMD) as Administrator (right click Command Prompt in the Windows 10 start menu and click Run as administrator), go to your script folder
cd c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt
and run the batch file:
hmailCert.bat

If no errors, you should have a new .key and a .crt file in your hMailServer folder.

5. Install the server certificate for the domain that hMailServer manages in the hMailServer Administrator GUI:
  1. Add the server's certificate (.crt, which is the full chain: leaf plus intermediates) and the server's private key (.key) under Settings > Advanced > SSL Certificates.
  2. Set SMTP/POP3/IMAP to use that SSL certificate:
    • Settings > Advanced > TCP/IP Ports:
      • SMTP: set Connection security to STARTTLS (Optional), then pick the SSL certificate.
      • POP3/IMAP: set Connection security to STARTTLS (Required), then pick the SSL certificate.
6. Load the initial certificates by restarting hMailServer. You can do this in CMD (Run as Administrator) by the following two commands:
net stop hMailServer
net start hMailServer
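Before trusting the renewal, it is worth checking two things the steps above do not: that the .key and .crt files written to the hMailServer folder belong together, cover your MX host name and are not about to expire (after step 4), and that the running service actually presents that certificate (after step 6). The following Bash functions, an added example that is not part of the original scripts, do both with openssl from WSL. They assume the file names hmailCert.sh produces (<domain>.letsencrypt.key and .crt), a hypothetical host name mail.example.test for illustration, and that openssl is on the PATH; the live check needs network access to your server.

```bash
#!/usr/bin/env bash
# Post-run checks for the hMailServer certificate files and the live service.
# Added example for this page; not part of the original scripts.

# 0 if the private key's public half equals the public key in the leaf cert.
cert_key_match() {
    local key="$1" crt="$2" kpub cpub
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if the leaf certificate will still be valid DAYS days from now.
cert_valid_for_days() {
    local crt="$1" days="$2"
    openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 if the leaf's subject/SAN covers HOST (the name mail clients connect to).
cert_covers_host() {
    local crt="$1" host="$2"
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'
}

# 0 if the first cert in CRT chains up to a cert in CAFILE. `openssl verify`
# only checks the first certificate in a file, so the same fullchain file is
# passed again as -untrusted to supply the intermediates.
chain_verifies() {
    local crt="$1" cafile="$2"
    openssl verify -CAfile "$cafile" -untrusted "$crt" "$crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of the leaf in a PEM file.
file_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf a live server presents. PROTO is "smtp" or
# "imap" for STARTTLS ports (25/587, 143) and empty for implicit-TLS ports
# (465, 993). Compare with file_cert_fingerprint to confirm the restart took.
served_cert_fingerprint() {
    local host="$1" port="$2" proto="${3:-}"
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" -starttls "$proto" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Run the file checks for DOMAIN in DIR; returns the number of failed checks.
check_hmail_pair() {
    local domain="$1" dir="${2:-.}" fails=0
    local key="$dir/$domain.letsencrypt.key" crt="$dir/$domain.letsencrypt.crt"
    cert_key_match "$key" "$crt"      || { echo "FAIL: $key does not match $crt"; fails=$((fails + 1)); }
    cert_covers_host "$crt" "$domain" || { echo "FAIL: $crt does not cover $domain"; fails=$((fails + 1)); }
    cert_valid_for_days "$crt" 5      || { echo "FAIL: $crt expires within 5 days"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $crt matches $key, covers $domain, valid for more than 5 days"
    return "$fails"
}

# Usage: ./checkcert.sh mail.example.test "/mnt/c/Program Files (x86)/hMailServer"
if [ "$#" -ge 1 ]; then
    check_hmail_pair "$@"
fi
```

After step 6, `served_cert_fingerprint mail.example.test 587 smtp` and `served_cert_fingerprint mail.example.test 993` should both print the same value as `file_cert_fingerprint` on the .crt file; if they do not, hMailServer is still serving the old certificate. For the chain check against the system trust store use `chain_verifies "$crt" /etc/ssl/certs/ca-certificates.crt`.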

Automate Certificate Renewals

1. Go to Windows Task Scheduler and create a new task that runs hmailCert.bat with the following settings:
  • General tab:
    • Run whether user is logged on or not (when you click OK at the end, it asks for Windows credentials; use an Administrator account, since the batch file writes to Program Files and restarts the service)
    • Run with highest privileges
    • Configure for: Windows 10
  • Trigger
    • Daily, at a time of your choosing, recurring every 85 days, Enabled. Note that 85 days leaves only five days to notice and fix a failed renewal before the 90-day certificate expires; Let's Encrypt recommends renewing after 60 days, so a shorter interval is the safer choice.
  • Action
    • Start a program
    • Program/script (update with your script folder): c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt\hmailCert.bat
    • Start in: c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt
  • Conditions
    • Start the task only if the computer is idle for: 10 minutes (on a machine that is never idle this postpones the renewal; clear it if that applies)
  • Settings
    • Allow task to be run on demand
    • Run task as soon as possible after a scheduled start is missed
    • Stop the task if it runs longer than 8 hours
    • If the running task does not end when requested, force it to stop



