Anyway, back to validation, the (preferred) way LetsEncrypt validates your domain is by writing a file to "webroot/.well-known/acme-challenge/". I suggest you do a test domain using https://sslforfree.com in order to get some experience with the pitfalls of this kind of validation. My failures on this had to do with .htaccess rewriting URLs and stuff like that. LetsEncrypt could not find the file in some cases and could not validate. When I figured out that my virtual host settings or .htaccess settings were messing things up, I was able to fix them and move on. It's a good way to learn and troubleshoot validation and I highly recommend it for first timers. It helped me get over the hump, for sure.
Prerequisites:
1) You must have a working apache installation, preferably on the same machine as hmailserver. It can also be done with IIS, but I know apache.
Steps:
1) Download the latest release of win-acme (new name of win-simple): https://github.com/PKISharp/win-acme/releases
2) Extract it somewhere easy to find. I put it in a folder I created called C:\lews (lews = lets encrypt win simple but you can put it anywhere you want)
3) Your domains MUST be working on apache. If you're like me, you're using virtual hosts because you have multiple domains and multiple websites (and multiple email domains). Here's the big trick to make it easier for multiple domains.
Problem: win-acme will only write validation files to a single location in your web root.
Solution: use aliases so all validation files will be written to a single location, but are accessible from multiple domains.
Here's a virtual host for a domain name I just set up in order to follow and correctly document the steps for this tutorial. (I have already confirmed that this particular ddns provider does work with LetsEncrypt). I suggest testing on a test domain first, which can be a subdomain for a domain you already own.
Code:
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/letsencrypttest.ddnsfree.com"
    ServerName letencrypttest.ddnsfree.com
    Alias /.well-known "C:/xampp/htdocs/.well-known"
</VirtualHost>
Set up all of your virtual hosts with this alias. Don't forget to restart apache after making changes to httpd.conf or your virtual hosts file (in xampp: "C:\xampp\apache\conf\extra\httpd-vhosts.conf").
4) I'm using xampp and the default webroot is located at "C:\xampp\htdocs". Create the folder "C:\xampp\htdocs\.well-known" and then the folder "C:\xampp\htdocs\.well-known\acme-challenge".
Make sure this folder is readable by EVERY DOMAIN in your virtual hosts file. To do this, create a text file in "C:\xampp\htdocs\.well-known\acme-challenge" and use your browser to find it from every single domain you want to get a certificate for:
http://domain1.tld/.well-known/acme-challenge/yourtextfile.txt
http://domain2.tld/.well-known/acme-challenge/yourtextfile.txt
etc. etc.
If your browser cannot find this file EVERY SINGLE TIME, then something is broken with your aliasing and you need to fix that before moving forward.
As I said earlier, many things can break the aliasing, but it's usually due to a misconfigured virtual host, a rewrite rule in your virtual host, or a .htaccess file. In one case, I had a script that made directory browsing "pretty" that broke the aliasing. Instead of pointing to "C:\xampp\htdocs\.well-known\acme-challenge", it was pointing to the domain's webroot like this: "C:\xampp\htdocs\domain1.tld\.well-known\acme-challenge". That's a problem. That's broken aliasing. You will not get your domain validated if aliasing is broken. So make sure to TEST every domain against the url "http://domain1.tld/.well-known/acme-challenge/yourtextfile.txt". When that works for all of your domains, you can move on to the next step.
In my case, my test domain alias and text file url is: http://letencrypttest.ddnsfree.com/.wel ... e/alias.yo and this does work.
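As an added example (not part of the original post, and not part of win-acme or hmailserver), here is a small Python script that does the per-domain alias test above automatically: it requests the same text file through every domain's /.well-known/acme-challenge/ path and reports which domains serve it correctly. The hosts and responses in SAMPLE_RESPONSES are constructed so the checker can be tried offline; against real domains it uses plain HTTP on port 80, exactly as LetsEncrypt does.

```python
import sys
import urllib.request
from urllib.error import HTTPError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def challenge_url(domain, filename):
    """URL Let's Encrypt requests for this domain (plain HTTP on port 80)."""
    return "http://" + domain + CHALLENGE_PREFIX + filename

def http_fetch(url, timeout=10):
    """Real fetch: return (status, body); 404 and similar are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "alias-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""

def check_alias(domains, filename, expected, fetch=http_fetch):
    """Map each domain to None (OK) or a short description of what is wrong."""
    results = {}
    for domain in domains:
        try:
            status, body = fetch(challenge_url(domain, filename))
        except OSError as err:  # DNS failure, refused connection, timeout
            results[domain] = "request failed: %s" % err
            continue
        if status != 200:
            results[domain] = "HTTP %d: alias not applied (check rewrites/.htaccess)" % status
        elif body.strip() != expected:
            results[domain] = "wrong content: another file or a directory listing was served"
        else:
            results[domain] = None
    return results

# Constructed sample responses (not real hosts) so the checker can be tried offline.
SAMPLE_RESPONSES = {
    challenge_url("domain1.tld", "alias.txt"): (200, "alias-ok\n"),
    challenge_url("domain2.tld", "alias.txt"): (404, ""),  # alias shadowed by a rewrite rule
    challenge_url("domain3.tld", "alias.txt"): (200, "<html>index</html>"),  # other webroot
}

def sample_fetch(url):
    return SAMPLE_RESPONSES[url]

if __name__ == "__main__":
    # Usage: python alias_check.py alias.txt alias-ok domain1.tld domain2.tld ...
    for host, problem in check_alias(sys.argv[3:], sys.argv[1], sys.argv[2]).items():
        print(host, "OK" if problem is None else problem)
```

Any domain that does not come back as OK is one whose aliasing is broken, and it will fail validation until the rewrite or .htaccess rule that shadows the alias is fixed.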
5) Run win-acme. Open a command prompt window and cd to the folder containing win-acme.
Code:
C:\Users\user>
C:\Users\user>cd C:\lews
C:\lews>
Code:
C:\lews>letsencrypt
Code:
[INFO] A Simple ACME Client for Windows (WACS)
[INFO] Software version 1910.1.6661.39349 (RELEASE)
[INFO] IIS not detected
[INFO] ACME server https://acme-v01.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/PKISharp/win-acme
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel *all* scheduled renewals
Q: Quit
Please choose from the menu:
Code:
[INFO] Running in Advanced mode
1: Manually input host names
C: Cancel
Which kind of certificate would you like to create?:
Code:
Enter comma-separated list of host names, starting with the primary one:
In my case here, because I'm only running it on one test domain in order to produce this tutorial, I will enter: letencrypttest.ddnsfree.com
Code:
[INFO] Plugin Manual generated target [Manual] [1 binding - letencrypttest.ddnsfree.com]
1: [dns-01] Azure DNS
2: [dns-01] Run external program/script to create and update records
3: [http-01] Save file on local (network) path
4: [http-01] Self-host verification files (recommended)
5: [http-01] Upload verification file to FTP(S) server
6: [http-01] Upload verification file to WebDav path
C: Cancel
How would you like to validate this certificate?:
Code:
Enter a site path (the web root of the host for http authentication):
Note that you enter the actual root and not the path to "/.well-known/acme-challenge". Win-acme is assuming you haven't got this far and will attempt to create these folders if they don't exist. In our case, we already created them in order to test the aliasing. From here win-acme will contact letsencrypt for the validation files, place the validation files in "C:\xampp\htdocs\.well-known\acme-challenge", make sure letsencrypt actually validates by contacting your server via http and finding these files, and finally, after validation, win-acme will delete the files.
Code:
Copy default web.config before validation? (y/n):
Code:
1: Do not run any installation steps
2: Run a custom script
C: Cancel
Which installer should run for the certificate?:
Code:
[INFO] Authorize identifier: letencrypttest.ddnsfree.com
[INFO] Authorizing letencrypttest.ddnsfree.com using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://letencrypttest.ddnsfree.com/.well-known/acme-challenge/EUbFMJJx75G8lH-bzTFwlNYZlUeivdjGizCdm34FGdc
[INFO] Authorization result: valid
[INFO] Requesting certificate letencrypttest.ddnsfree.com 2018/4/1 11:12:22 AM
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[INFO] Installing certificate in the certificate store
[INFO] Adding certificate letencrypttest.ddnsfree.com 2018/4/1 11:12:22 AM to store My
Do you want to replace the existing task? (y/n):
So here I'm choosing NO because I don't want to disturb my existing task. If you're running it for the first time, I assume it asks to create a task. Say yes. OR if you've run it a few times trying to get things right, on the last time (meaning you finally set everything up the way you want), choose yes to replace the existing task.
Code:
[INFO] Adding renewal for letencrypttest.ddnsfree.com
[INFO] Next renewal scheduled at 2018/5/26 15:18:43 PM
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel *all* scheduled renewals
Q: Quit
Please choose from the menu:
6) Integrate your new certificate into hmailserver. Open the hmail admin interface and go to settings > advanced > ssl certificates > add. Use any name for "name". Your certificate is located in the location win-acme reported above.
Code:
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\letencrypttest.ddnsfree.com-chain.pem
C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\letencrypttest.ddnsfree.com-key.pem
Enter the location of these files and hit save.
Next, go to settings > advanced > tcpip ports. For every port that uses a certificate (all of them in my case), choose the type of security and then choose the certificate from the drop-down box. Hmail will notify you that you need to restart hmailserver in order to get the new certificates working. Say OK, or choose no until you have changed/added your new certificate to all of the ports.
That's it. Now when anyone connects, you should not get any certificate errors and no client should have to "accept all certificates".
7) Renewals. Very important. The renewal task is already set up. However once the certificate is renewed, it will be a completely different certificate (with the same name). So you must restart hmailserver in order to load the new certificate. In another thread, Matt posted a useful script that you add to your scheduled task.
Open a text editor and dump the following script into it:
Code:
Option Explicit

' hMailServer administrator password. The password sits in this file in clear,
' so keep the file readable only by the account that runs the scheduled task.
Private Const g_sAdminPassword = "TopSecretPassword"

Dim oApp
Set oApp = CreateObject("hMailServer.Application")

' Give this script permission to access all
' hMailServer settings.
Call oApp.Authenticate("Administrator", g_sAdminPassword)

' Stop hMailServer, give it a few seconds to shut down fully, then start it
' again so the renewed certificate is loaded from disk.
Call oApp.Stop
Wait 5
Call oApp.Start

' Busy-wait for sec seconds. Timer counts seconds since midnight, so the Xor
' term makes the loop exit instead of hanging if the clock wraps past midnight.
Sub Wait(sec)
    Dim t
    t = Timer
    Do While ((Timer - t) < sec) Xor (Timer < t)
    Loop
End Sub
That's it for now. I hope this was useful. I've received lots of very friendly help here so it's nice to be able to contribute something back.