Hi,
here are my experiences regarding my Windows 2016 server with Exchange 2016 talking to MC, this way:
Step 1: get PFX with exportable private key from lets encrypt
Step 2: split the PFX into "fullchain.pem" and "privkey.pem"
Step 3: upload them both onto MC
Step 4: change the path to the uploaded certs in 4 templates on MC (1 Apache and 3 Exim)
Step 5: restart MC services to update certs
Step 6: test, troubleshoot, test, troubl...
Important: the encoded certificates don't display correctly anymore in the web-configurator after following this post.
Step 1: Try these tools for receiving your LE-PFX (Let's Encrypt PFX cert with exportable private key): Let's Encrypt Simple Windows Client, or the complete PowerShell way with no 3rd-party tool (German).
Step 2: Use OpenSSL for Windows to extract the 2 PEMs we need; they receive the right format and character set (PS-codelet):
Code:
& C:\tools\openSSL-1.0.2n\openssl.exe pkcs12 -in C:\sys\certs\Cert.pfx -out C:\sys\certs\fullchain.pem -nokeys -passin pass:$sourcePFX_Passphrase
& C:\tools\openSSL-1.0.2n\openssl.exe pkcs12 -in C:\sys\certs\Cert.pfx -nocerts -nodes -out C:\sys\certs\privkey.pem -passin pass:$sourcePFX_Passphrase
Step 3: Upload the certs to MC the automatic way using PuTTY and PSFTP (both downloadable here), or for testing purposes WinSCP (downloadable here).
Store the 2 pems here:
Certificate file path:
/usr/mailcleaner/etc/apache/certs/fullchain.pem <- Certificate and full chain
Certificate key path:
/usr/mailcleaner/etc/apache/certs/privkey.pem <- Contains only the private key
My permissions on the file are 644, automatically given by upload.
Here are the PS-codelets and additional files for the automatic way:
madhopsman wrote:I use the following code to push the certs to mailcleaner:
Code:
# Allows running external commands and easily capturing output and errors
Function Execute-Command ($commandTitle, $commandPath, $commandArguments)
{
    Try {
        $pinfo = New-Object System.Diagnostics.ProcessStartInfo
        $pinfo.FileName = $commandPath
        $pinfo.RedirectStandardError = $true
        $pinfo.RedirectStandardOutput = $true
        $pinfo.UseShellExecute = $false
        $pinfo.Arguments = $commandArguments
        $p = New-Object System.Diagnostics.Process
        $p.StartInfo = $pinfo
        $p.Start() | Out-Null
        # Read both streams before waiting; a child that fills a pipe would otherwise block forever
        $stdout = $p.StandardOutput.ReadToEnd()
        $stderr = $p.StandardError.ReadToEnd()
        $p.WaitForExit()
        # ExitCode is only valid once the process has exited
        [pscustomobject]@{
            commandTitle = $commandTitle
            stdout = $stdout
            stderr = $stderr
            ExitCode = $p.ExitCode
        }
    }
    Catch {
        [pscustomobject]@{
            commandTitle = $commandTitle
            stdout = $error[0]
            stderr = $error[0].exception.message
            ExitCode = 1
        }
    }
}
# 1) upload the two PEM files with psftp, driven by the batch file upload.ini
$cmd = Execute-Command -commandtitle "psftp" -commandpath "c:\LetsEncrypt\psftp.exe" -commandArguments 'root@mailcleaner -pw rootpassword -b C:\LetsEncrypt\upload.ini -bc -batch'
if ($cmd.ExitCode -eq 0) {
    # 2) only if the upload succeeded: restart the MailCleaner services via putty and commands.ini
    $cmd2 = Execute-Command -commandtitle "putty" -commandpath "c:\LetsEncrypt\putty.exe" -commandArguments '"root@mailcleaner" -pw rootpassword -t -m C:\LetsEncrypt\commands.ini'
    if ($cmd2.ExitCode -ne 0) {
        # Unsuccessful. Log the error found in $cmd2.stderr and handle accordingly
    }
}
Else {
    # Unsuccessful. Log the error found in $cmd.stderr and handle accordingly
}
The first Execute-Command runs psftp.exe and gives it a batch command script to upload the new cert files. This file (upload.ini) consists of the following lines:
Code:
lcd C:\sys\certs\
cd /usr/mailcleaner/etc/apache/certs
put fullchain.pem
put privkey.pem
quit
The second Execute-Command runs putty to restart the MailCleaner services. It is also given a batch command file. This file (commands.ini) consists of the following line:
Code:
/usr/mailcleaner/etc/init.d/mailcleaner restart && exit
Step 4: Change the Apache template; the important lines are "SSLCertificateFile" and "SSLCertificateKeyFile". If Apache doesn't start anymore, your certs are wrong:
madhopsman wrote:
/usr/mailcleaner/etc/apache/sites/mailcleaner.conf_template:
Code:
...
SSLCompression off
SSLCACertificatePath __SRCDIR__/etc/apache/certs
SSLCertificateFile __SRCDIR__/etc/apache/certs/fullchain.pem
SSLCertificateKeyFile __SRCDIR__/etc/apache/certs/privkey.pem
__IFSSLCHAIN__ SSLCertificateChainFile __SRCDIR__/etc/apache/certs/certificate-chain.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
RewriteEngine On
...
In the 3 other files, search for the strings "tls_certificate" and "tls_privatekey" to find the lines faster.
madhopsman wrote:
/usr/mailcleaner/etc/exim/exim_stage1.conf_template:
Code:
...
local_interfaces = <; ::0 ; 0.0.0.0
__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem
tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...
/usr/mailcleaner/etc/exim/exim_stage2.conf_template:
Code:
...
smtp_accept_max = 0
__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem
tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...
/usr/mailcleaner/etc/exim/exim_stage4.conf_template:
Code:
...
timeout_frozen_after = 1h
__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem
tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
__ELSE__ USETLS
...
Step 5:
madhopsman wrote: Once you're done, simply run the following command:
Code:
/usr/mailcleaner/etc/init.d/mailcleaner restart
Addition:
I am against using clear passwords in scripts. That's why I'm using the tool "Command Line Encrypt" from this website.
It's probably not the best tool with the best encryption, but at least better than plain-text passwords.
For example, here is my script for exporting the PEMs from the PFX:
Code:
#PARAMETERS
$openssl = "C:\tools\openSSL-1.0.2n\openssl.exe"
$sourcePFX = "C:\sys\certs\Cert.pfx"
$crypter = "C:\tools\Command Line Encrypt\Command Line Encrypt.exe"
$LEpw = "C:\tools\Command Line Encrypt\encryptedLEpwFile"
$sec = "somePresharedSecretForEncryptedLEpwFileToDecrypt"
$tmpfile = "C:\tools\encryptedLEpwFile\tempFileWithDecryptedPassword"
$certfullOutfile = "\\somepath\certs\fullchain.pem"
$privkeyOutfile = "\\somepath\certs\privkey.pem"
# check and execute script only if PFX file exists
if (Test-Path $sourcePFX) {
# Read in PFX-PW
& $crypter -decrypt -infile $LEpw -key $sec -outfile $tmpfile | Out-Null
$sourcePFX_Passphrase = Get-Content $tmpfile
# delete tmpfile
$deletePath = $tmpfile
if (Test-Path $deletePath) {
Remove-Item $deletePath
}
# extract individual certificates from PFX
& $openssl pkcs12 -in $sourcePFX -out $certfullOutfile -nokeys -nodes -passin pass:$sourcePFX_Passphrase
& $openssl pkcs12 -in $sourcePFX -nocerts -nodes -passin pass:$sourcePFX_Passphrase -out $privkeyOutfile
}
Step 6: If Apache is up again, you can test your browser cert the usual way.
For example, to test your Exim cert, you can use a different Linux system this way:
Please don't forget to enable SSL/TLS in Configuration --> SMTP --> TLS/SSL
madhopsman wrote:
Code:
OpenSSL> s_client -connect mymx.my.externaldomain:25 -starttls smtp
The return codelets you need are
and
Alternatively, you can visit CheckTLS.
I hope I have not forgotten a step; could you please check that, madhopsman?
gr33tz
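Added example (PowerShell), not code from the original post or from MailCleaner: one script covering Step 2 and Step 6 above. It extracts the two PEMs without putting the PFX passphrase on the command line (openssl reads it from an environment variable instead of `pass:`), strips the "Bag Attributes" text that `openssl pkcs12` prints around the PEM blocks, orders fullchain.pem with the leaf certificate first, checks before upload that privkey.pem really belongs to that certificate and that it is not about to expire, and after the MailCleaner restart compares the certificate Exim presents via STARTTLS on port 25 with the one that was uploaded. The OpenSSL path, the PFX and output paths, the variable name LE_PFX_PASS and the host name are assumptions.

```powershell
# Added example (PowerShell), not code from the original post or from MailCleaner.
# Assumed: OpenSSL for Windows at $OpenSsl, the LE PFX at $SourcePfx, its passphrase in the
# environment variable LE_PFX_PASS (set for this process only), output paths as below.
$OpenSsl   = "C:\tools\openSSL-1.0.2n\openssl.exe"
$SourcePfx = "C:\sys\certs\Cert.pfx"
$FullChain = "C:\sys\certs\fullchain.pem"
$PrivKey   = "C:\sys\certs\privkey.pem"

function Invoke-OpenSsl {
    # Runs openssl with the given arguments (optionally feeding $Stdin), returns stdout as one
    # LF-joined string and throws on a non-zero exit code.
    param([string[]]$Arguments, [string]$Stdin)
    if ($Stdin) { $out = $Stdin | & $OpenSsl @Arguments } else { $out = & $OpenSsl @Arguments }
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments[0]) failed with exit code $LASTEXITCODE" }
    return (@($out) -join "`n")
}

function Export-PemFromPfx {
    # Writes fullchain.pem (leaf first, then the chain, without the 'Bag Attributes' text that
    # 'openssl pkcs12' prints) and privkey.pem (unencrypted key only) as ASCII with LF line
    # endings. The passphrase reaches openssl via 'env:', so it is not visible in the command line.
    if (-not $env:LE_PFX_PASS)       { throw "set LE_PFX_PASS to the PFX passphrase first" }
    if (-not (Test-Path $SourcePfx)) { throw "PFX not found: $SourcePfx" }

    $pemCert = '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'
    $pemKey  = '(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----'

    $certText = Invoke-OpenSsl @("pkcs12", "-in", $SourcePfx, "-nokeys", "-passin", "env:LE_PFX_PASS")
    $certs = @([regex]::Matches($certText, $pemCert) | ForEach-Object { $_.Value })
    $keyText = Invoke-OpenSsl @("pkcs12", "-in", $SourcePfx, "-nocerts", "-nodes", "-passin", "env:LE_PFX_PASS")
    $key = [regex]::Match($keyText, $pemKey).Value
    if (-not $key) { throw "no private key in the PFX (exported without the private key?)" }

    # A PFX does not guarantee an order, so find the certificate whose public key equals the one
    # derived from the private key and put it first; everything else is the chain.
    $pubFromKey = Invoke-OpenSsl @("pkey", "-pubout") -Stdin $key
    $leaf = @($certs | Where-Object { (Invoke-OpenSsl @("x509", "-noout", "-pubkey") -Stdin $_) -eq $pubFromKey })
    if ($leaf.Count -ne 1) { throw "found $($leaf.Count) certificates matching the key, expected 1" }
    $ordered = @($leaf[0]) + @($certs | Where-Object { $_ -ne $leaf[0] })
    if ($ordered.Count -lt 2) { Write-Warning "PFX contains only the leaf; fullchain.pem will lack the intermediate" }

    $ascii = [System.Text.Encoding]::ASCII
    [System.IO.File]::WriteAllText($FullChain, (($ordered -join "`n") + "`n"), $ascii)
    [System.IO.File]::WriteAllText($PrivKey, ($key + "`n"), $ascii)
}

function Test-LocalPem {
    # Pre-upload check on the two files: the key matches the first certificate, and that
    # certificate is not about to expire (x509 only reads the first PEM block of a file).
    $pubFromKey  = Invoke-OpenSsl @("pkey", "-in", $PrivKey, "-pubout")
    $pubFromCert = Invoke-OpenSsl @("x509", "-in", $FullChain, "-noout", "-pubkey")
    & $OpenSsl x509 -in $FullChain -noout -checkend 1209600 | Out-Null   # 14 days in seconds
    $expiring = ($LASTEXITCODE -ne 0)
    $text  = Invoke-OpenSsl @("x509", "-in", $FullChain, "-noout", "-text")
    $names = @([regex]::Matches($text, 'DNS:([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    return [pscustomobject]@{
        KeyMatchesLeaf      = ($pubFromKey -eq $pubFromCert)
        ExpiresWithin14Days = $expiring
        SanNames            = $names
    }
}

function Test-RemoteLeaf {
    # Post-restart check (Step 6): fetch the certificate Exim presents via STARTTLS on port 25
    # and compare its SHA-256 fingerprint with the leaf in the local fullchain.pem.
    param([Parameter(Mandatory)][string]$Mx, [int]$Port = 25)
    $local  = Invoke-OpenSsl @("x509", "-in", $FullChain, "-noout", "-fingerprint", "-sha256")
    $dialog = "QUIT" | & $OpenSsl s_client -connect "${Mx}:${Port}" -starttls smtp -servername $Mx
    $served = [regex]::Match((@($dialog) -join "`n"), '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----').Value
    if (-not $served) { throw "no certificate received from ${Mx}:${Port}; is STARTTLS advertised?" }
    $remote = Invoke-OpenSsl @("x509", "-noout", "-fingerprint", "-sha256") -Stdin $served
    return ($local -eq $remote)
}

Export-PemFromPfx
$check = Test-LocalPem
if (-not $check.KeyMatchesLeaf) { throw "privkey.pem does not belong to fullchain.pem; do not upload" }
$check | Format-List
# Upload and restart as in Steps 3 and 5, then compare what Exim serves with what you uploaded
# (host name is an assumption):
# Test-RemoteLeaf -Mx "mymx.my.externaldomain"
```

Set the passphrase only for the current process before running (`$env:LE_PFX_PASS = ...` in the same session), so it ends with the session and is not written to a file or shown in the process list the way a `-passin pass:` argument is. If Test-RemoteLeaf returns False after the restart, Exim is still serving the old certificate, which points at the template paths in Step 4 or at the restart in Step 5 rather than at the PEM files themselves.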