1182

Information and implementation of Let's Encrypt SSL Certificates in MDaemon using a PowerShell script

Let's Encrypt is a certificate authority that provides free certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. 

Please direct all support inquiries to our Request Support page.

  1. Verify that port 80 is open on the mail server and/or firewall. The port must be open while the script runs and can be closed after it completes.
  2. Open a command prompt or PowerShell window as Administrator and navigate to the \MDaemon\LetsEncrypt directory.
  3. Run the command below, modifying it to add your alternate host names and/or the -To address.
    .\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -IISSiteName MySite -To "admin@yourdomain.com"
    • Do not include the default/primary domain in the -AlternateHostNames list.
    • If there are no alternate host names, remove the -AlternateHostNames parameter completely.
  4. When the script has finished and no errors are given, navigate to the Security / Security Settings / SSL & TLS menu and choose the Let's Encrypt certificate for MDaemon, WorldClient, and/or Remote Administration.
  5. If there are errors, please review the \MDaemon\Logs\LetsEncrypt.log and/or contact technical support, providing the log file and the command used.

Detailed Let's Encrypt information:

  • A PowerShell script that supports Let's Encrypt is now installed to the \MDaemon\LetsEncrypt directory. A dependency of the script, the ACMESharp module, requires PowerShell 3.0, so the script will not work on Windows 2003.
  • WorldClient must be listening on port 80, or the HTTP challenge cannot be completed and the script will not work. You will also need to set the PowerShell execution policy so that it allows the script to run. Running the script sets everything up for Let's Encrypt, including placing the necessary files in the WorldClient HTTP directory to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate.
  • The script creates a log file in the MDaemon\Logs\ directory called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date/time of the script, but it does not include a date/time stamp for each action. Notification emails can be sent when an error occurs; this is done using the $error variable, which is automatically created and set by PowerShell.
  • If the FQDN set up for your default domain does not point to the MDaemon server, this script will not work. If you want to set up alternate host names in the certificate, you can do so by passing the alternate host names on the command line.
    Example usage: .\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -IISSiteName MySite -To "admin@yourdomain.com"
  • You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, our default domain, altn.com, is configured with an FQDN of mail1.altn.com. We use an alternate host name of mail.altn.com. When I run the script, I only pass mail.altn.com as an alternate host name. If you pass alternate host names, an HTTP challenge will need to be completed for each of them. If the challenges are not all completed, the process will not complete correctly.
  • If you do not need to pass in alternate host names, do not include the -AlternateHostNames parameter in the command line. If you do not want email notifications sent when an error occurs, do not include the -To parameter in the command line.
  • If you are running WorldClient via IIS, you will need to pass this script the name of your site using the -IISSiteName parameter. You must have Microsoft's Web Scripting tools installed in order for the certificate to be automatically set up in IIS.
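The two checks below are an added example and are not part of MDaemon's LetsEncrypt.ps1: the first confirms, before running the script, that every host name to be certified resolves and accepts connections on port 80 (what the http-01 challenge needs); the second confirms, after the script has finished, that a certificate covering all of those names was imported and reports how long it has until expiry. The function names, the assumption that the certificate lands in Cert:\LocalMachine\My, and the host name mail1.domain.com standing in for the default domain's SMTP host name are all this example's own.

```powershell
# Added example, not MDaemon's script. Function names are hypothetical.
# Pre-flight: each name in the certificate must resolve and accept TCP connections
# on port 80, otherwise the http-01 challenge for that name cannot be completed.
function Test-LetsEncryptHostNames {
    param([Parameter(Mandatory)][string[]]$HostNames)
    foreach ($h in $HostNames) {
        $result = [ordered]@{ HostName = $h; Resolves = $false; Port80Open = $false }
        try {
            $result.Resolves = ([System.Net.Dns]::GetHostAddresses($h)).Count -gt 0
            $client = New-Object System.Net.Sockets.TcpClient
            $async = $client.BeginConnect($h, 80, $null, $null)
            # Wait at most 5 seconds so a firewalled host does not hang the check
            if ($async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected) {
                $result.Port80Open = $true
            }
            $client.Close()
        } catch { }   # unresolvable or unreachable names simply stay $false
        [pscustomobject]$result
    }
}

# Post-run: locate the imported certificate whose Subject Alternative Names cover
# every host name, and report the days left before it must be renewed.
function Test-LetsEncryptCertificate {
    param([Parameter(Mandatory)][string[]]$HostNames,
          [string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store location
    foreach ($cert in Get-ChildItem $StorePath) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { continue }
        # Format() renders the SAN extension as "DNS Name=host" entries
        $names = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() }
        $missing = $HostNames | Where-Object { $names -notcontains $_.ToLower() }
        if ($missing) { continue }
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Issuer       = $cert.Issuer
            Covers       = ($names -join ',')
            DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Usage: the default domain's SMTP host name (constructed placeholder mail1.domain.com)
# plus the alternate host names from the command in this article.
$names = 'mail1.domain.com','mail.domain.com','imap.domain.com','wc.domain.com'
Test-LetsEncryptHostNames -HostNames $names | Format-Table -AutoSize
Test-LetsEncryptCertificate -HostNames $names | Format-List
```

A row with Port80Open set to False before running LetsEncrypt.ps1 points at the name whose challenge will fail, and an empty result from the second function after a run means no imported certificate covers every requested name, so LetsEncrypt.log is the place to look next.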
