Automated Renewals for Mercury/32

Hi everyone,

I'm using Mercury/32 as my mail server and currently I'm renewing my domain certs manually (using ZeroSSL), then downloading the cert files and manually putting the CA cert and the public cert into a single file (as this is how Mercury needs it), then renaming both the cert and the private key to the filenames that Mercury expects to find.

Now, Mercury/32 is working fine with the cert, but ZeroSSL won't allow me to make free *.domain.tld certificates, which I actually need (I have a few subdomains, I also run an FTP server which should use the same certificate, and so forth).

Now my question is: is it somehow possible to do the following steps with a single script or batch file? I'm not good at PowerShell; I only master the very basics, and I use it so rarely that I always have to use ISE to find the right commands again :slight_smile:

  1. Renew a given certificate automatically when feeding it the old certificate, or the domain name(s), or a login? (Maybe with an answer file, dunno?)
  2. Save my certificate to a custom location on the hard drive, and do the same for an updated CA file from Let's Encrypt.
  3. Append the Let's Encrypt CA certificate to the public certificate that I'll get as a reply from certbot, and save this to a custom location on my server's hard drive (this can be done with APPEND in a batch file).
  4. Run this script every 3 months (that's an easy one: just use the scheduler to automatically run a batch file that goes over every step; I'll save the output of this batch to a custom log file so in case of errors I can find out what went wrong).

So only steps 1 and 2 are where I need some help.

I know there are many certbot/ACME scripts, and I know I'll probably be able to use one that already exists and modify some parameters, but I totally don't know which one to use. I believe that I need to save the certs as .PEM files (isn't that like in IIS?), but an IIS script will save them in the wrong place, as my certs are saved in m:\Certificates\Letsencrypt (or the junctioned location c:\Mercury\Certificates\Letsencrypt).

I've tried searching for Mercury on this forum, but that guy only had issues with getting the certificate to work in Mercury, which is not my case (sadly it was closed; I could've helped him).

Thanks in advance for your help!

I think the biggest challenge you'll potentially run into is the DNS challenge that is required for the wildcard certificate.

What is your domain / who is your DNS host?

The steps you have listed (automatic renewal, copying the certificate to another directory, restarting your mailserver) are all pretty basic and there are good Windows ACME clients which can do those quite comfortably.

But in order to do automatic renewal of a wildcard, the program you choose needs to be able to automatically deploy TXT records to your domain, at every renewal.

This can be either easy or hard - it depends who your DNS host is. Some Windows clients like "Certify the Web" and "Posh-ACME" support a wide range, but you need to check carefully that your DNS host is integrated.

Another option is just to avoid the wildcard and to list every single one of your needed domains on the certificate. You'd then be able to use the (much simpler, in comparison) HTTP challenge. That's what I would do, unless I truly needed a wildcard.

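Putting steps 1 to 3 of the original post together with the reply's point that the Windows ACME client has to answer the DNS-01 challenge and do the file handling, here is an added example in PowerShell. It is not the poster's script and not code from Posh-ACME or Mercury/32. It assumes Posh-ACME is installed and that an order for the domain was already created once with New-PACertificate using a DNS plugin for the registrar (so Submit-Renewal can re-publish the TXT records on its own); the domain example.com, the filenames mercury.pem and mercury.key, and the log location are placeholders to replace with your own. It writes the leaf certificate first and the CA chain after it, which is the order a TLS server is expected to send, and refuses to overwrite Mercury's files if the result does not parse or does not chain.

```powershell
# Added example for this thread (not the poster's script, not Posh-ACME or
# Mercury/32 project code). Assumptions: Posh-ACME is installed, an order for
# $MainDomain already exists with a DNS plugin configured, and Mercury/32 reads
# a combined leaf+chain PEM and a separate key file from the paths below.

$MainDomain = 'example.com'                        # assumption: your domain
$MercuryDir = 'm:\Certificates\Letsencrypt'        # directory named in the post
$CertOut    = Join-Path $MercuryDir 'mercury.pem'  # assumption: name Mercury expects
$KeyOut     = Join-Path $MercuryDir 'mercury.key'  # assumption: name Mercury expects
$LogFile    = Join-Path $MercuryDir 'renew.log'    # assumption: log location

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Return every CERTIFICATE block in a PEM file as an X509Certificate2, in file
# order. Order matters: the server sends the file as-is, so the leaf must come
# first and each issuer must follow the certificate it signed.
function Get-PemCertificates {
    param([string]$Path)
    $text    = [System.IO.File]::ReadAllText($Path)
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

# Step 3 of the post: leaf first, then the CA chain, as one ASCII file with LF
# line endings (Out-File in Windows PowerShell would add a UTF-16/BOM header).
function Merge-PemChain {
    param([string]$CertFile, [string]$ChainFile, [string]$OutFile)
    $leaf  = [System.IO.File]::ReadAllText($CertFile).Trim()
    $chain = [System.IO.File]::ReadAllText($ChainFile).Trim()
    [System.IO.File]::WriteAllText($OutFile, "$leaf`n$chain`n", [System.Text.Encoding]::ASCII)
}

# Sanity check before Mercury ever loads the file: it parses, the leaf is in
# front and names the domain, every link is issued by the next one, and the
# leaf is not about to expire. Returns the leaf's NotAfter on success.
function Test-PemChain {
    param([string]$Path, [string]$ExpectedDomain)
    $certs = @(Get-PemCertificates -Path $Path)
    if ($certs.Count -lt 2) { throw "$Path does not contain a leaf plus a chain" }
    $san = $certs[0].Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($ExpectedDomain))) {
        throw "First certificate in $Path is not for $ExpectedDomain (chain order wrong?)"
    }
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            throw ('Chain break: "{0}" is not followed by its issuer' -f $certs[$i].Subject)
        }
    }
    if ($certs[0].NotAfter -lt (Get-Date).AddDays(7)) {
        throw "Leaf expires $($certs[0].NotAfter); refusing to install it"
    }
    return $certs[0].NotAfter
}

try {
    Write-Log "Renewal check for $MainDomain"
    # Step 1: Submit-Renewal only renews when the order is due, and answers the
    # DNS-01 challenge through the plugin stored on the order. Run this daily;
    # a failed run is simply retried tomorrow instead of waiting three months.
    $renewed = Submit-Renewal -MainDomain $MainDomain
    if (-not $renewed) { Write-Log 'Not due yet; nothing to do'; exit 0 }

    $cert    = Get-PACertificate -MainDomain $MainDomain
    $staging = Join-Path $env:TEMP 'mercury-fullchain.pem'
    Merge-PemChain -CertFile $cert.CertFile -ChainFile $cert.ChainFile -OutFile $staging
    $notAfter = Test-PemChain -Path $staging -ExpectedDomain $MainDomain

    # Step 2: only after the checks pass, overwrite what Mercury reads.
    Copy-Item -Path $cert.KeyFile -Destination $KeyOut -Force
    Move-Item -Path $staging -Destination $CertOut -Force
    Write-Log "Installed certificate for $MainDomain, valid until $notAfter"
    # If Mercury runs as a Windows service, restart it here so it reloads the files.
}
catch {
    Write-Log "ERROR: $_"
    exit 1
}
```

Posh-ACME already writes the combined file itself (the `FullChainFile` property of the object `Get-PACertificate` returns), so `Merge-PemChain` is only needed for clients that hand you the leaf and the chain separately, as the ZeroSSL download in the post does; `Test-PemChain` is worth keeping either way. Register the script with `Register-ScheduledTask` using `New-ScheduledTaskTrigger -Daily` rather than a three-monthly trigger, and run the task as the same Windows account that ran `New-PACertificate`, because Posh-ACME keeps its account and order state under that user's profile.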

I'm not running any website on my domains, so HTTP is impossible for me, or I'd have to install an Apache just for that, which I prefer not to because of the security risk.
I could ask the registrar if there is a possibility to edit TXT fields with an automated tool (or via an API?), just like I'm also able to directly update dynamic IPs in my domain (no DynDNS needed) with a little IP updater tool or via a customized URL...

Also, my registrar is purely a registrar as far as I know, so no web hosting. I have access to all fields in the DNS record and can create unlimited fields/records/subdomains (TXT, SRV, A, AAAA, CNAME, and even custom ones).

A wildcard would be that much easier; I have a lot of subdomains with stuff running, and a few of them are not even in the same location; some of them are on IPv4, others on IPv6, although that doesn't really matter a lot... But none of them has a www server running; it's all other stuff like mail, SSH, FTP, SHOUTcast, VPN access, etc. The mail server has a tiny web server running, but that's only to allow people to (un)subscribe/pause/... from mailing lists via a URL instead of a mail reply.

I already contacted my DNS registrar and hopefully he has some good news for me (automated TXT editing with a customized URL or API).
I'll follow up as soon as I have more info. (If anyone has ideas in the meantime, don't hesitate to say something.)
