Barebones IMAP SSL cert (windows)

(I filled out the basic questionnaire and it got posted as is – see below, but it’s entirely not applicable to my situation)

I understand that it’s possible to create a certificate using Windows without a website installed (using a DNS challenge). I am trying to understand how to do this, without activating IIS. I cannot find instructions for this anywhere. Can someone point me to the right place please?

The OS is Win 10, and I need a cert for IMAP SSL for a bare-bones hMailServer install. The DNS is running locally on a Windows 2012R2 server.

My domain is:

I ran this command: None yet

It produced this output: N/A

My web server is (include version): Required to not exist.

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): None yet

Do you have a specific question or issue you’d like to discuss?

Yes, sorry, I’ve now edited the original post. I somehow posted the original before it was completed.

You could use certbot, which can spin up a temporary webserver for just the challenge:

Thanks for the suggestion, but the specific exercise is to do it with the DNS challenge.

I do know how to do it several different ways using web servers, but I’m trying to understand / verify the DNS challenge route on Windows.

The current hMailServer tutorial for setting up a LetsEncrypt certificate is very convoluted, and makes (non-technical) users do apache installs / config edits, which is very much the opposite of what the hMailServer design goals are (it’s exclusively Windows, and deliberately GUI-only).

I would like to create an alternate tutorial for those who cannot, or don’t want to, use a webserver-based challenge authentication. Since they already have to modify their system’s DNS records, a DNS challenge approach would hopefully be simpler.

If there’s a Windows certbot approach that is port 80 based, but mostly GUI, that would be second best. But there will be people who have trouble with things like missing port 80 forwards in their NATs, port 80 forwarded to a different server they’re not allowed to touch, and so on.

Posh-ACME is PowerShell based and comes with a whole bunch of DNS plugins. Though it would likely involve some additional scripting once the cert is obtained in order to deploy it to hMailServer.

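An added example of the flow the reply above suggests (not code from the thread, from Posh-ACME or from hMailServer): DNS-01 issuance with Posh-ACME 4.x and its Windows DNS plugin, followed by the hand-off scripting the reply mentions. It assumes placeholder hostnames, a Windows DNS Server the plugin can reach, and hMailServer installed as the Windows service `hMailServer`; the plugin parameter names `WinServer`/`WinCred` are from memory and should be checked against `Get-PAPlugin Windows`.

```powershell
# Added example: Posh-ACME DNS-01 on Windows, then hand the PEM files to hMailServer.
# Assumptions: Posh-ACME 4.x, a Windows DNS Server reachable as $DnsServer, and
# hMailServer running as the service 'hMailServer'. Check the plugin parameter
# names with: Get-PAPlugin Windows
param(
    [string]$MailHost  = 'mail.example.com',      # placeholder hostname
    [string]$Contact   = 'postmaster@example.com', # placeholder contact
    [string]$DnsServer = 'dns1.example.local',    # placeholder Windows DNS server
    [string]$CertDir   = 'C:\hMailServer\Certs',  # folder hMailServer will read
    [switch]$Production
)

Import-Module Posh-ACME -ErrorAction Stop

# Start against staging so a mistake in the DNS setup does not burn production
# rate limits; rerun with -Production once the challenge completes cleanly.
Set-PAServer $(if ($Production) { 'LE_PROD' } else { 'LE_STAGE' })

# DNS-01: the plugin writes the _acme-challenge TXT record on the Windows DNS
# server, Posh-ACME waits for it to be visible, then the record is removed.
# No port 80 and no web server are involved at any point.
$cred = Get-Credential -Message "Account allowed to edit DNS on $DnsServer"
$cert = New-PACertificate -Domain $MailHost -AcceptTOS -Contact $Contact `
    -Plugin Windows `
    -PluginArgs @{ WinServer = $DnsServer; WinCred = $cred } `
    -Verbose
if (-not $cert) { throw "No certificate returned for $MailHost" }

# hMailServer wants PEM files: the certificate with its chain, and the key.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
$chainPath = Join-Path $CertDir 'fullchain.pem'
$keyPath   = Join-Path $CertDir 'privkey.pem'
Copy-Item $cert.FullChainFile $chainPath -Force
Copy-Item $cert.KeyFile       $keyPath   -Force

# Restrict the private key to SYSTEM (the service account) and administrators,
# dropping the inherited ACL so ordinary users of the box cannot read it.
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl $keyPath $acl

# hMailServer loads the files at start-up; the GUI (Settings > Advanced >
# SSL certificates) is pointed at $chainPath and $keyPath once, then the
# service just needs a restart after each issuance.
Restart-Service -Name 'hMailServer'
"Issued $($cert.Subject), valid until $($cert.NotAfter); files in $CertDir"
```

For renewal, a scheduled task that runs `Submit-Renewal` and then repeats the copy and restart steps keeps the GUI configuration untouched.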
Looks like just what’s needed. I will try it out!

Thanks for the suggestion.
