Cannot validate LE cert in Icewarp Mail Server

Windows Server 2016 Essentials
Icewarp Deep Castle 2 Build 3

IW support tells me LE can't validate when port 80 is in use. So I stop all services until netstat -aon | find ":80" shows nothing connected. Still no validation.

Then IW tells me LE needs to be able to connect to "http://mail.." Browser is redirected to "https://"

Had some trouble with nslookup not working right - got that fixed. Now I'm in a loop with IW support.

At this point, I would HAPPILY pay for a cert if someone could help me get it working.

This all started last Sat when, out of the blue, Thunderbird (latest version) started complaining about invalid certs that had been working flawlessly. Had to tell Tbird to accept a security exception. IW could not update certs.

I started to try acme-win but it wants to bind to an IIS or some web instance. This box is a standalone mail server - no web, no media... just email.

Hi @TopperTom

You can switch to dns validation. Then you don't need a running webserver.

Or you can use a client that creates its own webserver, if port 80 is free.

Why is your port 80 used? Is there a webserver? If yes, use that webserver to validate your domain.

No webserver. IW kept telling me that port 80 had to be available from outside. Finally killed MS Branch Cache that was hooked into 80. As it is only a mail server, I don't want any web/http running on it, but now IW is telling me that LE needs a web service running.

Is there a succinct explanation of how to use DNS to validate and, more importantly, how will IW know to use DNS to validate? I understand that IW is using the ACME protocol - will it know to use DNS if it can't hit an http?

Please check the documentation of that IW if you use it.

I don't know if IW supports dns validation.

But if IW works with http validation and if your port 80 is free, then all should work.

From your description, Icewarp is currently only presenting your domain (leaf/end-entity) certificate, not the intermediate certificate(s) that the certificate chain is made up of. So the cert fails in Thunderbird because it used to know about the old Let's Encrypt intermediate and doesn't know about the new one, so it expects to find it in your certificate chain instead: Note regarding transition to R3 intermediate with Firefox or Thunderbird

If the actual cert is renewing OK, then the task is to find out how to get Icewarp to use the correct intermediate certificates; this can sometimes be done on other servers by giving it a 'chain' file containing the intermediates and the root.

I don't know the first thing about Icewarp, but from your description the built-in ACME client that talks to Let's Encrypt needs to be up to date, so make sure it is.

For ACME certs, http validation works by presenting a specific http response file to Let's Encrypt when they ask for it. If validation has stopped working then something has changed in your configuration, or the server simply needs a restart. A lot of Windows ACME clients (such as the one I maintain) start a temporary http listener on port 80, so you don't have to have IIS running, or it can even sit in front of IIS and just answer the acme challenges. I don't know if Icewarp has that feature.

DNS validation (also called dns-01) involves automatically asking Let's Encrypt for a challenge; this then roughly means your system has to add/update the TXT record with the value specified by Let's Encrypt. Doing this can involve any number of DNS APIs, and whether you will be able to use that feature depends on Icewarp's acme support for DNS validation, and on your DNS service.

You could use Certify The Web (or other tools) to fetch your certificate then script the certificate update to Icewarp.

