Certificate expired

I need help on renewing the certificate for

My domain is: mail.avortho.co.nz

Please advise on how to proceed. Thank you.


Kind of hard to do when you've given us absolutely nothing to go on--the answers to the questions you were asked when you started this topic would be a good start. Without that, the best I can tell you is "whatever you did to get the cert in the first place, do it again."


My bad. The expired certificate was issued to: mail.avortho.co.nz
Mailserver: Hmailserver 5.6.7-B2425
Operating system the hmailserver is running on: Windows Server 2016 version 1607 (OS Build 143939.3930)
When I open the expired certificate file and click the Issuer Statement button, it takes me to this Let's Encrypt website: ISRG CPS v3.2 - Let's Encrypt
I'm using the Hmailserver control/admin panel.
Let me know what further details are required. Thank you.


Hi, which ACME software are you using and what version is it? Likely options include:

  • Posh-ACME
  • Certify The Web
  • win-acme (also known as LEWS)
  • Certbot
  • Something else

What error is your software reporting?

If you look in Windows Task Scheduler, that may give you a clue. For instance, if you have a scheduled task for win-acme, that would imply you're using that.

Alternatively, start again and install one of those.


I found in the Program List: Certify The Web version 4.1.6
Also found a daily task scheduled at 5AM to update the certificate, but it looks like that did not work? The certificate shows it is valid until May 15th, 2021

Ok, well luckily I'm the developer of that app (Certify). You should update to the latest version of the app (5.3.5) before proceeding. To do so, download it from https://certifytheweb.com and install it; this will update the existing app. The version you currently have is a couple of years old.

For Hmailserver you will find that there are two parts:

  • renewing your certificate. You can check the managed certificate status and log in Certify The Web
  • applying the latest certificate to HmailServer. The app doesn't have that function built in, so you are using a custom script that you supplied yourself. This is most likely being run after each renewal and in the latest version of Certify you will find this under Tasks. You can manually run the script task from the Certify UI and see if there is some error.

If the certificate is failing to renew, the general reason will be shown in the managed certificate log. Common reasons would be recent firewall changes that block port 80 etc.


Note also that you should ensure a correct email address is specified under Settings > Certificate Authorities > (Let's Encrypt), as otherwise you will not receive warnings about failed renewals or expiring certificates.

I updated to version 5.3.5 and ensured the correct email address is specified under Settings > Certificate Authorities > (Let's Encrypt)

When I clicked renew I do get the below error about the firewall

You mentioned port 80 has to be enabled. Is there an external IP/URL that should be specified in the firewall exception?

No, Let's Encrypt uses multiple vantage points to verify the challenge and does not publish a list of hosts/IPs from where, also because that can change at any moment and isn't fixed. See the FAQ.

You need to open TCP port 80 (incoming) in Windows Firewall (and at the VM/cloud level if applicable) so that HTTP validation can complete.

You probably closed it because you thought it wasn't being used, but because you are using HTTP validation, Certify will act as a temporary HTTP server just during validation. Let's Encrypt then asks the app to prove you control the domain by presenting a specific 'challenge response' as seen in the URL that is failing to load.

It is saying Success. However it also says Renewal will be attempted within 48 hrs?

I restarted the hmailservices and checked the certificate. Certificate still shows valid until May 15th, 2021. Does this mean the cert has not really renewed yet?

Interesting, I'll look at the issue with the status message to see if I can reproduce it but overall it looks like the actual certificate is renewing, but from your description whatever process you have to apply the certificate to hmailserver is not working.

Can you check in certmgr.msc > Personal > Certificates to ensure there is a current certificate there (there will likely be a few and one probably was created today and expires in 90 days). If that's all OK then you need to figure out what your script does. If you don't see a script task under the Tasks tab of your managed certificate in Certify then you just don't have a script (so either you have some scheduled task or someone removed the script at some point). Is there any possibility that someone was running some script manually during a maintenance window?

Also see the certify community forum for discussions around hmailserver: Search results for 'hmail' - Certify The Web - Support Community

If you can't find a new cert in your computer certificate store, please email your certify log file for the managed certificate to support at certifytheweb.com and I'll have a look.
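The store check described in the replies above can be combined with a look at what the mail server actually presents, which separates "renewal failed" from "renewed but not applied". This is an added example, not part of the thread and not Certify The Web's own code; the TLS port (465, implicit TLS) is an assumption, so pass the port your hMailServer really uses.

```powershell
# Added example: compare the newest stored certificate for a host name with the
# certificate the mail server presents on the wire.
# Assumption: the server offers implicit TLS on $TlsPort (465 is a guess).
param(
    [string]$HostName = 'mail.avortho.co.nz',
    [int]$TlsPort = 465
)

# 1. Newest certificate for the host name in the Personal stores.
$stored = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $stored) {
    Write-Warning "No certificate for $HostName in the Personal stores; check the renewal log."
    return
}
'Stored : {0}  expires {1:yyyy-MM-dd}' -f $stored.Thumbprint, $stored.NotAfter

# 2. Certificate the server presents during the TLS handshake.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($HostName, $TlsPort)
    # Diagnostic only: accept any certificate so an expired one can still be
    # read. No mail data or credentials are sent over this connection.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
'Served : {0}  expires {1:yyyy-MM-dd}' -f $served.Thumbprint, $served.NotAfter

# 3. Verdict: same thumbprint means the newest certificate is in use.
if ($served.Thumbprint -eq $stored.Thumbprint) {
    'OK: the mail server is presenting the newest stored certificate.'
} elseif ($stored.NotAfter -gt (Get-Date)) {
    'MISMATCH: renewal worked, but the new certificate was not applied to the mail server.'
} else {
    'EXPIRED: the newest stored certificate is itself expired, so renewal is failing.'
}
```

A MISMATCH result points at the step that applies the certificate to the mail server (script task or scheduled task) rather than at the ACME renewal itself.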
