I have obtained a certificate with Let's Encrypt that matches the FQDN of my IIS 6.0 SMTP, but it is not used. What do I have to do to make this work?
Here are some screenshots for troubleshooting:
I have already found a similar thread: 2012 r2 iis 8.0 smtp tls
Unfortunately, the person concerned writes about the solution: "I then tried creating the CSR from IIS itself and went through the same process with zerossl.com and completed the cert process with IIS and it is now seen".
But I can't find the place where to make a CSR in IIS. Can anyone tell me where I can do this?
I have to say that probably in IIS 6.0 on Windows Server 2012 R2 there was a button to do a CSR. But this button is no longer available in Windows Server 2019.
Since I'm a newbie, I'm not allowed to post any more pictures yet. Here are the other pictures. I hope this is ok:
I deliberately mentioned IIS 6.0. The background to this is that the SMTP Relay feature has not been further developed by Microsoft since then. This means that even on your Windows Server 2019 server you still have to install IIS 6.0.
It seems you've been creating identical certificates a lot recently: crt.sh | weltgold.de I count 5 identical certificates in the last few days, which causes you to hit a rate limit. With good reason. Please don't generate unnecessary duplicate certificates excessively.
The issue here is not the certificate issuance with certbot, but the usage of that certificate. You said you've generated the certificate on a Debian computer with certbot: what have you done with those certificates after you've issued them? Transferred them to your Windows Server, I assume? And somehow installed them? I see you've got a screenshot with "Zertifikate", so you've imported the cert somewhere apparently.
I am using Let's Encrypt certificates for my IIS 6.0 SMTP server, using the standard win-acme client, so it is definitely possible.
Your certificate is ok (name matches FQDN as set in IIS manager)
Your certificate is placed in the correct store (Local Computer\My)
Configuration of IIS also looks good (FQDN matches certificate)
Remember to restart "Simple Mail Transfer Protocol (SMTP)" service after messing around with certificates in order to force reload of certificates.
You might be subject to a bug in the IIS manager, which causes it to fail to show that a TLS certificate is indeed found and used. The System log in the Event Viewer will in that case output this message during startup of the SMTP-service:
A TLS server certificate was found for SMTP virtual server instance '1' with thumbprint 170b496e3bf35434dce8bce75a3247aa1e8c4d52. TLS will be available for this virtual-server.
You can pretty easily validate that the SMTP server indeed is using the TLS certificate by connecting to the SMTP server using Telnet and issuing the starttls command, i.e.:
telnet 127.0.0.1 25
-> 220 abc.de Microsoft ESMTP MAIL Service, Version: 10.0.17763.1 ready at Thu, 3 Jun 2021 10:41:06 +0200
helo
-> 250 abc.de Hello [127.0.0.1]
starttls
-> 220 2.0.0 SMTP server ready
One other thing to note: Ensure that your automatic renewal also stores the renewed certificate to the Local Computer\My store! If you are using the win-acme client, it is just a matter of changing the DefaultStore in settings.json to "My":
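As an added example (not code from any post in this thread), a Python check that does what the Telnet session above does by hand, but also completes the TLS handshake with chain and hostname verification and compares the served certificate's SHA-1 thumbprint with the one the System event log reports. The host name and thumbprint used in the usage call are assumptions; replace them with your own.

```python
"""Verify that an SMTP server serves the expected TLS certificate after STARTTLS."""
import hashlib
import smtplib
import ssl


def sha1_thumbprint(der_cert: bytes) -> str:
    """Windows' certificate 'Thumbprint' is the SHA-1 of the DER encoding, lowercase hex."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """The certificate MMC shows '17 0b 49 6e ...', the event log '170b496e...';
    strip spaces and colons so the two can be compared."""
    return "".join(value.split()).replace(":", "").lower()


def starttls_offered(ehlo_response: bytes) -> bool:
    """True if STARTTLS is among the keywords the server advertised in reply to EHLO."""
    lines = ehlo_response.decode("ascii", "replace").upper().splitlines()
    return any(line.strip() == "STARTTLS" for line in lines)


def check_smtp_tls(fqdn: str, port: int = 25, expected_thumbprint: str = "") -> dict:
    """Connect to the server by its FQDN (not 127.0.0.1, or hostname checking
    cannot match), EHLO, STARTTLS, then verify the chain and name the way a
    sending MTA with verification enabled would. Returns a small result dict."""
    ctx = ssl.create_default_context()        # verifies chain and hostname
    with smtplib.SMTP(fqdn, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo()
        if not starttls_offered(msg):
            return {"ok": False, "reason": "server does not advertise STARTTLS"}
        smtp.starttls(context=ctx)            # raises ssl.SSLError on a bad cert or name
        sock = smtp.sock                      # now an ssl.SSLSocket
        thumbprint = sha1_thumbprint(sock.getpeercert(binary_form=True))
        result = {"ok": True, "thumbprint": thumbprint, "protocol": sock.version()}
        if expected_thumbprint:
            result["ok"] = thumbprint == normalize_thumbprint(expected_thumbprint)
        return result


if __name__ == "__main__":
    # Assumed values: your SMTP FQDN and the thumbprint from the System event log
    # entry "A TLS server certificate was found for SMTP virtual server ...".
    print(check_smtp_tls("mail.example.com",
                         expected_thumbprint="170b496e3bf35434dce8bce75a3247aa1e8c4d52"))
```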
The "IIS 6 Management Compatibility" feature does not mean IIS 6.0 is actually installed. It's just a shim that provides an IIS 6 compatible API surface to things like the SMTP Server feature that were never updated to work with newer IIS versions. Ultimately, you're still running the OS native version of IIS 8 or 8.5 or whatever.