IIS 6.0 Certificate does not work with SMTP

I have obtained a certificate from Let's Encrypt that matches the FQDN of my IIS 6.0 SMTP server, but it is not used. What do I have to do to make this work?

Here are some screenshots for troubleshooting:

I have already found a similar thread: 2012 r2 iis 8.0 smtp tls
Unfortunately, the person concerned writes this about the solution: "I then tried creating the CSR from IIS itself and went through the same process with zerossl.com and completed the cert process with IIS and it is now seen".
But I can't find where to create a CSR in IIS. Can anyone tell me where I can do this?

I have to say that there probably was a button to create a CSR in IIS 6.0 on Windows Server 2012 R2. But this button is no longer available in Windows Server 2019.

Since I'm a newbie, I'm not allowed to post any more pictures yet. Here are the other pictures. I hope this is ok:




You mentioned IIS 6 a couple of times; this is the version that came with Server 2003. Are you sure it's not actually IIS 8.5?

What tool/process did you use to get your certificate? e.g. win-acme, certbot, Certify The Web, Posh-ACME etc.


I deliberately mentioned IIS 6.0. The background to this is that the SMTP Relay feature has not been further developed by Microsoft since then. This means that even on your Windows Server 2019 server you still have to install IIS 6.0.

I created the certificate on Debian 10 with certbot (1.15.0) as a wildcard certificate with this plugin: GitHub - HyP3r-/certbot-dns-ionos: A certbot plugin for enabling DNS authentication with IONOS. The background to this is that the original repository cannot request wildcard sub-domains. Therefore I had to make a fork.

It seems you've been creating identical certificates a lot recently: crt.sh | weltgold.de. I count 5 identical certificates in the last few days, which causes you to hit a rate limit, with good reason. Please don't generate duplicate certificates excessively and unnecessarily.

The issue here is not the certificate issuance with certbot, but the usage of that certificate. You said you've generated the certificate on a Debian computer with certbot: what have you done with those certificates after you've issued them? Transferred them to your Windows Server, I assume? And somehow installed them? I see you've got a screenshot with "Zertifikate", so you've apparently imported the cert somewhere.

Perhaps this thread helps?

https://social.technet.microsoft.com/Forums/windowsserver/en-US/85e7af7b-ac3d-44ad-8d85-16bbc3686bd1/using-tls-certificate-with-windows-2008-smtp-virtual-server?forum=winservergen

It seems the user Gus75 has a correct answer according to the user David Chester in that thread.


As it's an extremely old component, it may need certs with the old CSP:

Win-acme also creates legacy-CSP-compatible certs by default, so you could just use that.


I am using Let's Encrypt certificates for my IIS 6.0 SMTP server, using the standard win-acme client, so it is definitely possible.

  • Your certificate is ok (name matches FQDN as set in IIS manager)
  • Your certificate is placed in the correct store (Local Computer\My)
  • Configuration of IIS also looks good (FQDN matches certificate)

Remember to restart the "Simple Mail Transfer Protocol (SMTP)" service after messing around with certificates in order to force a reload of the certificates.

You might be subject to a bug in the IIS manager which causes it to fail to show that a TLS certificate is indeed found and used. In that case the System log in the Event Viewer will output this message during startup of the SMTP service:

A TLS server certificate was found for SMTP virtual server instance '1' with thumbprint 170b496e3bf35434dce8bce75a3247aa1e8c4d52. TLS will be available for this virtual-server.

You can quite easily validate that the SMTP server is indeed using the TLS certificate by connecting to it with Telnet and issuing the starttls command, i.e.:

telnet 127.0.0.1 25
-> 220 abc.de Microsoft ESMTP MAIL Service, Version: 10.0.17763.1 ready at  Thu, 3 Jun 2021 10:41:06 +0200
helo
-> 250 abc.de Hello [127.0.0.1]
starttls
-> 220 2.0.0 SMTP server ready

If the server is open from the internet, you can also use an online tool like: https://ssl-tools.net/mailservers/

One other thing to note: ensure that your automatic renewal also stores the renewed certificate in the Local Computer\My store! If you are using the win-acme client, it is just a matter of changing the DefaultStore in settings.json to "My":

"Store": {
  "DefaultStore": null,
  "CertificateStore": {
    "DefaultStore": "My"
  }
}

Finally, a few other things to note:

  • Make sure there is only a single certificate in the Local Computer\My store for the same name (weltgold.de)
  • Don't use certificates with multiple SANs, since IIS also has a bug that ignores all but the first name listed in the SAN

Best of luck!

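As an added example that is not from the thread: a small Python script that automates the Telnet STARTTLS check above and compares the certificate the server actually serves with the thumbprint from the System-log message. The host, port, FQDN and expected thumbprint are whatever you pass in; the chain is verified against the local trust store, and the name check is done in the script so the probe can target 127.0.0.1 like the Telnet session.

```python
import hashlib
import re
import smtplib
import ssl

# Added example: matches the System-log line quoted above (instance number and SHA-1 thumbprint).
EVENT_RE = re.compile(
    r"TLS server certificate was found for SMTP virtual server instance '(\d+)' "
    r"with thumbprint ([0-9a-fA-F]{40})")

def parse_tls_event(message):
    """Return (instance, thumbprint) from the Event Viewer line, or None if it is another message."""
    m = EVENT_RE.search(message)
    return (int(m.group(1)), m.group(2).lower()) if m else None

def thumbprint(der_cert):
    """Windows shows the SHA-1 of the DER-encoded certificate as the 'thumbprint'."""
    return hashlib.sha1(der_cert).hexdigest()

def name_matches(fqdn, dns_names):
    """True if fqdn equals a SAN DNS entry or is covered by a one-label wildcard (*.example.com)."""
    fqdn = fqdn.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and fqdn.count(".") == name.count(".") and fqdn.endswith(name[1:]):
            return True
    return False

def check_starttls(host, port, fqdn, expected_thumbprint=None, timeout=10):
    """EHLO, STARTTLS, then report the served certificate (raises on connection errors).
    Chain verified by ssl; the name is checked by name_matches() so host may be 127.0.0.1."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    report = {"starttls_offered": False, "thumbprint": None, "names": [], "name_ok": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(fqdn)
        if not smtp.has_extn("starttls"):
            return report                      # server never advertised STARTTLS
        report["starttls_offered"] = True
        smtp.starttls(context=ctx)
        san = smtp.sock.getpeercert().get("subjectAltName", ())
        report["thumbprint"] = thumbprint(smtp.sock.getpeercert(binary_form=True))
        report["names"] = [value for kind, value in san if kind == "DNS"]
        report["name_ok"] = name_matches(fqdn, report["names"])
        if expected_thumbprint:                # e.g. the value parsed from the event log
            report["thumbprint_ok"] = report["thumbprint"] == expected_thumbprint.lower()
    return report
```

A call such as `check_starttls("127.0.0.1", 25, "abc.de", "170b496e3bf35434dce8bce75a3247aa1e8c4d52")` reproduces the manual test, and a `thumbprint` that differs from the event-log value means the SMTP service is still holding an older certificate and needs the restart mentioned above.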

The "IIS 6 Management Compatibility" feature does not mean IIS 6.0 is actually installed. It's just a shim that provides an IIS 6 compatible API surface to things like the SMTP Server feature that were never updated to work with newer IIS versions. Ultimately, you're still running the OS native version of IIS 8 or 8.5 or whatever.

