I also noticed that when building the URL
for LE to check, it doesn’t use the domain’s url_host value.
For example, if the domain is
fibernetcommunications.net, but my url_host value is
webmail.fibernetcommunications.net, it’s not used (as
suggests it should be)
tellmail ssl_update fibernetcommunications.net
Version 7.3p-21, Built Dec 11 2018 15:09:37, Platform
OK, firstname.lastname@example.org, users=unlimited,
flags=48, host=mail2:, prod=surgemail active=19710
check: fibernetcommunications.net Cannot find file
lets/fibernetcommunications.net/surge_cert.pem No such file
status: Account created ok
required for domain fibernetcommunications.net
Timeout during connect (likely firewall problem)
It should have been
From: Frank Bulk
Sent: Tuesday, September 10, 2019 11:13 PM
Subject: RE: tRE: [SurgeMail List] g_ssl_auto
feature - how?
I tried to turn up LE tonight, but every domain failed, mainly because their url_host didn’t point to Surgemail. No harm done.
But here’s an example of where the domain
does point to Surgemail, but fails when I ran “tellmail
check: webmail.schellingconstruction.com Cannot find file
such file or directory
status: Account created ok
required for domain webmail.schellingconstruction.com
error: Invalid response from
[18.104.22.168]: "The file you requested does not exist. The
url may be incorrect.\r\nRequested File:
Since we use two Surgemail servers behind a load-balancer, when “tellmail ssl_update” runs on server #1, who’s to say which of the two SurgeWebs the public LE server is hitting when it runs its authorization? It would seem you need to make sure the dynamically created challenge file is synced to the other server before the public LE queries. I don’t even see the “.wellknown” directory created on the other server’s /var/Surgemail/www directory.
Also, if I can suggest a speed optimization – before reaching out to LE to start the certificate creation process, make sure that (1) the url_host value resolves to an IP address and (2) that it terminates on the SurgeWeb servers.
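A pre-issuance self-check of the kind suggested above, written as an added example (it is not SurgeMail code and tellmail has no such hook here): it confirms that url_host resolves, then fetches the http-01 challenge path from each backend behind the load balancer with the public Host header, so an unsynced challenge file on the second server is caught before Let's Encrypt is asked to validate. Backend addresses, token and key authorization are constructed placeholders.

```python
"""Added example: ACME http-01 self-check before requesting issuance."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"   # path the LE validator fetches over port 80


def resolve(host: str) -> Optional[str]:
    """DNS lookup of the public url_host; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def http_get(url: str, host_header: str, timeout: float = 5.0) -> Optional[str]:
    """Plain HTTP GET against one backend, carrying the public name as Host header.
    Returns the stripped body, or None on any connection/HTTP failure."""
    req = urllib.request.Request(url, headers={"Host": host_header})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except (urllib.error.URLError, OSError, ValueError):
        return None


def preflight(url_host: str, token: str, key_auth: str, backends: Iterable[str],
              resolver: Callable[[str], Optional[str]] = resolve,
              fetch: Callable[[str, str], Optional[str]] = http_get,
              ) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). ok is True only when url_host resolves and every
    backend serves exactly the expected key authorization for the token."""
    ip = resolver(url_host)
    if ip is None:
        return False, [f"{url_host} does not resolve; skip LE for this domain"]
    reasons: List[str] = []
    for backend in backends:
        body = fetch(f"http://{backend}{ACME_PATH}{token}", url_host)
        if body is None:
            reasons.append(f"{backend}: no HTTP answer (not terminating on SurgeWeb?)")
        elif body != key_auth:
            reasons.append(f"{backend}: challenge body mismatch (file not synced?)")
    if reasons:
        return False, reasons
    return True, [f"{url_host} -> {ip}: all backends serve the challenge"]


if __name__ == "__main__":
    # Constructed placeholders; real values come from the ACME client's pending order.
    token = "constructed-token"
    print(preflight("webmail.example.test", token, token + ".constructed-thumbprint",
                    ["10.0.0.1", "10.0.0.2"]))
```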
Thursday 06/06/2019 at 3:13 pm, Frank Bulk wrote:
does the “G_SSL_LETS_EXCLUDE” need to list each item in “ssl_alias” to prevent a Let’s Encrypt certificate being created for that domain?
example, if I had several domains where I wanted to use Let’s Encrypt but wanted to exclude acme.com which had webmail.acme.com with an ssl_alias entry of “pop.acme.com, smtp.acme.com, mail.acme.com”, do I configure g_ssl_lets_exclude with just “mail.acme.com”, or do I need to list “mail.acme.com, pop.acme.com, smtp.acme.com, webmail.com”?
list every name or alias to exclude.
that g_ssl_lets_exclude is not in your online
wish I could turn on Let’s Encrypt on a per-domain basis, rather than globally enable and selectively exclude. This would be a much safer deployment approach for us … if we forget to exclude just one domain we may have “lost” its SSL certificate.
The SSL certificates for g_ssl_auto are placed in /surgemail/lets... not surgemail/ssl... , so there is double protection: it won't overwrite any of the old certificates in the ssl folders, you might just have to copy them again to the lets folder path.
don't support wildcard certificates in letsencrypt
in surgemail, but we do allow aliases, just add
settings to the domain in question for any needed
Saturday 18/05/2019 at 3:56 am, Frank Bulk wrote:
just learned that an SSL certificate is only
created with the domain listed in “url_host”.
currently have an SSL certificate that
includes webmail and SAN (subject alternative
names) pop3, smtp, and imap. Is there support
in SM for that? We really can’t stop doing
that without creating a huge support
if we want a wildcarded LE certificate?
1/02/2019 11:35 AM, Frank Bulk wrote:
I had missed your previous response(s).
follow up questions:
happens if you forget to exclude those
certain domains – are the certificates in
the SSL directory ignored and those
auto-generated in lets used?
if you forget the setting it will probably overwrite the ones you've copied in with new
how do you “recover” if then want to have
custom SSL certificates – do you just add
them to g_ssl_lets_exclude, copy the files
for that domain from the ssl directory to
the lets directory, and execute “tellmail
reload”? Or do you have to restart
fix the exclude setting, copy them again from
ssl to lets folder, and
you can but it's a bit tricky.
1) You need a recent build, 7.3p at least
2) You copy the ssl directory tree to the lets directory tree (or the relevant domains' folders at least)
3) You set G_SSL_LETS_EXCLUDE
Tuesday 29/01/2019 at 3:42 am, Frank Bulk
feedback on this? Can we turn this on
only for those domains we don’t already
have a separate certificate in place?
I had been meaning to ask if we could
turn this on only for domains that we
don't already have a cert in place.
From: Jeff Crowe [email@example.com]
Received: Wednesday, 31 Oct 2018,
Subject: [SurgeMail List]
g_ssl_auto feature - how?
have been looking for a fix for my
broken Chrome SSL certs today and
ran across this gem on the surgemail
Version 7.3j2 or later
this version of surgemail ssl
certificates are created and signed
completely automatically for all
domains, with one setting, no
certbot or other external programs
signing authority is being used?
it lets encrypt built into
it enable add certs for all
services like pop3, imap, smtp as
well as https?
it automatically new certs close
lastly, where do I download this
version? the current version on
the download site is 7.3i2.
minds want to know!