Alternatives to LetsEncrypt certificates
-
This is more of a feature request.
It was recently announced that TLS certificate lifetimes are going to be, once again, dramatically reduced in phases. Eventually the lifetime will be 47 days as of March 15, 2029.
Here’s the schedule:
-
The maximum certificate lifetime is going down:
- From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
- As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
- As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
Obviously this means we, as administrators, will need to implement automation to manage these certificate renewals. Services like LetsEncrypt work well to get around this. However, LetsEncrypt does have its limitations, primarily in how it requires port 80 to be open for verification. In regards to MDaemon, not all of us utilize the webmail feature and/or allow MDaemon webmail to run on port 80. Those of us that fall into that category, and that can't use DNS for verification, cannot use the built-in LetsEncrypt in MDaemon to manage these certificates. In my case I've been using traditional certificates and just renew them before they expire. That's not going to be an option in the coming years due to these drastic lifetime age changes.
There are other ACME compatible certificate services that are available and that don't use the same mechanism LetsEncrypt uses for verification. One such provider is ZeroSSL. They have a free ACME compatible certificate that uses EAB (External Account Binding) credentials for verification instead of the HTTP process LetsEncrypt uses. This is perfect for those of us that can't use HTTP verification for whatever reason.
https://zerossl.com/documentation/acme/
Can this functionality be added to MDaemon as an option? I've been using it for my standard IIS certificates using WinACME (it's a fairly simple change in the WinACME settings.json to enable the ZeroSSL/EAB option). ZeroSSL also provides a portal you can use to manage your certificates, etc. The service is FAR more feature-rich than LetsEncrypt.
-
-
What prevents you from using 3rd party tools such as WinAcme to update the MDaemon certificate?
Is it because you still have to tell MDaemon to use the new certificate?
-
Yes, it is because of having to manually select the certificate in MDaemon. On one of the installs where MDaemon and IIS are on the same box and we are using ZeroSSL via WinACME, I can see the ZeroSSL certificates in MDaemon. But I have to manually choose them. The issue with that is it creates additional management burden to keep up with manually selecting the new certificate every 60 days (for example).
-
OK, I've added a wish list item to try to address the issue.
Thank you for sharing your feedback!
-
Excellent! I look forward to seeing this as an added feature in a future release.
Thank you!
-
Just happened to see the release notes for the 25.5.0a beta and saw this:
"- [28655] A new SSL/TLS option has been added: "Automatically detect and activate newer certificates". When enabled, MDaemon will check at startup and during its daily maintenance for newer versions of each active certificate for MDaemon, Webmail, and Remote Administration. If another certificate on the system expires later, is for the same hostname, and includes all alternative hostnames, MDaemon will automatically switch to it and restart the affected servers. This option is enabled by default."
I'm definitely looking forward to this! Thanks!
-
You are welcome! If you are able, we would greatly appreciate any and all help testing new functionality in the beta version.
-
@Arron I'll see if I can spin up a test server and give it a go. If so, I'll report on my test/findings.
-
I'm just testing this, and it is working well. I still have an issue to work out with getting port 443 traffic routed to the mail server, as it currently hits an nginx server, and I can't quite get the configuration right to filter the acme challenge to the mail server automatically, but when I just route all 443 to the mail server, win-acme works and the certificates are installed. I did notice what appears to be a UI issue only while testing. When I first ran win-acme and the certificates were updated, I opened a configuration session and saw that the certs were found and correctly checked and starred. In testing my routing issue, I forced the certificate renewal without caching, and the existing certificates were removed, the new ones installed, but they weren't checked or starred. This is probably just because I had a configuration session still open. The server kept handling mail correctly. All I have left is figuring out the nginx issue, automating the win-acme renewal, and perhaps switching win-acme to use my zero-ssl instead of letsencrypt. Nice!
Edit: win-acme had already set the daily renewal check.
-
The first time I generated new certificates using win-acme, changing from zero-ssl to lets-encrypt in the process, MDaemon correctly showed both certs as checked, and the default as starred, but in testing to get my routing of port 443 worked out, I've generated new certs from lets-encrypt a few times and they don't show as checked. It's not just a UI problem as I first thought. If I restart the web server it complains about not having a certificate, so I have to go in and select them.
-
I think I understand what's happening. If only the date of the cert is changed, the old cert is overwritten, and MDaemon isn't able to pick up the new one. When I generated a cert on the staging server, that was added to the list, and MDaemon picked it up and switched over. Of course the last thing I wanted was for MDaemon to be using a cert from the STAGING server, but that's just a sign I need to continue working on this on a machine that's not running my mail server. :)
-
MDaemon only checks for newer versions of active certificates at startup and during nightly maintenance. MDaemon expects the current certificate that it is using to remain in place the entire time it's in use. If the current certificate disappears from the machine, the system will not function correctly.
We'll look into adding more checks to try to prevent MDaemon from automatically switching to a staging cert.
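The selection rule quoted from the 25.5.0a release notes above, together with the two failure modes discussed in the last few replies (a renewal that overwrites the active certificate in place, and a staging certificate that expires later than the real one), as an added Python example that is not MDaemon's or win-acme's code; the `Cert` model, the sample store and the `BLOCKED_ISSUERS` list are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of what a Windows certificate store exposes; this is
# added illustration, not MDaemon's or win-acme's code.
@dataclass(frozen=True)
class Cert:
    thumbprint: str
    hostname: str          # subject common name
    sans: frozenset        # subject alternative names
    not_after: datetime
    issuer: str

# Assumption: the operator keeps a list of issuers that must never be
# activated, so a Let's Encrypt staging certificate is skipped.
BLOCKED_ISSUERS = frozenset({"(STAGING) Let's Encrypt"})

def choose_certificate(active_thumbprint, store, blocked_issuers=BLOCKED_ISSUERS):
    """Apply the 25.5.0a rule: switch only to a different certificate that
    expires later, has the same hostname and covers every alternative name
    of the active one. Returns (status, cert)."""
    active = next((c for c in store if c.thumbprint == active_thumbprint), None)
    if active is None:
        # The renewal overwrote the active certificate in place, so there is
        # nothing to compare against: this is the manual-selection case.
        return "active_missing", None
    candidates = [
        c for c in store
        if c.thumbprint != active.thumbprint
        and c.hostname == active.hostname
        and active.sans <= c.sans
        and c.not_after > active.not_after
        and c.issuer not in blocked_issuers
    ]
    if not candidates:
        return "keep", active
    return "switch", max(candidates, key=lambda c: c.not_after)

# Constructed sample store: current cert, a proper renewal, a staging cert
# that expires even later, and a renewal that dropped a SAN.
SANS = frozenset({"mail.example.com", "autodiscover.example.com"})
STORE = [
    Cert("AAA", "mail.example.com", SANS, datetime(2026, 4, 1), "Let's Encrypt"),
    Cert("BBB", "mail.example.com", SANS, datetime(2026, 6, 1), "Let's Encrypt"),
    Cert("CCC", "mail.example.com", SANS, datetime(2026, 7, 1), "(STAGING) Let's Encrypt"),
    Cert("DDD", "mail.example.com", frozenset({"mail.example.com"}),
         datetime(2026, 8, 1), "Let's Encrypt"),
]
```

Passing an empty `blocked_issuers` reproduces the staging-certificate switch seen in the thread, since the staging cert is the latest-expiring match.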
-
I shut down MDaemon and did a force renew on the certificate, and again MDaemon didn't pick up the new certificates when started. Makes sense I suppose. The first time I generated the letsencrypt certs, the old zero-ssl certs were of course not replaced, so MDaemon picked up the new certs gracefully on startup. I think the issue can be fixed by adding --keep-existing to the renewal command that win-acme generates, but I've yet to verify it. Maybe then I will write a script to remove expired certs the next time the renewal runs, so there would only be one old cert hanging around at any time. I got my nginx running in a Docker container on one machine passing the acme challenges through to win-acme running on the mail server's machine, so I'm very close to being able to not worry about certs expiring as their TTLs shrink and my travels grow. Nice!
