
Let's Encrypt Renewal

Arron Caruth - 07:04am, Apr 19 2017

Hi Rob,

 

The script will need to be run to renew the certificate.  My recommendation would be to set up a task in Windows Task Scheduler to run the script at the desired interval.

 

Below is an example of the arguments to use when running via Task Scheduler.

 

-ExecutionPolicy Bypass C:\MDaemon\LetsEncrypt\letsencrypt.ps1 -AlternateHostNames mail.mydomain.com,wc.mydomain.com,autodiscover.mydomain.com -To admin@mydomain.com

 

 

-- 

Arron Caruth
Director of Product Development
Alt-N Technologies
http://www.altn.com

 


 

From: MD-Beta@altn.com [mailto:MD-Beta@altn.com] On Behalf Of Rob Deal
Sent: Tuesday, April 18, 2017 11:06 PM
To: Alt-N (md-beta@altn.com)
Subject: [MD-Beta] Let's Encrypt Renewal

 

Hi Guys

 

Is there an automated feature in MDaemon to renew the Let’s Encrypt cert or is this a manual task?

 

If it is a manual task, what is the procedure to renew the cert?

 

 

Regards,

 

Rob Deal

Technical Director

Orion Computers Pty Ltd

 

This email is powered by the MDaemon Messaging Server

 

 
 
--------------------------------------------------------------------------
Information discussed on the Alt-N Technologies Beta list may not be
shared outside of this forum. Participants on the Beta List are strictly
prohibited from disclosing information found on this forum, or in product
beta release notes/executables, to any web site, blog, Internet forum, or
public Internet site. Information about pre-release products and future
product plans is private.
 
Beta subscriptions can be managed by logging into www.altn.com and 
clicking My Account.
--------------------------------------------------------------------------

--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe
from this mailing list send an email to md-support-unsubscribe@altn.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by Alt-N Technologies for user-to-user
support and discussion.  Alt-N staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.altn.com/Support/RequestSupport/
--------------------------------------------------------------------------


Jay Tolbert - May 24, 2017 12:03 pm (#7 Total: 7)  

 

The Renewal Exemption should still allow you to renew even if you
exceeded the Duplicate Certificate limit.

That said, there does not seem to be a reason to schedule renewal checks
more frequently than weekly. With a weekly renewal check, there are 4
attempts after 60 days (when they recommend renewing) to get a
successful transaction before the certificate expires in 90 days. Plus
that allows scheduling the MDaemon restart at a low use time.

Depending upon when they let you renew a certificate, the 28 day method
may only give you one chance at a successful renewal. If a certificate
is renewed at day 0, it would try again at day 28, then again at day 56
(I assume this is still too early since it's less than 60), then try
again at day 84. If the day 84 try failed, the next try would be at day
112 which is after expiration. To get two attempts in the 60-90 day
window you would need to use a 30 day period (renewal attempts on days
60 and 90) or any period not longer than 22 days (renewals at days 66 and
88).

Jay Tolbert
Dickerson Engineering, Inc.

On 5/24/2017 1:25 AM, Dave Warren wrote:
> Actually in context, Duplicate Certificate limit of 5 certificates per
> week would bite you first if you were renewing too often. Nonetheless,
> you could even renew weekly without anything blowing up in your
> (proverbial) face, if desired.
>
> On Tue, May 23, 2017, at 23:24, Dave Warren wrote:
>> Indeed, it's a bit of a different design. Let's Encrypt limits you to 20
>> certificates per domain, per week, so you could realistically run it far
>> more often if you wanted. Every 60 days worries me because if anything
>> fails, the certificate will expire before the script is called again.
>>
>> certbot's approach is arguably better because if you follow the
>> recommendations there will be 2*30 chances to renew a certificate, so
>> transient errors won't cause any harm.
>>
>> I might suggest running the script every 28 days, this is renewing more
>> than necessary but not excessively so, but if a transient failure occurs
>> there will be two more chances for the certificate to get renewed before
>> it expires at 90 days.
>>
>> https://letsencrypt.org/docs/rate-limits/ has details.
>>
>> If you understand how webcal:// feeds work, you might check out
>> domainical.org which is a (currently free) service to monitor when
>> domains and certificates expire. You can add the feed (not the ICS file,
>> the actual feed) into many calendars (not WorldClient though), it will
>> show you expiry dates as calendar events. When the certificate is
>> renewed, the appointment will be moved (within 24 hours), so it's an
>> "out of sight, out of mind" approach until you see the appointment in
>> the next couple of weeks, then you know you need to step in and
>> investigate.
>>
>>
>>
>> On Tue, May 23, 2017, at 23:04, Alex H wrote:
>>> Thanks Rob. That's how I set it up for now.
>>>
>>> I was asking because certbot (previously known as "the official Let’s
>>> Encrypt client") recommends to run their update check twice a day. But,
>>> in contrast to the MDaemon powershell script, they seem to check if the
>>> cert is close to expiry or was revoked etc - and do nothing if no action
>>> is required.
>>>
>>> I tried running C:\MDaemon\LetsEncrypt\letsencrypt.ps1 a second time (to
>>> test the Task Scheduler) and it indeed seemed to download the cert again
>>> (or a new cert) and restart MDaemon. So I settled for 60 days instead.
>>>
>>> Reference from certbot instructions:
>>>
>>>> Note:
>>>>
>>>> if you're setting up a cron or systemd job, we *recommend running it
>>>> twice per day* (it won't do anything until your certificates are due
>>>> for renewal or revoked, but running it regularly would give your site
>>>> a chance of staying online in case a Let's Encrypt-initiated
>>>> revocation happened for some reason). Please select a random minute
>>>> within the hour for your renewal tasks.
>>>>
>>> - Alex
>>>
>>>
>>> On 24-May-17 13:00, Rob Deal wrote:
>>>> Hi Alex
>>>>
>>>> Let's Encrypt recommend renewing every 60 days.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Rob Deal
>>>> Technical Director
>>>> Orion Computers Pty Ltd
>>>> Ph: 03 9645 2224
>>>> Fax: 03 9645-1112
>>>> Mob: 0417 316 117
>>>>
>>>> This email is powered by the MDaemon Messaging Server
>>>>
>>>> -----Original Message-----
>>>> From: md-support@altn.com [mailto:md-support@altn.com] On Behalf Of Alex H
>>>> Sent: Wednesday, 24 May 2017 11:15 AM
>>>> To: md-support@altn.com
>>>> Subject: [md-support] Let's Encrypt Renewal
>>>>
>>>> Hi Arron,
>>>>
>>>> how often do you run this via Task Scheduler?
>>>>
>>>> - Alex
>>>>
>>>> On 19-Apr-17 20:04, Arron Caruth wrote:
>>>>> Hi Rob,
>>>>>
>>>>> The script will need to be run to renew the certificate. My
>>>>> recommendation would be to set up a task in Windows Task Scheduler to
>>>>> run the script at the desired interval.
>>>>>
>>>>> Below is an example of the arguments to use when running via Task
>>>>> Scheduler.
>>>>>
>>>>> -ExecutionPolicy Bypass C:\MDaemon\LetsEncrypt\letsencrypt.ps1
>>>>> -AlternateHostNames
>>>>> mail.mydomain.com,wc.mydomain.com,autodiscover.mydomain.com -To
>>>>> admin@mydomain.com
>>>>>
>>>>> --
>>>>>
>>>>> Arron Caruth
>>>>> Director of Product Development
>>>>> Alt-N Technologies
>>>>> http://www.altn.com <http://www.altn.com/>
>>>>>
>>>>>
>>>>> *From:*MD-Beta@altn.com [mailto:MD-Beta@altn.com] *On Behalf Of *Rob
>>>>> Deal
>>>>> *Sent:* Tuesday, April 18, 2017 11:06 PM
>>>>> *To:* Alt-N (md-beta@altn.com)
>>>>> *Subject:* [MD-Beta] Let's Encrypt Renewal
>>>>>
>>>>> Hi Guys
>>>>>
>>>>> Is there an automated feature in MDaemon to renew the Let’s Encrypt
>>>>> cert or is this a manual task?
>>>>>
>>>>> If it is a manual task, what is the procedure to renew the cert?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Rob Deal
>>>>>
>>>>> Technical Director
>>>>>
>>>>> Orion Computers Pty Ltd
>>>>>
>>>>> This email is powered by the MDaemon Messaging Server
>>>>>
>>>>
>>>
>>>
>
>
>
>
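
The thread contrasts certbot, which does nothing until a certificate is due, with letsencrypt.ps1, which was observed to fetch a certificate and restart MDaemon on every run. The wrapper below is an added example, not part of MDaemon or of any post above: it reads the expiry date of the certificate currently being served and calls the renewal script only inside the renewal window. The host name, port 443, the 30-day threshold and the wrapper itself are assumptions; the script path and its -AlternateHostNames and -To arguments are the ones quoted in the thread.

```powershell
# Added example (not part of MDaemon): renew only when the served certificate is near expiry.
# Assumed values: host name, port 443 (HTTPS) and the 30-day threshold.
param(
    [string]$HostName    = 'mail.mydomain.com',
    [int]$Port           = 443,
    [int]$RenewWithin    = 30,   # days before expiry, i.e. day 60 of a 90-day certificate
    [string]$RenewScript = 'C:\MDaemon\LetsEncrypt\letsencrypt.ps1'
)

function Get-ServedCertExpiry {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: we only read its dates, and an expired or
        # mismatched certificate is exactly the case that must not block the check.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return $cert.NotAfter   # expiry in local time
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

try {
    $expiry = Get-ServedCertExpiry -HostName $HostName -Port $Port
} catch {
    # Certificate could not be read (service down, port closed): exit non-zero so the
    # task's last-run result shows a failure instead of silently skipping renewal.
    Write-Error "Cannot read certificate from ${HostName}:${Port}: $_"
    exit 2
}

$daysLeft = [math]::Floor(($expiry - (Get-Date)).TotalDays)
if ($daysLeft -gt $RenewWithin) {
    Write-Output "Certificate valid for $daysLeft more days; nothing to do."
    exit 0
}

Write-Output "Certificate expires in $daysLeft days; running $RenewScript"
$altNames = 'mail.mydomain.com', 'wc.mydomain.com', 'autodiscover.mydomain.com'
& $RenewScript -AlternateHostNames $altNames -To 'admin@mydomain.com'
```

Scheduled daily, this leaves about 30 attempts between day 60 and day 90, and a run that finds the certificate still fresh neither requests a new one nor restarts MDaemon.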



