Replace a TLS certificate for SMTP Server in Windows Server 2019

Some time ago I set up an SMTP server on a Windows Server 2019 machine. The FQDN for this server is smtp.mydomain.com and the smart host is set as smtp-relay.gmail.com, though I don't think that this is important.

I installed a wildcard certificate (*.mydomain.com) generated by the Let's Encrypt CA to the Personal store and was able to set up TLS for the SMTP server:


Now, I want to update the certificate. For this, I installed an updated certificate with the same subject (CN=*.mydomain.com) generated by the same CA to the Personal store. Then I stopped the SMTP server and deleted the old certificate. After that, I started the server and went to check if the new certificate had been picked up, but it was not!


The message says "TLS is not available without a certificate.", which means that the SMTP server cannot find the correct certificate. I read a dozen blogs and Q&As, but was unable to resolve this.

Does anybody know how to correctly update a certificate for an SMTP server on a Windows Server 2019 machine?

Update -- The new certificate contains a private key and works fine for a web server running on the same machine.


Solution 1:

I have the same issue with some differences.
I am in the middle of investigation; my findings so far:

I do not use wildcard certificate, I have Let's Encrypt certificate with SANs. It had worked for several months, three renews were done without any issue. Now, after the fourth renew SMTP stopped working. The last working certificate was issued on 2020-07-28, the renewal was done on 2020-09-22. If the certificate is a root of the problem, then there was some change on Let's Encrypt's side in this time period.

The behaviour is strange. When the smtpsvc service starts, it finds the certificate and logs

A TLS server certificate was found for SMTP virtual server instance '1' with thumbprint <certificate_thumbprint_removed>. TLS will be available for this virtual-server.

in the Event Log, but in Internet Information Services (IIS) 6.0 Manager in SMTP Virtual Server properties on tab Access in Secure communication section I can see

TLS is not available without a certificate.

There had to be some changes in certificate itself, or there were some Windows updates changing smtpsvc functionality or there were some changes regarding SSL/TLS.

By the way, I found Microsoft has a bug in the code of the smtpsvc service. If you use a certificate with Subject Alternative Names (SAN), when it searches for a suitable certificate it does not check the Common Name (CN), it checks the first entry in the SAN list only! If the first SAN matches the FQDN entered on tab Delivery, button Advanced..., in the field Fully-qualified domain name, smtpsvc will use the certificate. If the matching name is in the CN or in the second, third, etc. place in the SAN list, it will not use the certificate and log

No usable TLS server certificate for SMTP virtual server instance '1' could be found. TLS will be disabled for this virtual-server.
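A quick way to check which certificates in the machine's Personal store would satisfy the first-SAN matching rule described in the answer above. This is an added diagnostic script, not code from the original post or from Microsoft; it assumes the SMTP virtual server's FQDN is the value entered under Delivery > Advanced... (placeholder `smtp.mydomain.com` here), that the store is `Cert:\LocalMachine\My`, and that the SAN extension formats as `DNS Name=...` lines (the English-locale output of `X509Extension.Format`).

```powershell
# Added diagnostic (not part of the original answer): list every certificate
# in the local machine Personal store and report whether its FIRST SAN DNS
# entry matches the SMTP virtual server's FQDN, which is the only entry the
# answer above says smtpsvc compares against.
param(
    # Assumption: the FQDN configured on the Delivery tab, Advanced... button.
    [string]$SmtpFqdn = 'smtp.mydomain.com'
)

$sanOid = '2.5.29.17'   # id-ce-subjectAltName

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $ext) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=smtp.mydomain.com"
    # (assumes an English locale; other locales label the entry differently).
    $lines = $ext.Format($true) -split "`r?`n"
    foreach ($line in $lines) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
    }
}

function Test-NameMatch {
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern -eq $Fqdn) { return $true }
    # A wildcard covers exactly one left-most label: *.mydomain.com matches
    # smtp.mydomain.com but not a.b.mydomain.com.
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)   # ".mydomain.com"
        return ($Fqdn.EndsWith($suffix) -and
                ($Fqdn.Substring(0, $Fqdn.Length - $suffix.Length) -notmatch '\.'))
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $dns  = @(Get-SanDnsNames -Cert $cert)
    $cn   = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $first = if ($dns.Count -gt 0) { $dns[0] } else { '(no SAN)' }
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cn
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        FirstSan        = $first
        FirstSanMatches = (Test-NameMatch -Pattern $first -Fqdn $SmtpFqdn)
        AnySanMatches   = [bool]($dns | Where-Object { Test-NameMatch -Pattern $_ -Fqdn $SmtpFqdn })
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the SMTP host. A certificate whose `AnySanMatches` is true but `FirstSanMatches` is false is exactly the case the answer describes: the name is present, but not in the first SAN position, so smtpsvc would skip it. Comparing the `Thumbprint` column against the thumbprint in the "A TLS server certificate was found" event also shows which certificate the service actually selected after a restart.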