1 Topic by pepito_palotes2000

  • pepito_palotes2000
  • Member
  • Offline
  • Registered: 2015-01-14
  • Posts: 6

Topic: How to setup PositiveSSL digital certificate from Comodo (solved)

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Centos 6.6
- Related log if you're reporting an issue:
====

I would like to share that to the community.

I have just purchased a PositiveSSL digital certificate from Comodo.

I received 6 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_name_server.crt
private.key
ServerCertificate.pfx

To install the certificate in iRedMail you must:
1. Backup iRedMail default certificate
cp /etc/pki/tls/certs/iRedMail_CA.pem /etc/pki/tls/certs/iRedMail_CA.pem.Backup
cp /etc/pki/tls/private/iRedMail.key /etc/pki/tls/private/iRedMail.key.Backup

2. Concatemate these three into a single file, in this particular order and name the result as certificate.pem (for example)
cat my_name_server.crt > certificate.pem
cat COMODORSADomainValidationSecureServerCA.crt >> certificate.pem
cat COMODORSAAddTrustCA.crt >> certificate.pem

After concatenation, the file should look like:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

3. Overwrite /etc/pki/tls/certs/iRedMail_CA.pem with certificate.pem
mv -f certificate.pem /etc/pki/tls/certs/iRedMail_CA.pem

4. Overwrite /etc/pki/tls/private/iRedMail.key with private.key
mv -f private.key /etc/pki/tls/private/iRedMail.key

5. Restart iRedMail server to apply changes to all system services (dovecot, postfix, apache, etc...)

Best regards

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by dorpha

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

for step 2. you could simply do:

cat my_name_server.crt + COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt  > certificate.pem

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Thanks for sharing. smile

4 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

pepito_palotes2000 wrote:

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Centos 6.6
- Related log if you're reporting an issue:
====

I would like to share that to the community.

I have just purchased a PositiveSSL digital certificate from Comodo.

I received 6 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_name_server.crt
private.key
ServerCertificate.pfx

To install the certificate in iRedMail you must:
1. Backup iRedMail default certificate
cp /etc/pki/tls/certs/iRedMail_CA.pem /etc/pki/tls/certs/iRedMail_CA.pem.Backup
cp /etc/pki/tls/private/iRedMail.key /etc/pki/tls/private/iRedMail.key.Backup

2. Concatemate these three into a single file, in this particular order and name the result as certificate.pem (for example)
cat my_name_server.crt > certificate.pem
cat COMODORSADomainValidationSecureServerCA.crt >> certificate.pem
cat COMODORSAAddTrustCA.crt >> certificate.pem

After concatenation, the file should look like:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

3. Overwrite /etc/pki/tls/certs/iRedMail_CA.pem with certificate.pem
mv -f certificate.pem /etc/pki/tls/certs/iRedMail_CA.pem

4. Overwrite /etc/pki/tls/private/iRedMail.key with private.key
mv -f private.key /etc/pki/tls/private/iRedMail.key

5. Restart iRedMail server to apply changes to all system services (dovecot, postfix, apache, etc...)

Best regards

Has anyone successfully done this with Debian Jessie and PGSQL?

When I follow this Roundcube & admin are inaccessable via it's IP and accounts inaccessable to clients (Timing out).

Any pointers on how to troubleshoot this?

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Jon,

We have a tutorial for you:
http://www.iredmail.org/docs/use.a.boug … icate.html

6 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Zhang,

Thanks for this, I have followed this tutorial in the past when using Let's Encrypt certs and all worked fine.

For some reason the Comodo one is causing me trouble. I'll spin up a fresh server and re-try it.

7 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Jon Bellamy wrote:

Hi Zhang,

Thanks for this, I have followed this tutorial in the past when using Let's Encrypt certs and all worked fine.

For some reason the Comodo one is causing me trouble. I'll spin up a fresh server and re-try it.

I tried it again with a fresh install of apache/mySQL/debian jessie and the same thing.

Is there a reputable combination of cert that is proven to work. Let's Encrypt's 3 month renewal doesn't work for us.

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

I'm confused.

You should generate a key file and submit to your SSL vendor to sign it, then you should get one cert file and one bundle file from SSL vendor. You don't need to modify any of them, just copy them to proper directory, then update Postfix/Dovecot/Apache/Nginx config files to use them. That's it. Your first post in this thread implies that you modified them.

Jon Bellamy wrote:

Is there a reputable combination of cert that is proven to work. Let's Encrypt's 3 month renewal doesn't work for us.

Let's Encrypt works fine with Postfix/Dovecot/Apache/Nginx/..., why it doesn't work for you? You can renew it before expire, then restart services.

9 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:

I'm confused.

You should generate a key file and submit to your SSL vendor to sign it, then you should get one cert file and one bundle file from SSL vendor. You don't need to modify any of them, just copy them to proper directory, then update Postfix/Dovecot/Apache/Nginx config files to use them. That's it. Your first post in this thread implies that you modified them.

Jon Bellamy wrote:

Is there a reputable combination of cert that is proven to work. Let's Encrypt's 3 month renewal doesn't work for us.

Let's Encrypt works fine with Postfix/Dovecot/Apache/Nginx/..., why it doesn't work for you? You can renew it before expire, then restart services.

I followed the instructions to copy the concatented file to the location of iRedMali_CA.pem However that file doesn't exist under a debian installation. Under these instruction I should have to modify Postfix, dove cot etc just reboot. However when I reboot I cannot even reach the admin panel via it's IP.

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Instead of replacing the ssl cert/key generated by iRedMail, you can simply copy to same (or different) directory, then update Postfix/Dovecot/... config files to use the correct one.

11 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:

Instead of replacing the ssl cert/key generated by iRedMail, you can simply copy to same (or different) directory, then update Postfix/Dovecot/... config files to use the correct one.

I have tried this. same result.

Connections to the server “mail.xxxxx.com” on the default ports timed out.

Where I used the concatonated pem file instead of iRedmail.crt in Dovecot and Postix.

I didnt add the bundle line to postfix as I don't have one.

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Jon Bellamy wrote:

I didnt add the bundle line to postfix as I don't have one.

Then add it manually.

I configured SSL with different SSL vendors many times, all work fine. There must be some wrong steps in your setup.
It's very simple: copy your ssl key, cert, bundle files to server, then update config files to use them. that's it.

13 Reply by Jon Bellamy

  • Jon Bellamy
  • Member
  • Offline
  • Registered: 2016-06-22
  • Posts: 6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:
Jon Bellamy wrote:

I didnt add the bundle line to postfix as I don't have one.

Then add it manually.

I configured SSL with different SSL vendors many times, all work fine. There must be some wrong steps in your setup.
It's very simple: copy your ssl key, cert, bundle files to server, then update config files to use them. that's it.

Comodo don't give you a bundle file.

14 Reply by Frankstar (edited by Frankstar 2017-01-06 02:25:17)

  • Frankstar
  • Member
  • Offline
  • Registered: 2010-09-27
  • Posts: 70

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

well you dont need the bundle file at all.

Copy the files to the correct locations

SSLCertificateFile -> /etc/pki/tls/certs/yourcertname.crt
SSLCertificateKeyFile -> /etc/pki/tls/private/yourprivatekeyname.key
SSLCACertificateFile -> /etc/pki/tls/certs/yourcacertname.crt

if you get a single file from comodo split it in seperate files.
if you get an Email with the certs in plain text -> copy them into files.

and so on.

and than adjust services (centos as example)

/etc/httpd/conf.d/ssl.conf
/etc/dovecot/dovecot.conf   
/etc/postfix/main.cf

15 Reply by iliya

  • iliya
  • Member
  • Offline
  • Registered: 2020-02-27
  • Posts: 2

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

How can install PositiveSSL digital certificate from Comodo?

I received 4 files:

AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt
SectigoRSADomainValidationSecureServerCA.crt
yourcacertname.crt

Which folder the files are copied to.... ?

I copied 4 files to /etc/pki/tls/certs

How can concatemate these three into a single file ?
I try commands cat yourcacertname.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
catyourcacertname.crt  COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt  > certificate.pem

Return: No such file or directory

16 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Iliya,

Does this tutorial help?
https://docs.iredmail.org/use.a.bought. … icate.html

17 Reply by iliya

  • iliya
  • Member
  • Offline
  • Registered: 2020-02-27
  • Posts: 2

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

I tried this tutorial but nothing worked. How to install this certificate step by step ?