1

Topic: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Here's what I did, if anybody out there is looking for help. I borrowed from a couple guides across the net and this is how I got it all to work:

sudo apt-get install letsencrypt

# since using --standalone, stop nginx / apache2 first.
# also A-record(s) need to be pointing from your nameservers to your web/mail server(s) IP address(es).

# I will make certificate for example.com, www.example.com, and mail.example.com (change as needed)

letsencrypt certonly --standalone -d example.com -d www.example.com -d bounce.example.com

# enter in your email address

#####################
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your
   cert will expire on 2017-06-19. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
######################

# find where postfix and dovecot self-signed certs are,
# mv them .bak
# ln -s symlinks to new letsencrypt file
# reload?/restart the services

# where is postfix certs?
postconf smtpd_tls_cert_file smtpd_tls_key_file
# smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
# smtpd_tls_key_file = /etc/ssl/private/iRedMail.key

# where is dovecot certs?
doveconf ssl_key ssl_cert
# ssl_key = </etc/ssl/private/iRedMail.key
# ssl_cert = </etc/ssl/certs/iRedMail.crt

# save old self-signed iRedMail certs for a rainy day
mv /etc/ssl/certs/iRedMail.crt /etc/ssl/certs/iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key /etc/ssl/private/iRedMail.key.bak

# make symlink so that server will use letsencrypt certs (change example.com)
ln -s /etc/letsencrypt/live/example.com/privkey.pem /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/example.com/fullchain.pem /etc/ssl/certs/iRedMail.crt

service postfix reload
service dovecot reload

#####
# note #
# symlink seems to have done the trick for nginx, too.
#####

#turn nginx back on
service nginx start

# more info
# https://certbot.eff.org/#ubuntuxenial-nginx


# how to renew:
# test
service stop nginx
letsencrypt renew --dry-run --agree-tos
service start nginx

# how to really renew
# it suggests making a script to run renew twice a day https://certbot.eff.org/docs/using.html#renewal
service stop nginx
letsencrypt renew
service start nginx

# that's it.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Realized later that letsencrypt is the older version.
updated easily, following this http://dev-notes.eu/2016/09/upgrading-l … o-certbot/

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /opt
cd /opt

sudo ./certbot-auto renew --dry-run
sudo ./certbot-auto renew

that does the trick. I'm afraid to try simply running ./certbot-auto , as the auto script I am afraid could maybe misconfigure some things. But maybe not.

3

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Thanks for sharing!

4

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

I just installed my certs according to the first post and something weird is happening:

When using symbolic links to the certificate files I get this in syslog:

Jun  5 16:52:51 iredmail slapd[475]: @(#) $OpenLDAP: slapd  (May 30 2017 07:55:01) $#012#011buildd@binet:/build/openldap-_xApQ_/openldap-2.4.40+dfsg/debian/build/servers/slapd
Jun  5 16:52:52 iredmail slapd[446]: Starting OpenLDAP: slapd failed!
Jun  5 16:52:52 iredmail systemd[1]: slapd.service: control process exited, code=exited status=1
Jun  5 16:52:52 iredmail systemd[1]: Unit slapd.service entered failed state.

If i remove the symbolic links and copy the files instead, everything seems to work fine...

Any tips?

5

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Maybe file permission issue?

6

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

ZhangHuangbin wrote:

Maybe file permission issue?

No, it's not, I double checked...

7

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Stop openldap service first, then try this command:

strace /usr/sbin/slapd -u ldap -g ldap -f /etc/ldap/slapd.conf

It will trace the files read by OpenLDAP, i think it will print some useful info for debugging.

8

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

I'd like to install LE on my iRedMail server - I'm loathe to do anything which will damage/undo a working system.  I'm running Apache versus Nginx.

I have mail.myserver.com as the mail server which runs mail for 6 domains (all log in via https://mail.myserver.com/SOGo or in Outlook using mail.myserver.com as in/out mail servers.

So, a) what do I need to change in the first post to make the installation work for me?
      b) what files should I backup first in case something goes wrong?
       c) I'm assuming I only need to run LE for www.myserver.com and mail.myserver.com?

Thanks all.


Andrew

9

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Hi AndyInNYC:

please read our tutorial here:
http://www.iredmail.org/docs/use.a.boug … icate.html

10

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

I read the tutorial, and it still left me a little confused.

Here's my plan:

Following the Let's Encrypt guide for 'Other Ubuntu 16.04' (which hopefully will not mess with any iRedMail config files), I have :  https://certbot.eff.org/#ubuntuxenial-other

This has me apt-get the following:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

[Seems clear]

My machine's name/incoming/outgoing mail server is mail.lifeassetsllc.com.  I host email for lifeassetsllc.com, server1.com, server2.com and server3.com.  I may have a WordPress site for my wife on server3.com (i can point the DNS records to this machine).

The Let's Encrypt link says to use the command:
sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

[Question 1]:  Do I use *all* of my domains on this line as if I were going to host all my websites here (which I may)?  Any downside to this?
[Question 2]:  for lifeassetsllc.com do I also use a -d mail.lifeassetsllc.com?
[Question 3]:   Where does this command dump the new files since I need to copy/link in the iRedMail tutorial?  What should they be named if I have to go look for them?

Now, I need to edit the config files per the iRedMail tutorial for Postfix, Dovecot, Apache and MySQL.  The tutorial seems clear on this.
[Question 4]:   To prevent disaster, do i need only back up the files which I will edit per the tutorial?


Post these edits, I either restart all the services or just reboot the server.

Assuming I understand the answers as they come in to Questions 1-4, is there anything I'm missing in my steps above?

Thanks so much


Andrew

11

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

AndyInNYC wrote:

[Question 1]:  Do I use *all* of my domains on this line as if I were going to host all my websites here (which I may)?  Any downside to this?

Yes you must list all domain names (AND their web document root directory) on command line.

AndyInNYC wrote:

[Question 2]:  for lifeassetsllc.com do I also use a -d mail.lifeassetsllc.com?

I suppose you need to use 'mail.lifeassetsllc.com' as mail server address in MUA, if yes, then YES you need to add mail.lifeassetsllc.com.

AndyInNYC wrote:

[Question 3]:   Where does this command dump the new files since I need to copy/link in the iRedMail tutorial?  What should they be named if I have to go look for them?

/etc/letsencrypt

AndyInNYC wrote:

[Question 4]:   To prevent disaster, do i need only back up the files which I will edit per the tutorial?

As a sysadmin, backup always saves your life. big_smile

12

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Ah, so close but so far

So I used the command:

sudo certbot certonly --webroot -w /var/www/lifeassetsllc -d lifeassetsllc.com -d www.lifeassetsllc.com -d www.lifeasetsllc.com -d mail.lifeassetsllc.com

and got back a string of errors:

root@mail:/# sudo certbot certonly --webroot -w /var/www/lifeassetsllc -d lifeassetsllc.com -d [url=http://www.lifeassetsllc.com]www.lifeassetsllc.com[/url] -d [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url] -d mail.lifeassetsllc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lifeassetsllc.com
http-01 challenge for [url=http://www.lifeassetsllc.com]www.lifeassetsllc.com[/url]
http-01 challenge for [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url]
http-01 challenge for mail.lifeassetsllc.com
Using the webroot path /var/www/lifeassetsllc for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. [url=http://www.lifeassetsllc.com]www.lifeassetsllc.com[/url] (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [url]http://www.lifeassetsllc.com/.well-known/acme-challenge/zy_hc1QOh33Kiiz6gtI1ERuFxkufly0mBmxidqA5Nqg:[/url] "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", lifeassetsllc.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [url]http://lifeassetsllc.com/.well-known/acme-challenge/rPmwYEuYgeljSKOCyEgIB5ebK_W1K2qA8-3iFVepj00:[/url] "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url] (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url], mail.lifeassetsllc.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [url]http://mail.lifeassetsllc.com/.well-known/acme-challenge/xPvkYSQpejAvtZf9d8k3CoORxFy7MChPjpbpzLZCw5o:[/url] "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url]
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for [url=http://www.lifeasetsllc.com]www.lifeasetsllc.com[/url]

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: [url=http://www.lifeassetsllc.com]www.lifeassetsllc.com[/url]
   Type:   unauthorized
   Detail: Invalid response from
   [url]http://www.lifeassetsllc.com/.well-known/acme-challenge/zy_hc1QOh33Kiiz6gtI1ERuFxkufly0mBmxidqA5Nqg:[/url]
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   Domain: lifeassetsllc.com
   Type:   unauthorized
   Detail: Invalid response from
   [url]http://lifeassetsllc.com/.well-known/acme-challenge/rPmwYEuYgeljSKOCyEgIB5ebK_W1K2qA8-3iFVepj00:[/url]
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   Domain: mail.lifeassetsllc.com
   Type:   unauthorized
   Detail: Invalid response from
   [url]http://mail.lifeassetsllc.com/.well-known/acme-challenge/xPvkYSQpejAvtZf9d8k3CoORxFy7MChPjpbpzLZCw5o:[/url]
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
root@mail:/#

The url stuff was inserted by the forum system, not me.  Thoughts on what I have wrong?

I created a directory named /var/www/lifeassetsllc

Andrew

13

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

*) I suggest trying with '--dry-run' option, so that you won't reach the max try limit set by letsencrypt server.
*) You specified 4 domain names, do they all use "/var/www/lifeassetsllc" as web document root? If not, you must specified web document root for each domain.

14

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

ZhangHuangbin wrote:

*) I suggest trying with '--dry-run' option, so that you won't reach the max try limit set by letsencrypt server.
*) You specified 4 domain names, do they all use "/var/www/lifeassetsllc" as web document root? If not, you must specified web document root for each domain.

The machine presently only serves mail and uses the SOGo and RoundCube web interfaces - it's completely stock.  I don't care if the let's encrypt certificate only works for the email (but for all of the hosted domains if that matters).

I'm missing something - should I just use - d lifeassetsllc.com and -d mail.lifeassetsllc.com?

Andrew

15

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

You specified 4 domain names, do they all use "/var/www/lifeassetsllc" as web document root?
If not, you must specified web document root (-w) for each domain.

16

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Again, there isn't a 'website' set up for any of the domains.  I'm using the default Apache setup to access SOGo and Roundcube via https://mail.lifeassetsllc.com/SOGo.  That's likely the only way I'm accessing the system for now and for a long time (I'll worry about putting other websites there with certificates another time).

How, using that base assumption, do I get the Let's Encrypt certificate to work and install properly with iRedMail given the errors I'm seeing?

Andrew

17

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

After using --dry-run, I ran the command
letsencrypt certonly --standalone -d lifeassetsllc.com -d mail.lifeassetsllc.com
the command ran successfully, but it only generated
cert.pem  chain.pem  fullchain.pem  privkey.pem

These don't seem to be sufficient in name and quantity to follow the directions in the tutorial (am I supposed to run the openssl command also?).

Help?

Andrew

18

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

AndyInNYC wrote:

These don't seem to be sufficient in name and quantity to follow the directions in the tutorial (am I supposed to run the openssl command also?).

Those 4 files are enough. Follow our tutorial to use them:
http://www.iredmail.org/docs/use.a.boug … icate.html

19

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

the tutorial doesn't mention these files.  Again, letsencrypt only generated the following:
cert.pem
chain.pem
fullchain.pem
privkey.pem

These files aren't mentioned.  I need server.cert, server.key, etc.

Can you repoint me to where any document mentions these 4 files and how to use them to set up SSL?

Thanks.


Andrew

20

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

Any thoughts on this?

AndyInNYC wrote:

the tutorial doesn't mention these files.  Again, letsencrypt only generated the following:
cert.pem
chain.pem
fullchain.pem
privkey.pem

These files aren't mentioned.  I need server.cert, server.key, etc.

Can you repoint me to where any document mentions these 4 files and how to use them to set up SSL?

Thanks.


Andrew

21

Re: easy let's encrypt guide for ubuntu 16.04 iredmail server with nginx

cert.pem -> server.crt
privkey.pem -> server.key