1

Topic: Request a free cert from Let's Encrypt

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
yes
- Linux/BSD distribution name and version: ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Request a free cert from Let's Encrypt:

root@mail:~# certbot certonly --webroot --dry-run -w /opt/www/well_known -d mail.asklepiy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ruslan.griban@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA … -2017.pdf. You must
agree in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: y
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.asklepiy.com
Using the webroot path /opt/www/well_known for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: service postfix restart; service nginx restart; service dovecot restart
Error output from service:
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

Failed authorization procedure. mail.asklepiy.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.asklepiy.com/.well-known/ac … BTP1H2MRk: Connection refused

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mail.asklepiy.com
   Type:   connection
   Detail: Fetching
   http://mail.asklepiy.com/.well-known/ac … BTP1H2MRk:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@mail:~#

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 (edited by JohnDeNoma 2020-01-16 16:32:39)

Re: Request a free cert from Let's Encrypt

out of curiousity, did you change your http directory for Nginx?  I had that problem too when I tried to change my directory.

Mine is located at /var/www/html not in the opt directory for a base install, and check to make sure Nginx is actually running.  I had my Nginx crash and I didn't realize it (because I dont use webmail all that often) I just noticed when I tried to access the admin panel

things I would try:

1. Verify that port 80 is being forwarded to your machine
2.  Verify that Nginx is running (sudo systemctl status Nginx)
3.  verify your root address.  try using ../www/html/ which is the base that Nginx is set up to use

3

Re: Request a free cert from Let's Encrypt

asklepiy wrote:

- Deployed with iRedMail Easy or the downloadable installer?
yes

This isn't a very good answer to the question, and it could directly impact the problem that you're having.

4

Re: Request a free cert from Let's Encrypt

- enable 80 & 443 on nftables or iptables
- if the server does not have a global address and you use port forwarding, then you need to redirect 80 and 443
-


STEP'S

apt install certbot python-certbot-nginx
certbot certonly --webroot --dry-run -w /var/www/html -d mail.example.com
certbot certonly --webroot -w /var/www/html -d mail.example.com
chmod 0644 /etc/letsencrypt/{live,archive}
mv /etc/ssl/certs/iRedMail.crt{,.bak}
mv /etc/ssl/private/iRedMail.key{,.bak}
ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/ssl/private/iRedMail.key
certbot certificates
service nginx restart
service postfix restart
service dovecot restart
service sogo restart


https://docs.iredmail.org/letsencrypt.html

5

Re: Request a free cert from Let's Encrypt

If you use IPV6 you have to activate it in nginx:

 # Listen on ipv6.
        listen [::]:80;

and

 # Listen on ipv6.
        listen [::]:443;