1

Topic: Adding Letsencrypt certificate for second domain

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NginX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi all

I have just added a second domain to my iRedMail server, but I'm having problems with the certificate ...

I have updated the DNS for the new domain, and added it to /etc/amavis/conf.d/50-user file. I have verified that I can receive mails on the domain.

Now I have gotten new certificates from Let's Encrypt, but I can't figure out how to install these - especially in regards to Nginx. I can't just add them to /etc/nginx/templates/ssl.tmpl - Hope someone can guide me.

Thanks


2 (edited by pnjo23 2018-07-22 18:10:18)

Re: Adding Letsencrypt certificate for second domain

Not sure what you mean by "second domain" but here's how you'd secure Nginx with Let's Encrypt:

- Open and edit the SSL template file: sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines:
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:
ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;

Save and close the file. Then test nginx configuration and reload:
sudo nginx -t
sudo systemctl reload nginx

You will also need to configure Postfix and Dovecot to use the Let's Encrypt issued certificate so that desktop mail clients won't display a security warning.

Edit the main configuration file of Postfix:
sudo nano /etc/postfix/main.cf

Find the following 3 lines:
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.com/chain.pem

Save and close the file. Then reload Postfix:
sudo postfix reload

Next, edit the main configuration file of Dovecot:
sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines:
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

Save and close the file. Then reload dovecot:
sudo dovecot reload

To auto renew certificate, simply open root user’s crontab file:
sudo crontab -e

Then add the following line at the bottom of the file:
@daily letsencrypt renew --quiet && /usr/sbin/postfix reload && /usr/sbin/dovecot reload && systemctl reload nginx

3

Re: Adding Letsencrypt certificate for second domain

pnjo23 wrote:

Not sure what you mean by "second domain" but here's how you'd secure Nginx with Let's Encrypt:

Hi pnjo23

Sorry if my description was lacking some info.

I have created my mailserver with domain1.com and added certificates according to the guide you have described. Everything is working perfectly.

Now I would like to add a second domain, let's call it domain2.com. In order for me to allow users to access both domain1.com/mail and domain2.com/mail I need to add SSL certificates for domain2.com in Nginx somewhere, but I can't seem to figure out how to do it :(

For Postfix and Dovecot I assume I do not need to add a new certificate, since I have added domain1.com as MX for domain2.com, and therefore only domain1.com is used for mail.

I'm aware I could just make a webforward or something from domain2.com to domain1.com, but I think the other way around is more correct.

I found this guide: https://www.linuxbabe.com/mail-server/u … stallation - See the last bit about "Using Separate Domain for RoundCube". It is this part I'm struggling with.

4

Re: Adding Letsencrypt certificate for second domain

The ideal setup would be to use single certificate for all traffic. So your mail server could be i.e. mail.runbergmail.com which handles mail for multiple domains and also webmail could be found in mail.runbergmail.com/mail.

This is by far the easiest and recommended way to handle multiple domains.

5 (edited by Jochen 2018-07-24 04:03:49)

Re: Adding Letsencrypt certificate for second domain

Hi,

if I get you right, you already have successfully installed a lets encrypt certificate for domain1. In this case you can just use the certbot cli-tools to add further hosts to your existing certificate.

See -extend Flag: https://certbot.eff.org/docs/using.html … rtificates

To get to the certbot documentation for your system, use https://certbot.eff.org

You could even add more hosts, to use for example as MX for domain2.com; the certificate is shared among nginx, postfix, dovecot etc. But if you want to automate issuing/renewal of certs, you need to make sure that the DNS zone is up and running and the hosts used in the expand statement point to your iRedMail host.
Especially adding hosts to use for MX might prove tricky as you might need to add extra config steps to make them available for the web based auth process.
I urge you to read the certbot manual so you can decide if you might want to use the dns-based authentication for your purpose.

Sorry, I do not have the exact working command at hand, as I am not using this anymore. But I guess for this use case it is a good way to go!

-Jochen

6

Re: Adding Letsencrypt certificate for second domain

RikuS wrote:

The ideal setup would be to use single certificate for all traffic. So your mail server could be i.e. mail.runbergmail.com which handles mail for multiple domains and also webmail could be found in mail.runbergmail.com/mail.

This is by far the easiest and recommended way to handle multiple domains.

Yes! - That would be the easiest way, and this is basically also the way I handle the MX - But for the webmail I would like users to be able to access it from http://randomdomain1.com/mail and http://randomdomain2.com/mail.
But it is for sure a nice to have feature, and keeping it simple might be the best approach in the long run!

Jochen wrote:

if I get you right, you already have successfully installed a lets encrypt certificate for domain1. In this case you can just use the certbot cli-tools to add further hosts to your existing certificate.

See -extend Flag: https://certbot.eff.org/docs/using.html … rtificates

If it could work as simple as this, it would for sure be ideal. I will look more into this. Thanks!

7

Re: Adding Letsencrypt certificate for second domain

Runberg wrote:
Jochen wrote:

if I get you right, you already have successfully installed a lets encrypt certificate for domain1. In this case you can just use the certbot cli-tools to add further hosts to your existing certificate.

See -extend Flag: https://certbot.eff.org/docs/using.html … rtificates

If it could work as simple as this, it would for sure be ideal. I will look more into this. Thanks!

It was as simple as that :)

The original certificate I installed using this command:

sudo certbot certonly --webroot --agree-tos --email your-email-address -d mail.your-domain.com -w /var/www/html/

And just now I successfully extended the certificate with one more domain, without the need of any additional configuration in Nginx, using this command:

sudo certbot certonly --webroot --agree-tos --email your-email-address --expand -d mail.your-domain.com,mail.your-second-domain.com -w /var/www/html/

With this, users having an email address user@your-domain.com can access their webmail on https://your-domain.com/mail and users with an email user@your-second-domain.com can access their webmail on https://your-second-domain.com/mail - All sites with validated certificates :D
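Added example (not from this thread, iRedMail or certbot): once the expanded certificate from the command above is in place and nginx, Postfix and Dovecot point at the same /etc/letsencrypt/live/<name>/ files as described in post 2, the remaining risk is a renewal that silently drops a SAN or ships a key/cert mismatch and then gets reloaded into all three services by the cron line. The script below is a certbot deploy hook that refuses to reload until the renewed lineage covers every mail hostname and the key matches the certificate. It assumes a certbot version that supports deploy hooks (certbot exports RENEWED_LINEAGE to them); the hostnames in MAIL_HOSTS are placeholders taken from the thread and must be replaced with your own.

```shell
#!/bin/sh
# Added example, not part of the original thread or of iRedMail/certbot.
# Install as /etc/letsencrypt/renewal-hooks/deploy/check-mail-cert.sh (chmod +x)
# or pass it with --deploy-hook; certbot sets RENEWED_LINEAGE to the
# /etc/letsencrypt/live/<name> directory that was just renewed.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed only if certificate $1 carries a SAN for every hostname given after it
# (case-insensitive, exact match; no wildcard handling).
cert_covers_hosts() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qix "$h" \
            || { echo "certificate $cert lacks SAN for $h" >&2; return 1; }
    done
}

# Succeed only if private key $2 belongs to certificate $1
# (compare the SHA-256 of the public key extracted from each).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Full pre-reload check for a lineage directory: SAN coverage, key match,
# and at least one day of validity left.
deploy_check() {
    lineage="$1"; shift
    cert_covers_hosts "$lineage/cert.pem" "$@" || return 1
    key_matches_cert "$lineage/cert.pem" "$lineage/privkey.pem" \
        || { echo "$lineage/privkey.pem does not match cert.pem" >&2; return 1; }
    openssl x509 -in "$lineage/cert.pem" -noout -checkend 86400 >/dev/null \
        || { echo "$lineage/cert.pem expires within 24 hours" >&2; return 1; }
}

# Placeholder hostnames from the thread; replace with the names your
# nginx, Postfix and Dovecot actually answer to (assumption, not from the page).
MAIL_HOSTS="mail.your-domain.com mail.your-second-domain.com"

# Only act when certbot invokes us as a deploy hook; sourcing the file for
# its functions (as the test below does) leaves the services untouched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_check "$RENEWED_LINEAGE" $MAIL_HOSTS || exit 1
    nginx -t && systemctl reload nginx
    postfix reload
    dovecot reload
fi
```

With the hook in place the cron line from post 2 can shrink to a plain `letsencrypt renew --quiet` (or `certbot renew --quiet`), because the reloads now happen only after a renewal that passed the check; a failed check leaves the previous, still-valid certificate loaded in all three services and the reason on stderr.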

8

Re: Adding Letsencrypt certificate for second domain

How do I add a third domain? I tried several ways here and I couldn't, even the second one works.
thanks.

9

Re: Adding Letsencrypt certificate for second domain

You replied to a 4 years old thread, please create a new forum topic for your own question.