1 (edited by tomwho 2017-10-01 07:32:34)

Topic: Setting up Let's Encrypt with iRedMail and Apache — How?

The iRedMail documentation says this about using Let's Encrypt for SSL:

The --apache option of certbot program will modify Apache config files, most of the time it messes up iRedMail configurations, so it's better to get the cert with certonly --webroot option while requesting cert, then follow tutorial below to update config files to use the cert.

In the Certbot documentation about using the --webroot option it says this:

If you’re running a local webserver for which you have the ability to modify the content being served, and you’d prefer not to stop the webserver during the certificate issuance process, you can use the webroot plugin to obtain a certificate by including certonly and --webroot on the command line. In addition, you’ll need to specify --webroot-path or -w with the top-level directory (“web root”) containing the files served by your webserver. For example, --webroot-path /var/www/html or --webroot-path /usr/share/nginx/html are two common webroot paths.

So if I am only using iRedMail on my server with Apache and MySQL, which domain do I get an SSL certificate for: the server hostname, or each email domain I set up in iRedMail? Also, as I'm not using SSL on an actual website, what is the "web root" directory containing the files served by iRedMail? Or does that part not matter in the case of iRedMail?

And if I have a subdomain like mx.mydomain.com set up for people to use in their email readers, do I need an SSL for that subdomain, too, or just the server hostname?

I'm just a bit confused and was hoping someone had clear, step-by-step instructions on how to use Let's Encrypt with iRedMail and Apache/MySQL.

Thanks!

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 MARIADB edition
- Linux/BSD distribution name and version: CentOS 7.4.1708
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
====


2 (edited by heeter 2017-10-02 23:26:15)

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Hi

Just to let you know that I personally didn't have any issues installing 3 LE certs on top of a current production iRedMail server; I just followed the regular LE instructions. I did just the usual 3 main domains/subdomains that I used:

domain.com
www.domain.com
mail.domain.com

I guess that in your case you would add an "mx.domain.com" to the list.

Regards

3

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

heeter wrote:

Just to let you know that I personally didn't have any issues of installing 3 LE certs on top of a current production IredMail server, just followed the regular LE instructions.

Did you do the Apache install of LE, or the Webroot install that iRedMail recommends?

4

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

tomwho wrote:
heeter wrote:

Just to let you know that I personally didn't have any issues of installing 3 LE certs on top of a current production IredMail server, just followed the regular LE instructions.

Did you do the Apache install of LE, or the Webroot install that iRedMail recommends?

So far I personally think the --standalone version of LE works best.

E.g.:
letsencrypt certonly --standalone -d domain.com -d sub.domain.com -d mx.domain.com

mv /etc/ssl/certs/iRedMail.crt /etc/ssl/certs/iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key /etc/ssl/private/iRedMail.key.bak
ln -s /etc/letsencrypt/live/domain.com/privkey.pem /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/domain.com/fullchain.pem /etc/ssl/certs/iRedMail.crt

Hopefully this helps you.

5

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

tomwho wrote:
heeter wrote:

Just to let you know that I personally didn't have any issues of installing 3 LE certs on top of a current production IredMail server, just followed the regular LE instructions.

Did you do the Apache install of LE, or the Webroot install that iRedMail recommends?

Just the standalone LE, like Jochie mentioned.

6

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Jochie,

That's it? That's all I need to do to get it working? Have I been over-analyzing this and fretting for no reason?

Andrew

7

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Jochie wrote:

So far i personally think the --standalone version of LE works best.

How did you come up with those steps? I can't find anything like that on the CertBot site (https://certbot.eff.org/docs/using.html#standalone) or the iRedMail site (http://www.iredmail.org/docs/use.a.boug … icate.html).

If I use the standalone setup, do I follow these instructions from the iRedMail docs?

http://www.iredmail.org/docs/use.a.boug … ertificate

I'm really confused now.

8 (edited by tomwho 2017-10-05 11:12:18)

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

So I tried the certbot command that iRedMail docs recommend:

certbot certonly --webroot -d example.com

Part way through the process, I am asked this:

Select the webroot for example.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 

FYI, I did replace "example.com" with my actual domain when I ran this.

What is the webroot for iRedMail? Once I enter that, then what? Do I just follow the instructions here...?

http://www.iredmail.org/docs/use.a.boug … ertificate

Also, has anyone used Acme PHP to set this up? https://acmephp.github.io

Confused!

9

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

tomwho wrote:

What is the webroot for iRedMail?

On CentOS, it's /var/www/html by default. You should run:

certbot certonly --webroot -d example.com -w /var/www/html

Before you run the command, try to access your domain name with a web browser to make sure it correctly displays web files under /var/www/html.

10

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

ZhangHuangbin wrote:

On CentOS, it's /var/www/html by default. You should run:

certbot certonly --webroot -d example.com -w /var/www/html

Before you run the command, try to access your domain name with a web browser to make sure it correctly displays web files under /var/www/html.

Thank you! Is that all I need to do, or do I then need to follow all the instructions on this page under the heading Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate?

http://www.iredmail.org/docs/use.a.boug … ertificate

11

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

tomwho wrote:

do I then need to follow all the instructions on this page under the heading Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate?

http://www.iredmail.org/docs/use.a.boug … ertificate

Yes.

12

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

tomwho wrote:

Thank you! Is that all I need to do, or do I then need to follow all the instructions on this page under the heading Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate?

http://www.iredmail.org/docs/use.a.boug … ertificate

The question is: did you buy an SSL certificate, or not? If not, Let's Encrypt is sufficient.
If you bought one, you should follow ZhangHuangbin's ;-)

13

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Jochie wrote:

The question is: did you buy an SSL certificate, or not? If not, Let's Encrypt is sufficient.
If you bought one, you should follow ZhangHuangbin's ;-)

No, I'm using Let's Encrypt and Certbot.

What is sufficient? I think you just contradicted what ZhangHuangbin suggested above, so which answer is correct?

This is why it would be really nice if someone at iRedMail posted more detailed instructions on how to set up Let's Encrypt SSL certificates with their application, because it's not at all clear.

14

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

You still need to follow our tutorial (section "Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate") to configure them to use the letsencrypt cert.

15

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

I just did:
certbot --apache
And it will set up the apache virtualhost for you.

You can then configure postfix to use that certificate:
https://www.upcloud.com/support/secure- … s-encrypt/

And also dovecot:
https://community.letsencrypt.org/t/sim … vecot/2921

That is how I did it before I started using a real certificate from a real CA.

16

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Better use 'certbot certonly --webroot'

17

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Hi, stuck again! I've got the certificates made using Certbot, but the instructions on this page are confusing:

http://www.iredmail.org/docs/use.a.boug … ertificate

For example, on the above page it says that to configure Postfix I issue these commands:

postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'

But these are the files Certbot creates for each domain: cert.pem, chain.pem, fullchain.pem, privkey.pem.

I have no idea which of these files should be used for the above three Postfix settings. The same is true for the Dovecot settings as outlined on that help page:

ssl = required
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/private/server.key
ssl_ca = </etc/pki/tls/certs/server.ca-bundle

Which LE files should I be using for server.crt, server.key and server.ca-bundle?

18

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

I updated the document to use the same file names as Let's Encrypt: cert.pem, privkey.pem, fullchain.pem.
http://www.iredmail.org/docs/use.a.boug … icate.html
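The questions in posts 17 and 18 come down to which certbot file goes into which Postfix/Dovecot setting, and whether the files are actually usable by the daemons. The script below is an added example for this thread (not iRedMail, certbot or Postfix code): it checks a certbot live/<name>/ directory for the four files, refuses a private key that is readable by group or other, and prints the postconf commands and dovecot.conf lines using the mapping the thread arrives at (fullchain.pem for the certificate, privkey.pem for the key, chain.pem for the intermediates that the docs used to call server.ca-bundle). The directory name mail.example.com and the placeholder file contents in demo() are constructed; the mapping itself is my reading of the thread, so check it against the current iRedMail document.

```python
"""Pre-flight check for a certbot live/<name>/ directory before Postfix and
Dovecot are pointed at it.  Added example for this thread; it is not
iRedMail, certbot or Postfix code."""
import os
import stat
import tempfile

# The four files certbot writes for every certificate name.
LE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")

# Setting -> certbot file.  This is my mapping, derived from the thread:
# fullchain.pem as the served certificate, privkey.pem as the key, and
# chain.pem (the intermediate certificates) where the iRedMail docs used
# to reference server.ca-bundle.
POSTFIX_SETTINGS = {
    "smtpd_tls_cert_file": "fullchain.pem",
    "smtpd_tls_key_file": "privkey.pem",
    "smtpd_tls_CAfile": "chain.pem",
}
DOVECOT_SETTINGS = {
    "ssl_cert": "fullchain.pem",
    "ssl_key": "privkey.pem",
    "ssl_ca": "chain.pem",
}


def check_live_dir(live_dir):
    """Return a list of problems with the directory; an empty list means the
    four files exist and the private key is not readable by group/other."""
    problems = []
    for name in LE_FILES:
        path = os.path.join(live_dir, name)
        # isfile/stat follow the live/ -> archive/ symlinks certbot creates,
        # so a dangling symlink is reported as missing.
        if not os.path.isfile(path):
            problems.append("missing: " + path)
            continue
        if name == "privkey.pem":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("%s is accessible to group/other (mode %o); "
                                "the key should be 0600" % (path, mode))
    return problems


def render_settings(live_dir):
    """Produce the postconf commands and dovecot.conf lines for live_dir.
    Dovecot's leading '<' means 'read the value from this file'."""
    lines = ["postconf -e %s='%s'" % (k, os.path.join(live_dir, v))
             for k, v in POSTFIX_SETTINGS.items()]
    lines += ["%s = <%s" % (k, os.path.join(live_dir, v))
              for k, v in DOVECOT_SETTINGS.items()]
    return lines


def demo():
    """Run the check on a constructed directory (placeholder files, not real
    PEM data): once with a private key, once after making it world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live", "mail.example.com")
        os.makedirs(live)
        for name in LE_FILES:
            with open(os.path.join(live, name), "w") as fh:
                fh.write("placeholder, not a real PEM file\n")
        key = os.path.join(live, "privkey.pem")
        os.chmod(key, 0o600)
        good = check_live_dir(live)
        os.chmod(key, 0o644)
        bad = check_live_dir(live)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("private key:", good or "ok")
    print("world-readable key:", bad)
    print("\n".join(render_settings("/etc/letsencrypt/live/mail.example.com")))
```

Two manual checks worth doing alongside this: confirm the key really belongs to the certificate by comparing `openssl x509 -noout -pubkey -in fullchain.pem` with `openssl pkey -pubout -in privkey.pem` (the two outputs must be identical), and remember that certbot renewals replace the files under archive/ without restarting anything, so Postfix, Dovecot and Apache keep serving the old certificate until they are reloaded (certbot's `--deploy-hook` is the usual place to do that).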

19

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

ZhangHuangbin wrote:

I updated the document to use same file names as LetsEncrypt: cert.pem, privkey.pem, fullchain.pem.

Thank you so much, a lot easier to follow now!

20

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Another quick question: Let's say the hostname for my mail server is mailserver.com, and I also have a subdomain called mx.mailserver.com that will be used for MX records in client domain records.

Do I set up Postfix and Dovecot with an SSL certificate for mailserver.com or mx.mailserver.com?

For Roundcube, I presume I would use the server hostname SSL as that's the domain I'll be using to access the webmail client.

21

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

*) When you configure a MUA, you type server name "abc.com"; this "abc.com" must then be included in the SSL cert.
*) When you visit a web site, you type the URL "https://xyz.com" or "https://sub.xyz.com"; this "xyz.com" or "sub.xyz.com" must be included in the SSL cert.
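The rule in the reply above (whatever name a client types must appear in the certificate) is easy to check mechanically before requesting the certificate. The following is an added example for this thread, not iRedMail or certbot code: it collects the names from the three places they come from in a mail setup (the server name users enter in their mail client, the host part of the webmail URL, and the MX hostname), matches them against a certificate's subject alternative names using the usual client rule for wildcards, and turns the result into the `-d` arguments for `certbot certonly`. The names mailserver.com, mx.mailserver.com and the /mail/ webmail path in the main block are constructed to mirror the question in post 20.

```python
"""Check that every name clients will type is covered by the certificate's
subject alternative names.  Added example for this thread; it is not
iRedMail or certbot code."""
from urllib.parse import urlsplit


def san_matches(pattern, host):
    """Return True if a SAN entry covers host.  Follows the usual TLS client
    rule: exact match, or a '*' that is the whole leftmost label and stands
    in for exactly one label (so *.example.com covers mail.example.com but
    not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]   # ".example.com"
        return (host.endswith(suffix)
                and len(host) > len(suffix)
                and host.count(".") == pattern.count("."))
    return False


def required_names(mua_server_names, webmail_urls, mx_hosts=()):
    """Collect the names a certificate must carry for this deployment:
    - the server name users type into their mail client (MUA),
    - the host part of each webmail URL (Roundcube, iRedAdmin),
    - the MX hostnames: other MTAs mostly use opportunistic TLS and do not
      fail on a mismatch, but MTA-STS-aware senders validate the certificate
      against the MX name, so it belongs in the certificate too."""
    names = {n.lower().rstrip(".") for n in mua_server_names}
    names |= {n.lower().rstrip(".") for n in mx_hosts}
    for url in webmail_urls:
        host = urlsplit(url).hostname   # already lower-cased by urlsplit
        if host:
            names.add(host)
    return names


def uncovered_names(required, san_names):
    """Names from required that no SAN entry covers, sorted."""
    return sorted(h for h in required
                  if not any(san_matches(p, h) for p in san_names))


def certbot_domain_args(names):
    """Turn a set of names into the -d arguments for 'certbot certonly'."""
    args = []
    for name in sorted(names):
        args += ["-d", name]
    return args


if __name__ == "__main__":
    # Constructed scenario modelled on post 20: the server is mailserver.com,
    # clients and MX records use mx.mailserver.com, webmail is at /mail/.
    needed = required_names(["mx.mailserver.com"],
                            ["https://mailserver.com/mail/"],
                            ["mx.mailserver.com"])
    issued = ["mailserver.com", "www.mailserver.com"]   # SANs of an existing cert
    print("missing from cert:", uncovered_names(needed, issued))
    print("certbot args:", " ".join(certbot_domain_args(needed)))
```

The SAN list of an issued certificate can be read with `openssl x509 -in /etc/letsencrypt/live/<name>/cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later; on older builds use `-text` and look for the "Subject Alternative Name" extension). If a name comes up as uncovered, the fix is to request the certificate again with that name added, not to tell users to click through the warning.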

22

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Okay, I've hit another wall. I got the SSL certificates set up using Certbot, and then followed the instructions for setting up SSL with iRedMail and related apps as outlined on this page:

http://www.iredmail.org/docs/use.a.boug … ertificate

The restart of Postfix appeared to go fine at first, but after I made the other changes and then restarted Postfix, it's now failing. The server is reporting the following problem:

[root@mymailserver ~]# journalctl -xe
-- Subject: Unit postfix.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li … temd-devel
--
-- Unit postfix.service has begun starting up.
Oct 16 13:25:12 mymailserver.com postfix/postfix-script[9149]: starting the Postfix mail system
Oct 16 13:25:12 mymailserver.com postfix/master[9151]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
Oct 16 13:25:13 mymailserver.com postfix/master[9150]: fatal: daemon initialization failure
Oct 16 13:25:14 mymailserver.com postfix/postfix-script[9152]: fatal: mail system startup failed
Oct 16 13:25:14 mymailserver.com systemd[1]: postfix.service: control process exited, code=exited status=1
Oct 16 13:25:14 mymailserver.com systemd[1]: Failed to start Postfix Mail Transport Agent.
-- Subject: Unit postfix.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li … temd-devel
--
-- Unit postfix.service has failed.
--
-- The result is failed.
Oct 16 13:25:14 mymailserver.com systemd[1]: Unit postfix.service entered failed state.
Oct 16 13:25:14 mymailserver.com systemd[1]: postfix.service failed.
Oct 16 13:25:14 mymailserver.com polkitd[444]: Unregistered Authentication Agent for unix-process:9059:166983858 (system bus name :1.7088, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 16 13:26:56 mymailserver.com dovecot[8419]: imap-login: Login: user=<postmaster@mymailserver.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9160, secured, session=<rbExUK1bUs9/AAAB>
Oct 16 13:26:56 mymailserver.com dovecot[8419]: imap(postmaster@mymailserver.org): Logged out in=566 out=3290
lines 2413-2435/2435 (END)

I updated Postfix, Dovecot and Apache using the instructions on the above page. Not sure which of these is causing this error; any ideas?

23

Re: Setting up Let's Encrypt with iRedMail and Apache — How?

Okay, weird. I just rebooted the server and Postfix starts just fine. ¯\_(ツ)_/¯
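The failure in post 22 is not a certificate problem at all: Postfix's master process takes an exclusive lock on master.lock when it starts, and "unable to set exclusive lock: Resource temporarily unavailable" means another master process already held it, i.e. a Postfix instance was still (or was left) running when the restart tried to start a second one. That is consistent with the reboot in post 23 clearing it. The script below is an added example for this thread (not Postfix, systemd or iRedMail code) that reads journalctl output, picks out the Postfix fatal/warning lines, classifies the ones with a known start-up signature and says what to check next. The sample journal is taken from the post above, trimmed to the relevant lines.

```python
"""Classify Postfix start-up failures from journalctl output.  Added example
for this thread; it is not Postfix, systemd or iRedMail code."""
import re

# journalctl short format: "Oct 16 13:25:12 host unit[pid]: message"
JOURNAL_LINE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ([^\s\[]+)\[(\d+)\]: (.*)$")

# Messages that pin down a cause.  The first one is what post 22 shows:
# master's lock file is held by another process, i.e. a Postfix master is
# already running (or was left behind), so a fresh start collides with it.
SIGNATURES = (
    ("lock_contention",
     re.compile(r"^fatal: open lock file (\S+): unable to set exclusive lock"),
     "another postfix master still holds the lock file; check "
     "'postfix status' / 'systemctl status postfix', then use 'postfix reload' "
     "or stop the running instance cleanly before starting it again"),
    ("init_failure",
     re.compile(r"^fatal: daemon initialization failure"),
     "reported by the parent master after its child failed; see the preceding fatal line"),
    ("startup_failed",
     re.compile(r"^fatal: mail system startup failed"),
     "summary line only; the cause is in the earlier fatal message from postfix/master"),
)


def triage(journal_text):
    """Return one dict per postfix fatal/warning line with its classification.
    Lines that are not from postfix, or not fatal/warning, are ignored."""
    findings = []
    for raw in journal_text.splitlines():
        m = JOURNAL_LINE.match(raw)
        if not m:
            continue
        unit, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if not unit.startswith("postfix/"):
            continue
        if not (msg.startswith("fatal:") or msg.startswith("warning:")):
            continue
        kind, advice = "unclassified", "read the message; not a known start-up signature"
        for name, pattern, explanation in SIGNATURES:
            if pattern.match(msg):
                kind, advice = name, explanation
                break
        findings.append({"unit": unit, "pid": pid, "kind": kind,
                         "message": msg, "advice": advice})
    return findings


def diagnosis(journal_text):
    """The most specific classification found, or None if Postfix logged
    no fatal/warning lines.  Specific causes win over the summary lines."""
    kinds = [f["kind"] for f in triage(journal_text)]
    for candidate in ("lock_contention", "unclassified", "init_failure", "startup_failed"):
        if candidate in kinds:
            return candidate
    return None


# Sample journal excerpt: the lines from post 22, trimmed to the Postfix,
# systemd and dovecot messages.
SAMPLE_JOURNAL = """\
Oct 16 13:25:12 mymailserver.com postfix/postfix-script[9149]: starting the Postfix mail system
Oct 16 13:25:12 mymailserver.com postfix/master[9151]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable
Oct 16 13:25:13 mymailserver.com postfix/master[9150]: fatal: daemon initialization failure
Oct 16 13:25:14 mymailserver.com postfix/postfix-script[9152]: fatal: mail system startup failed
Oct 16 13:25:14 mymailserver.com systemd[1]: Failed to start Postfix Mail Transport Agent.
Oct 16 13:26:56 mymailserver.com dovecot[8419]: imap(postmaster@mymailserver.org): Logged out in=566 out=3290
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_JOURNAL):
        print("%s[%d] %s\n    -> %s" % (f["unit"], f["pid"], f["kind"], f["advice"]))
    print("diagnosis:", diagnosis(SAMPLE_JOURNAL))
```

A reboot does clear a stale lock holder, but on a production mail server it is worth finding the process first (`postfix status` reports the running master's PID) so the same collision does not come back after the next certificate renewal or config change; `postfix reload` re-reads main.cf, including the new TLS file paths, without restarting master at all.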