Re: [Hampshire] HTTPS Certificate problem

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] HTTPS Certificate problem
** Chris Dennis via Hampshire <hampshire@???> [2017-02-13 12:39]:
> On 07/02/17 11:20, Paul Tansom via Hampshire wrote:
> >... I recently added my pop/imap mail server certificates to the process as
> >well (I'd forgotten they were still with StartSSL) and that was much easier
> >than expected - took about 10 minutes including working out how to do it :)
> Can you point me to information about that? I need to create IMAP/SSL certificates for a domain where the website is on a hosting service that doesn't seem to allow the use of LetsEncrypt (they want to provide the HTTPS certificates in exchange for money(!)), and I can't work out how to get LetsEncrypt certificates just for email.

** end quote [Chris Dennis via Hampshire]

Sorry, I marked this for a reply when I spotted it but didn't have time to dig out my notes and completely failed to come back to it - I've only just spotted it again!

The basic principle is to use a web server on the host to validate the certificate when you obtain it, but not actually install it with the script. If you aren't running a web server on the same box as the mail server then you can spin up a temporary one with the script, but I am so I haven't tried that option (I think it is the --standalone switch). The incantation I used was:

sudo /opt/certbot/certbot-auto certonly --dry-run -w /var/www/domain/webroot/ -d mail.example.com

well, actually it wasn't quite, that one has the --dry-run to go through the motions but not do anything, just remove it when you have everything sorted :)

I don't have the tool installed from a package, it was originally installed before the rename and I've not checked back to see if there is a PPA yet (I'll probably do that when I do my upgrade which is due any day now - ish!). A quick breakdown (for anyone not familiar) is:

certbot-auto - the command (complete with path in my case)
certonly - just obtain the certificate, don't try to install it (at the moment there only look to be options to install for apache and nginx, I prefer to do the editing myself)
--dry-run - just puts it into test mode
-w - gives the path to the root directory of the domain required for the certificate, the script puts files in here to check for remotely
-d - gives the certificate domain (and you can use multiple -d .. for multiple domains in a single certificate)

There's a selection of options to play with, but those are the ones I used. I then had to manually install them into my Dovecot config, but that was just a case of changing the existing lines. The certificates are installed in directories under /etc/letsencrypt, so in the /etc/dovecot/conf.d/ssl.conf file (for example) you have something like:

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

adjust accordingly for your domain.

Hope that helps, if you haven't already sorted it by now!

--
Paul Tansom | Aptanet Ltd. | https://www.aptanet.com/ | 023 9238 0001
Vice Chair, FSB Portsmouth & SE Hampshire Branch | http://www.fsb.org.uk/
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
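
The webroot workflow from the post above, wrapped in shell functions as an added example (not from the post or from the certbot project): one builds the certonly command with one -d per hostname and a --deploy-hook so Dovecot is reloaded after each renewal (it does not re-read the files on its own), one emits the ssl.conf lines for a given domain, and one checks a live directory before Dovecot is pointed at it. The webroot path, domains and the reload command are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands. Placeholders: /var/www/...,
# the example.com hostnames and "systemctl reload dovecot".

# Build the certbot command line: webroot validation, certificate only,
# one -d per hostname given as an argument after the webroot. The deploy
# hook runs only after a successful issue/renew. Set DRY_RUN=1 to append
# --dry-run while testing, as the post suggests.
certbot_mail_cmd() {
    webroot="$1"; shift
    cmd="certbot certonly --webroot -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    [ "${DRY_RUN:-0}" = "1" ] && cmd="$cmd --dry-run"
    printf '%s\n' "$cmd --deploy-hook \"systemctl reload dovecot\""
}

# Emit the two Dovecot ssl.conf lines for a domain; the second argument
# overrides the default /etc/letsencrypt/live base directory.
dovecot_ssl_lines() {
    live="${2:-/etc/letsencrypt/live}/$1"
    printf 'ssl_cert = <%s/fullchain.pem\nssl_key = <%s/privkey.pem\n' "$live" "$live"
}

# Sanity check before pointing Dovecot at a live directory: both files
# must be readable and the private key must not be world-readable
# (-L follows certbot's live -> archive symlinks). Returns 0 if OK.
check_live_dir() {
    live="$1"
    [ -r "$live/fullchain.pem" ] || { echo "missing $live/fullchain.pem" >&2; return 1; }
    [ -r "$live/privkey.pem" ]   || { echo "missing $live/privkey.pem" >&2; return 1; }
    if [ -n "$(find -L "$live/privkey.pem" -perm -004 2>/dev/null)" ]; then
        echo "$live/privkey.pem is world-readable" >&2; return 1
    fi
    return 0
}
```

Run the dry-run form first, then the real command; after that, paste the ssl.conf lines into /etc/dovecot/conf.d/ssl.conf and reload Dovecot.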
