
add ssl certificate from letsencrypt #16

Closed
hadifarnoud opened this issue Jan 11, 2016 · 13 comments

Comments

@hadifarnoud

how can I activate letsencrypt.org certificate on modoboa?

would be great to add this into run.py

@tonioo
Member

tonioo commented Jan 11, 2016

For now, you can only specify custom SSL certificates within the configuration file:

[general]
tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

@inkrement

How to proceed if it's intended to add certificates after installation? Is there an (easy) way without the need to dig into postfix or dovecot configs?

@tonioo
Member

tonioo commented Mar 11, 2016

Modify the default values inside installer.cfg and then copy certificate files at the proper location.

@inkrement

The installer.cfg is part of the installer, right? But I have already installed it (and I removed the installation folder). How can I change these settings afterwards?

@tonioo
Member

tonioo commented Mar 14, 2016

Then you need to modify each configuration file (postfix, dovecot, etc.).

@dhaupin

dhaupin commented Sep 1, 2016

This is the first result for "modoboa letsencrypt". Really, all this needs to work is a pub .well-known folder somewhere to run and update later (via cron or something). Just tried LE and it wanted to work but I gotta pack for camping and don't have much time to probe modoboa this eve beyond brief tries.

@dhaupin

dhaupin commented Sep 2, 2016

Ok, I got a min, here is how you do a LE cert:

  1. Create a .well-known folder:
    # mkdir /srv/modoboa/instance/sitestatic/.well-known

  2. Edit the port 80 server block to use this:
    server {
        listen 80;
        server_name mail.example.com;

        location / {
            rewrite ^ https://$server_name$request_uri? permanent;
        }

        location /.well-known/ {
            alias /srv/modoboa/instance/sitestatic/.well-known/;
        }
    }

  3. Restart nginx then run the LE certonly:
    # nginx -t
    # service nginx restart
    # letsencrypt certonly --webroot -w /srv/modoboa/instance/sitestatic/ -d mail.example.com

  4. Edit the port 443 server block to use new certs:
    ...
    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
    ...

  5. Restart nginx, check the URL. Apply cert to any other services you need such as dovecot. (SNI is possible, but manual and beyond this scope.) Edit /etc/dovecot/conf.d/10-ssl.conf and change the cert + key:
    ...
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
    ...

    Then edit /etc/postfix/main.cf and change the cert + key:
    ...
    smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
    smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
    ...

  6. Make a cron to auto-renew (# crontab -e), in this case at 5:43 am daily. You should pick a random time that is not on the hour and def not at midnight (to prevent DDoS'ing LE):
    43 5 * * * /usr/bin/letsencrypt renew 2>&1 | /usr/bin/logger -t letsencrypt

  7. Profit.

@hadifarnoud
Author

Please send a Pull Request for this feature. Would love to try it.

@hadifarnoud hadifarnoud reopened this Sep 3, 2016
@dhaupin

dhaupin commented Sep 7, 2016

@hadifarnoud Would like to man, not much time lately though. I would have to further explore the installer itself, figure out how to check for a fail state if LE can't generate a cert or times out, and also support SNI based on added domain(s). Maybe it can be a "standalone" plugin or something instead of at install, dunno. Added a few steps for Dovecot/Postfix above.

@tonioo
Member

tonioo commented Sep 21, 2016

@dhaupin Thank you for the feedback. I close this issue since it's a duplicate of #50.

@tonioo tonioo closed this as completed Sep 21, 2016
@dbryar

dbryar commented Aug 15, 2020

Since this is the highest ranked page on LE certificate errors on Google, I'll just point out that while @dhaupin's instructions are all correct, if you are using LE, you may need to reboot the server/restart the services after the new certificate is loaded each 90-day period.

I was finding it very hard to determine why the mail server (postfix) was still issuing an expired certificate despite the webmail (nginx) certificate being valid, and both pointing to the same file.

Something to note on very stable servers!
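The symptom described above (postfix still presenting an old certificate while nginx serves the renewed one from the same file) can be checked instead of guessed at. The script below is an added example, not code from this issue or from Modoboa: it compares the SHA-256 fingerprint of the leaf certificate in fullchain.pem with what each daemon actually presents over TLS, and names the ones that were not reloaded. The host name, ports and service labels are assumptions; adjust them to your deployment.

```python
import base64, hashlib, smtplib, socket, ssl

# Assumed deployment values (not from the issue): host and the services that must all present the on-disk cert.
HOST = "mail.example.com"
FULLCHAIN = "/etc/letsencrypt/live/mail.example.com/fullchain.pem"
IMPLICIT_TLS = {"nginx:443": 443, "dovecot:993": 993}   # TLS on connect
STARTTLS = {"postfix:587": 587}                          # SMTP STARTTLS

def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def leaf_fingerprint(pem_bundle: str) -> str:
    """Fingerprint of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    body = pem_bundle.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return fingerprint_der(base64.b64decode("".join(body.split())))

def served_fingerprint(host: str, port: int, starttls: bool = False) -> str:
    """Fingerprint of the certificate the live service presents (network call)."""
    # Verification is off on purpose: a stale or expired cert is what we want to
    # observe and report, not something to abort on.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if starttls:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return fingerprint_der(smtp.sock.getpeercert(binary_form=True))
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))

def stale_services(expected: str, observed: dict) -> list:
    """Services whose served cert differs from the on-disk leaf: not reloaded yet."""
    return sorted(name for name, fp in observed.items() if fp != expected)

def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample bundle (not a real chain) so the parsing logic runs offline.
SAMPLE_FULLCHAIN = _pem(b"constructed leaf DER") + _pem(b"constructed intermediate DER")

if __name__ == "__main__":
    with open(FULLCHAIN) as f:
        expected = leaf_fingerprint(f.read())
    observed = {n: served_fingerprint(HOST, p) for n, p in IMPLICIT_TLS.items()}
    observed.update({n: served_fingerprint(HOST, p, True) for n, p in STARTTLS.items()})
    for name in stale_services(expected, observed):
        print(f"{name}: served certificate differs from {FULLCHAIN}; reload that service")
```

Run it after the renewal cron fires (or from a renewal hook) and reload whichever services it names.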

@blu-IT

blu-IT commented Mar 18, 2021

2. Edit the port 80 server block to use this:
server {
    listen 80;
    server_name mail.example.com;

    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    location /.well-known/ {
        alias /srv/modoboa/instance/sitestatic/.well-known/;
    }
}

Thanks a lot! Worked perfectly for me, even though I had already rolled out the server with a self-signed certificate accidentally!
I only had to add these lines to the already existing config for port 443 as well; then I could start the LE certification process.
Working on Ubuntu 18.04 LTS.

location /.well-known/ {
    alias /srv/modoboa/instance/sitestatic/.well-known/;
}

@QThans

QThans commented Apr 6, 2024

5. /etc/dovecot/conf.d/10-ssl.conf

After updating, a restart is required.
