** Chris Dennis via Hampshire <hampshire@mailman.lug.org.uk> [2017-02-13 12:39]:
> On 07/02/17 11:20, Paul Tansom via Hampshire wrote:
> >... I recently added my pop/imap mail server certificates to the process as
> >well (I'd forgotten they were still with StartSSL) and that was much easier
> >than expected - took about 10 minutes including working out how to do it :)
> Can you point me to information about that?  I need to create IMAP/SSL 
> certificates for a domain where the website is on a hosting service that 
> doesn't seem to allow the use of LetsEncrypt (they want to provide the HTTPS 
> certificates in exchange for money(!)), and I can't work out how to get 
> LetsEncrypt certificates just for email.
** end quote [Chris Dennis via Hampshire]

Sorry, I marked this for a reply when I spotted but didn't have time to dig out 
my notes and completely failed to come back to it - I've only just spotted it 
again!

The basic principle is to use a web server on the host to validate the 
certificate when you obtain it, but not actually install it with the script. If 
you aren't running a web server on the same box as the mail server then you can 
spin up a temporary one with the script, but I am so I haven't tried that 
option (I think it is the --standalone switch). The incantation I used was:

sudo /opt/certbot/certbot-auto certonly --dry-run -w /var/www/domain/webroot/ 
-d mail.example.com

well, actually it wasn't quite, that one has the --dry-run to go through the 
motions but not do anything, just remove when you have everything sorted :)

I don't have the tool installed from a package, it was originally installed 
before the rename and I've not checked back to see if there is a PPA yet (I'll 
probably do that when I do my upgrade which is due any day now - ish!). A quick 
breakdown (for anyone not familiar) is:

certbot-auto - the command (complete with path in my case)
certonly - just obtain the certificate, don't try to install it (at the moment 
there only look to be options to install for apache and nginx, I prefer to do 
the editing myself)
--dry-run - just puts it into test mode
-w - gives the path to the root directory of the domain required for the 
certificate, the script puts files in here to check for remotely
-d - gives the certificate domain (and you can use multiple -d .. for multiple 
domains in a single certificate)

There's a selection of options to play with, but those are the ones I used. I 
then had to manually install them into my Dovecot config, but that was just a 
case of changing the existing lines. The certificates are installed in 
directories under /etc/letsencrypt, so in the /etc/dovecot/conf.d/ssl.conf file 
(for example) you have something like:

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

adjust accordingly for your domain.

Hope that helps, if you haven't already sorted it by now!

-- 
 Paul Tansom  |  Aptanet Ltd.  |  https://www.aptanet.com/  |  023 9238 0001
 Vice Chair, FSB Portsmouth & SE Hampshire Branch  |  http://www.fsb.org.uk/
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
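An added example, not code from the message above or from the certbot project: it wraps the certonly/webroot run described in the message and adds a certbot deploy hook that reloads Dovecot after a renewal, so the renewed files are actually picked up. The webroot path, the mail host name, systemd, and certbot's --deploy-hook with its RENEWED_DOMAINS / RENEWED_LINEAGE variables (a later certbot feature than the certbot-auto in the message) are assumptions.

```shell
#!/bin/sh
# Added example, not the post's or certbot's own code.  Assumed: the paths
# below, systemd, and certbot's --deploy-hook with RENEWED_DOMAINS /
# RENEWED_LINEAGE (a later certbot feature than the post's certbot-auto).
set -eu

CERTBOT=/opt/certbot/certbot-auto     # path used in the post; adjust for a packaged certbot
WEBROOT=/var/www/domain/webroot       # document root the web server serves for the domain
MAIL_HOST=mail.example.com            # name Dovecot presents to IMAP/POP clients

# Certbot passes the renewed names (space separated) to deploy hooks in
# RENEWED_DOMAINS.  Succeed only when the mail host is among them, so renewing
# an unrelated certificate on the same box does not bounce the mail service.
renewed_mail_cert() {
    host=$1; shift
    for d in "$@"; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# The two Dovecot lines from the post, for the lineage directory certbot
# maintains under /etc/letsencrypt/live/<name>/ (also handed to the hook as
# RENEWED_LINEAGE).  Dovecot only re-reads the files on reload, hence the hook.
dovecot_ssl_lines() {
    printf 'ssl_cert = <%s/fullchain.pem\nssl_key = <%s/privkey.pem\n' "$1" "$1"
}

# Pre-flight: certbot writes the HTTP-01 token under this directory and the
# web server must serve it; a non-writable webroot is the usual first failure.
challenge_dir_ok() {
    mkdir -p "$1/.well-known/acme-challenge" && [ -w "$1/.well-known/acme-challenge" ]
}

case "${1:-}" in
deploy-hook)   # run by certbot after a successful renewal (word splitting intended)
    if renewed_mail_cert "$MAIL_HOST" ${RENEWED_DOMAINS:-}; then
        for f in fullchain.pem privkey.pem; do
            [ -r "$RENEWED_LINEAGE/$f" ] || { echo "missing $f" >&2; exit 1; }
        done
        systemctl reload dovecot
    fi ;;
obtain)        # the certonly/webroot run from the post, plus the hook
    challenge_dir_ok "$WEBROOT" || { echo "cannot write to $WEBROOT" >&2; exit 1; }
    # invoke this script by absolute path so certbot records a usable hook;
    # drop --dry-run once the test run succeeds, as the post says
    sudo "$CERTBOT" certonly --dry-run --webroot -w "$WEBROOT" -d "$MAIL_HOST" \
        --deploy-hook "$0 deploy-hook"
    dovecot_ssl_lines "/etc/letsencrypt/live/$MAIL_HOST" ;;
esac
```

Run it as `/path/to/script obtain` on the box that serves the domain's webroot; the printed lines go into /etc/dovecot/conf.d/ssl.conf as in the message.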
