-
First we'll need to install and configure acme.sh, so we can acquire and renew our SSL/TLS certificates.
Install acme.sh:
pkg install acme.sh
Configure the email address you want associated with your Let's Encrypt account:
acme.sh --register-account -m admin@example.org
Set the default certificate authority. acme.sh defaults to ZeroSSL, but like most people I'm using Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt
-
Acquire the Let's Encrypt certificates:
acme.sh is used here in webroot (-w) mode: Let's Encrypt fetches a token from http://<domain>/.well-known/acme-challenge/ for every name you list, so each -d domain must already resolve to this host and be served over plain HTTP (port 80) from the webroot you give. The first -d is the main domain and, together with --keylength ec-384, names the directory the files end up in (/root/.acme.sh/mail.example.org_ecc/), which is why the paths further down use mail.example.org_ecc.
For Apache web server run the command below and adjust for your domain:
acme.sh --issue -d mail.example.org -d www.example.org -d example.org --keylength ec-384 -w /usr/local/www/apache24/data
For Nginx web server run the command below and adjust for your domain:
acme.sh --issue -d mail.example.org -d www.example.org -d example.org --keylength ec-384 -w /usr/local/www/nginx
-
Set up your web server to use the Let's Encrypt certs:
The files are referenced straight out of /root/.acme.sh below. That works, but acme.sh's own docs treat that directory as internal and suggest copying the files out with acme.sh --install-cert (with --key-file, --fullchain-file and --reloadcmd); if an acme.sh upgrade ever moves things, that is the first place to look.
For Apache web server edit /usr/local/etc/apache24/extra/httpd-ssl.conf like below:
Comment out the self-signed cert and key:
Adjust for your domain.
#SSLCertificateFile "/etc/ssl/example.org/example.org.crt"
#SSLCertificateKeyFile "/etc/ssl/example.org/example.org.key"
Add the Let's Encrypt cert and key:
Adjust for your domain.
SSLCertificateFile "/root/.acme.sh/mail.example.org_ecc/fullchain.cer"
SSLCertificateKeyFile "/root/.acme.sh/mail.example.org_ecc/mail.example.org.key"
For Nginx web server edit /usr/local/etc/nginx/conf.d/mailserver.conf like below:
Uncomment and change to match your domain:
#ssl_certificate /root/.acme.sh/mail.example.org_ecc/fullchain.cer;
#ssl_certificate_key /root/.acme.sh/mail.example.org_ecc/mail.example.org.key;
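Before restarting, it is worth confirming that the key and certificate you just pointed the server at actually belong together, that fullchain.cer really carries the intermediate, and that the key is not readable by other users. The script below is an added example, not part of the original guide or of acme.sh; it assumes the /root/.acme.sh paths used above and lets you override CERT and KEY in the environment for another domain:

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check a certificate/key pair before
# pointing a daemon at it. CERT/KEY default to the acme.sh paths used above (assumed).
CERT=${CERT:-/root/.acme.sh/mail.example.org_ecc/fullchain.cer}
KEY=${KEY:-/root/.acme.sh/mail.example.org_ecc/mail.example.org.key}

# 0 if the private key in $2 belongs to the leaf certificate in $1 (same public key), 1 otherwise.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Number of certificates in a PEM bundle; fullchain.cer should hold the leaf plus at least one intermediate.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if $1 has no group or other permission bits at all (e.g. mode 0600), 1 otherwise.
# Uses the ls -l permission string so it works on both BSD and GNU userlands.
owner_only() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run all three checks on a pair, print one line per result, return 1 if anything failed.
check_pair() {
    cert=$1; key=$2; rc=0
    if cert_key_match "$cert" "$key"; then
        echo "OK   $key matches $cert"
    else
        echo "FAIL $key does not match $cert"; rc=1
    fi
    n=$(pem_cert_count "$cert") || true
    if [ "${n:-0}" -ge 2 ]; then
        echo "OK   $cert holds $n certificates (leaf plus chain)"
    else
        echo "WARN $cert holds ${n:-0} certificate(s); use fullchain.cer so clients get the intermediate"; rc=1
    fi
    if owner_only "$key"; then
        echo "OK   $key is readable by its owner only"
    else
        echo "FAIL $key is group or world readable; chmod 600 it"; rc=1
    fi
    return $rc
}

# Check the configured pair when both files are present (they are not on a machine that has not run acme.sh yet).
if [ -r "$CERT" ] && [ -r "$KEY" ]; then
    check_pair "$CERT" "$KEY"
fi
```

Run it as root (the key is only readable by root) right after editing each config file; a FAIL on the first line usually means the cert path and key path point at two different domains' directories.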
-
Restart Web Server:
For Apache:
service apache24 restart
For Nginx:
service nginx restart
Your web server should be using the Let's Encrypt certs now.
-
Set up Let's Encrypt certs for Postfix, Dovecot, and Webmin:
Postfix:
Edit /usr/local/etc/postfix/main.cf
Comment out the self-signed cert and key:
Adjust for your domain.
#smtpd_tls_key_file = /etc/ssl/example.org/example.org.key
#smtpd_tls_cert_file = /etc/ssl/example.org/example.org.crt
Add the Let's Encrypt certs:
smtpd_tls_key_file = /root/.acme.sh/mail.example.org_ecc/mail.example.org.key
smtpd_tls_cert_file = /root/.acme.sh/mail.example.org_ecc/fullchain.cer
Restart Postfix:
service postfix restart
Dovecot:
Edit /usr/local/etc/dovecot/conf.d/10-ssl.conf
Comment out the self-signed cert and key:
Adjust for your domain.
#ssl_cert = </etc/ssl/example.org/example.org.crt
#ssl_key = </etc/ssl/example.org/example.org.key
Add the Let's Encrypt certs:
ssl_cert = </root/.acme.sh/mail.example.org_ecc/fullchain.cer
ssl_key = </root/.acme.sh/mail.example.org_ecc/mail.example.org.key
Restart Dovecot:
service dovecot restart
Webmin:
Edit /usr/local/etc/webmin/miniserv.conf
Comment out the self-signed cert (Webmin keeps its key and cert together in one .pem file):
#keyfile=/usr/local/etc/webmin/miniserv.pem
Add the Let's Encrypt certs:
keyfile=/root/.acme.sh/mail.example.org_ecc/mail.example.org.key
certfile=/root/.acme.sh/mail.example.org_ecc/fullchain.cer
Restart Webmin:
service webmin restart
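After the restarts, check what each daemon actually presents to clients instead of trusting the config edits. The script below is an added example, not part of the original guide; it pulls the live certificate from each port with openssl s_client and flags anything not issued by Let's Encrypt or expiring within 14 days. The port list is an assumption (443 for the web server, 25 and 587 with STARTTLS for Postfix, 993 for Dovecot IMAPS, 10000 as Webmin's default port), so adjust it to the services you actually run:

```shell
#!/bin/sh
# Added example, not from the guide: confirm the certificate each service presents after the restarts.
# Hostname and ports are assumptions (443 web, 25/587 Postfix STARTTLS, 993 Dovecot IMAPS, 10000 Webmin).

# Fetch the leaf certificate a live endpoint presents, as PEM on stdout.
# $1 host, $2 port, $3 optional STARTTLS protocol understood by openssl s_client (smtp, imap, pop3).
fetch_cert() {
    host=$1; port=$2; proto=$3
    set -- -connect "$host:$port" -servername "$host"
    if [ -n "$proto" ]; then
        set -- "$@" -starttls "$proto"
    fi
    # stdin from /dev/null makes s_client exit right after the handshake
    openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# 0 if the PEM certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the PEM certificate in $1 was issued by Let's Encrypt, judged by the issuer field.
cert_is_letsencrypt() {
    openssl x509 -in "$1" -noout -issuer | grep -q "Let's Encrypt"
}

# Report one endpoint: OK, WARN (wrong issuer or expiring within 14 days) or FAIL (no cert received).
check_endpoint() {
    host=$1; port=$2; proto=$3
    tmp=$(mktemp) || return 1
    if ! fetch_cert "$host" "$port" "$proto" >"$tmp"; then
        echo "FAIL $host:$port no certificate received"
        rm -f "$tmp"
        return 1
    fi
    status=OK
    cert_is_letsencrypt "$tmp" || status="WARN issuer is not Let's Encrypt:"
    cert_valid_for_days "$tmp" 14 || status="WARN expires within 14 days:"
    echo "$status $host:$port $(openssl x509 -in "$tmp" -noout -subject -enddate | tr '\n' ' ')"
    rm -f "$tmp"
    [ "$status" = OK ]
}

# Usage: sh check-certs.sh mail.example.org
if [ $# -gt 0 ]; then
    host=$1
    rc=0
    check_endpoint "$host" 443        || rc=1
    check_endpoint "$host" 25 smtp    || rc=1
    check_endpoint "$host" 587 smtp   || rc=1
    check_endpoint "$host" 993        || rc=1
    check_endpoint "$host" 10000      || rc=1
    exit $rc
fi
```

Run it as sh check-certs.sh mail.example.org. It is also worth running after each weekly renewal to confirm the restarts actually took effect.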
-
Set up auto-renewal of the Let's Encrypt certs:
We'll need to create a /var/log/acme.renew.log
touch /var/log/acme.renew.log
Then create a weekly periodic script to check if certs need renewing.
In this script, if the certs are renewed, then all the services using them will be restarted.
Copy the whole block below, paste it into your root shell (PuTTY or any SSH client) and run it, changing the domains to match yours. It writes the script through a quoted heredoc, so nothing inside it gets expanded by the shell you paste it into:
cat > /usr/local/etc/periodic/weekly/000.acme-cert-renew <<'EOF'
#!/bin/sh
# Ask acme.sh to renew; it exits quickly and prints "Skipping" when the cert is not due yet.
/usr/local/sbin/acme.sh --renew -d mail.example.org -d www.example.org -d example.org > /var/log/acme.renew.log 2>&1
# Only bounce the services when the certificate actually changed.
if ! grep -q 'Skipping' /var/log/acme.renew.log; then
    service apache24 restart >/dev/null 2>&1
    service nginx restart >/dev/null 2>&1
    service webmin restart >/dev/null 2>&1
    service dovecot restart >/dev/null 2>&1
    service postfix restart >/dev/null 2>&1
fi
EOF
Note that a renewal that fails outright does not print "Skipping" either, so in that case the services get restarted with the old (still valid) cert; if the weekly periodic mail shows acme.sh errors, read /var/log/acme.renew.log.
Then make the renew script executable:
chmod 0755 /usr/local/etc/periodic/weekly/000.acme-cert-renew
You can test the weekly periodic Let's Encrypt renew script by running the following:
periodic weekly
cat /var/log/acme.renew.log
That should do it for Let's Encrypt for now.