I’ve been getting notifications from StartSSL for a month saying that my SSL certificate is expiring. I decided to try out the new Let’s Encrypt free SSL. In this post I will be installing the certificate on a mail server.
To start off, you will need Git on your server
apt-get install git
Next up, we need the Let’s Encrypt git package
git clone https://github.com/Letsencrypt/letsencrypt
I made a small batch file to run every time I want to update the certificates
#!/bin/bash OPTIONS="certonly --renew-by-default --email firstname.lastname@example.org --agree-tos --text" ./letsencrypt-auto $OPTIONS -d metsanheimo.fi chgrp vmail /etc/letsencrypt/archive /etc/letsencrypt/live chmod g+rx /etc/letsencrypt/archive /etc/letsencrypt/live
Running this requires you to have a web server and a domain – and your router pointing to the computer you’re requesting the certificate for.
After running the script, your certificates should be created in ‘/etc/letsencrypt/live/domain.fi/’ and it will expire in three months. At that time, just come back and run the script again.
To get these certificates working on the mail server, we need to point the server to the new certificates at the configuration files. Open Postfix configuration and edit/add these lines. Replace the domain name with yours. After the changes, restart Postfix.
sudoedit /etc/postfix/main.cf smtpd_tls_cert_file=/etc/letsencrypt/live/metsanheimo.fi/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/metsanheimo.fi/privkey.pem sudo service postfix restart
Next up is Dovecot, open up the Dovecot SSL configuration file, and edit/add these lines. Replace the domain name with yours. After the changes, restart Dovecot.
sudoedit /etc/dovecot/conf.d/10-ssl.conf ssl_cert = </etc/letsencrypt/live/metsanheimo.fi/fullchain.pem ssl_key = </etc/letsencrypt/live/metsanheimo.fi/privkey.pem sudo service dovecot restart
Now try that your e-mail server still sends and receives messages.
You now have free working SSL certificates on your mail server! Congratulations! Just remember to refresh them every three months. Or just make a cron job for it.