How to use Let's Encrypt certificate for Exim and Dovecot

I wish I could...

I have no DA account of my own. After I created one I noticed I have to buy a new licence to be able to do something with it. Currently I'm running 2 VPSs with DA on them; these licences are supplied by the company I rent the VPSs from. So as far as I can see, no possibility to test RC versions.

Ah well, I'll have to wait for the official release then. Thanx for the tip anyway :)

Danny
 
Hello,

I have installed the latest pre-release binaries and the issue is still there. The protocol HTTPS is still ok on Web, Ftp, etc. But in the mailserver (exim) there is still a mismatch.

Cert Hostname DOES NOT VERIFY (mail.domain.nl != servername.domain.com)

Am I missing some configuration on Exim side?
 
I have upgraded to 1.50.1 . Can you confirm where letsencrypt_post.sh should go? I'm thinking of using it to fix the permissions on the key and cert files after they are renewed, since I have symbolic links pointing to those.
 
Has anybody found a solution to this problem yet? I have been trying all sorts of different approaches suggested on this forum but I can't get the certificate to work for mail.mydomain.com. Letsencrypt is set up correctly and I have tried to install manually as well. Still the certificate is not working for mail.

This has caused PHP to fail to send mail as well.
 
Have you created the certificate for your hostname? If yes, you also have to add mail.yourdomain.tld to the list of domains for the hostname certificate. I did it this way and it worked.

This file: /usr/local/directadmin/conf/ca.san_config

Regards
 
Have you created the certificate for your hostname? If yes, you also have to add mail.yourdomain.tld to the list of domains for the hostname certificate. I did it this way and it worked.

This file: /usr/local/directadmin/conf/ca.san_config

Regards

Yes and yes. Letsencrypt script makes certs both for the domain and mail.domain.com with no problem. But the mail client still shows invalid (local) cert for mail.domain.com
 
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096

For some reason it didn't automatically update these certificates, maybe because it doesn't do the reboots? Is this planned for 1.50.2?
 
Hello SeLLeRoNe,

I mentioned earlier that the configuration worked. But today I tried the check again and dovecot and exim cannot verify the certificate for the domain(s). I have added the domain names in the /usr/local/directadmin/conf/ca.san_config file. When I test the outcome those domains are not mentioned in the certificate and I only get the hostname.

Are there people here who have e-mail with TLS and Let's Encrypt certificates?
 
After you added the domain did you run again the letsencrypt script? Have you restarted the services after that?

Regards
 
Hi SeLLeRoNE,

Sorry for the delayed reaction.....

Yes, through directadmin, I have selected mail.domain.com (in the Let's encrypt options) and added it manually to the global san config. Restarted Dovecot and Exim but no luck. The mailserver is not picking up the domains for secure connections.

Something I am doing wrong?
 
Ok, so I need to add all the domains I want to secure in the main hostname san_config and run the Letsencrypt script afterwards? And this is the "./letsencrypt.sh"-script for the host or the option in DirectAdmin for each domain?

Tnx in advance.
 
Yes, you need to add all the "mail." names in your config for the hostname (but I guess there is a limit on the number of domains you can enter in a single request). Then you need to run the letsencrypt.sh script against the server hostname; this will create the cert with all the listed domains.

After that you should be fine; maybe a restart of dovecot and exim will be required.

Regards
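A quick way to confirm the outcome of the steps above is to check whether the certificate Exim and Dovecot actually present lists mail.yourdomain.tld in its Subject Alternative Name, since that is the mismatch reported earlier in the thread. This is an added example, not code from the thread or from DirectAdmin; it assumes the openssl CLI is installed (1.1.1 or newer for the sample-cert helper) and uses a constructed self-signed certificate as sample input.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin). Assumes the openssl CLI.

# Print the DNS names in a PEM certificate's subjectAltName extension, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Exit 0 if certificate $1 covers hostname $2: an exact SAN match or a
# single-label wildcard (*.example.com covers mail.example.com, not example.com).
cert_covers() {
  _parent=${2#*.}
  for _san in $(san_names "$1"); do
    [ "$_san" = "$2" ] && return 0
    case $_san in
      "*."*) [ "${_san#\*.}" = "$_parent" ] && [ "$_parent" != "$2" ] && return 0 ;;
    esac
  done
  return 1
}

# Fetch the certificate a live STARTTLS service presents for a given SNI name.
# Usage: live_cert mail.example.com 587 smtp > /tmp/exim.pem   (imap on 143, pop3 on 110)
live_cert() {
  openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Constructed sample input: a self-signed cert shaped like a hostname cert that
# also lists mail.example.com in its SAN. Writes $1/cert.pem and $1/key.pem.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=server.example.com" \
    -addext "subjectAltName=DNS:server.example.com,DNS:mail.example.com" >/dev/null 2>&1
}

# Usage: sh check_san.sh cert.pem mail.example.com mail.otherdomain.tld ...
[ $# -gt 1 ] && {
  _cert=$1; shift
  for _name; do
    cert_covers "$_cert" "$_name" && echo "$_name: covered" || echo "$_name: NOT covered"
  done
}
```

To test a running server, save the output of live_cert to a file and pass it to cert_covers; if the name is missing, the SAN list in ca.san_config was not picked up and the request/restart steps need repeating.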
 
Tnx, it works now. I thought the sh script was only in the beta.

What if you have more than 20 domains you want to register with secure e-mail?
 
That's a nice question, but I honestly don't know. Maybe Martynas (smtalk) can reply to this, but I think it is more likely a limitation of the Let's Encrypt service rather than the script.

Regards
 
Why not simply replace all mail.domain.com with mail.hostname.com and let users use mail.hostname.com for their SMTP and mail server?
 