How to use Let's Encrypt certificate for Exim and Dovecot

corneyl (Verified User, joined May 5, 2015)
Certificates obtained by using Let's Encrypt are saved with -rw------- rights and owned by diradmin:diradmin.

What is the best way to use such a certificate for Exim/Dovecot? Copying its content to /etc/exim.{crt,key} is not an option because you have to do that every three months. But with the current rights Exim has no read access to the certificate files.

Thanks!
 
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096
 
That messed the whole thing up, because I already had a certificate for that domain, and I think that a new key was generated by this command, which resulted in nginx going down or something like that. At least I got the following error:
Code:
failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values
nginx: configuration file /etc/nginx/nginx.conf test failed
But in the meantime I also tried to request a certificate for hostname.com, maybe that messed things up.

But still, what exactly does this command do? Where is the generated certificate saved? It seems to be at /etc/httpd/conf/ssl.key/server.key and /etc/httpd/conf/ssl.crt/server.crt, but that certificate is for pop.server.hostname.com, smtp.server.hostname.com, server.hostname.com, www.server.hostname.com, mail.server.hostname.com, ftp.server.hostname.com, while I want to use pop.hostname.com etc., so without the server part.

So I'm still confused about how to do that, and my uptime monitoring still cannot connect using SSL, while SSL Labs reports an A configuration...
 
That command should be used for the server hostname only (output from the command "hostname"). It sets up the cert automatically for Exim/Dovecot, the FTP service, and the WWW server.

Paths where the certs are saved:
Code:
/etc/exim.cert
/etc/pure-ftpd.pem
/etc/nginx/ssl.crt/server.crt
/etc/httpd/conf/ssl.crt/server.crt
/usr/local/directadmin/conf/cacert.pem
 
Ok, thanks, that is very helpful and convenient!

Is there also a san_config file where one can change the domains for which the certificate should be valid?
 
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096

Thank you for this, I was looking for the same thing. Just to be sure, requesting it manually, will it also be automatically renewed?
 
Not sure if I am in the right thread, but I am trying to use this so that Outlook stops asking me about the certificate. I am running a server named vps.server.com and have a domain domain.nl. letsencrypt=1.

Now I have successfully installed the certificate on domain.nl.

When I surf to www.domain.nl, everything is fine. But when I enter mail.domain.nl in the Outlook settings, I still get the message that the certificate is not valid. Am I forgetting something?
 
Ok, executed the command for the user's domain. It states that a key was generated successfully, but still the wrong certificate is issued (checked using http://www.checktls.com/perl/TestReceiver.pl):

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.nl 4096 "" /var/www/html/
Getting challenge for domain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.domain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.domain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for domain.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/user/domains/domain.nl.key.new"
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................................................++
...........................................................++
e is 65537 (0x10001)
Certificate for domain.nl has been created successfully!
 
Still no success.

Just to be sure:
 
I'm somewhat fighting with this issue too at the moment.

The hostname Let's Encrypt cert seems to be installed properly. Same goes for domains.
I've given certain domains a separate Let's Encrypt cert as well; this seems to work well for HTTPS browsing, but for email from those domains, when trying to use the LE cert for a subdomain like "mail.domain.nl", emails sent from these domains are being rejected because the domain name doesn't match the hostname in the cert.

Testing an email-address ([email protected]) at CheckTLS.com, gives this result;
Code:
[001.257] Cert VALIDATED: ok
[001.257] Cert Hostname DOES NOT VERIFY (mail.mydomain.nl != server.hostname.net)
[001.257] So email is encrypted but the host is not verified

So, how does one get this to work properly?

(I think these kinds of things should/could be handled more clearly by DA.
DA could have a table or an extra column in DNS Administration showing which domains have certs installed, and also which subdomains are incorporated into the cert.)


Edit:
Just found out the cert error is also triggered on domains I haven't installed a separate LE cert for, so something isn't 'connecting' yet in my setup, it seems.

-------
2nd EDIT:
Found out the following;

Service : Domain -> Hostname in cert -> Result
Apache  : mydomain.nl -> mydomain.nl -> Match
Exim    : mail.mydomain.nl -> server.hostname.net -> No match
 
I just discovered this thread, and there has been no answer since last month.

I would like to use letsencrypt only for exim and dovecot, not for www.
But on the current (default) exim.key and exim.cert, this is also happening:
Exim : mail.mydomain.nl -> server.hostname.net -> No match

1.) Is it even possible to only use Let's encrypt for Exim and dovecot and not for www?
2.) Has somebody found a solution to this issue (mentioned above) yet?
 
I tried requesting a certificate for my VPS, but it ended up without success. Requesting certificates for the domains that are hosted on that server works perfectly though!

I'm using letsencrypt=1 in directadmin.conf:
Code:
# cd /usr/local/directadmin/scripts
[root@server03 scripts]# ./letsencrypt.sh request server03.myserver.eu 4096
Setting up certificate for a hostname: server03.myserver.eu
Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
.++
..............................................................................................++
e is 65537 (0x10001)
Account has been registered.
Getting challenge for server03.myserver.eu from acme-server...
./letsencrypt.sh: line 319: /var/www/html/.well-known/acme-challenge/: Is a directory
./letsencrypt.sh: line 322: [: -ne: unary operator expected
Waiting for domain verification...
rm: cannot remove `/var/www/html/.well-known/acme-challenge/': Is a directory
Challenge is . Details: . Exiting...

The san_config file is created correctly:
Code:
# cat /usr/local/directadmin/conf/ca.san_config
[ req_distinguished_name ]
CN = server03.myserver.eu
[ req ]
distinguished_name = req_distinguished_name
[SAN]
subjectAltName=DNS:server03.myserver.eu, DNS:www.server03.myserver.eu, DNS:mail.server03.myserver.eu, DNS:ftp.server03.myserver.eu, DNS:pop.server03.myserver.eu, DNS:smtp.server03.myserver.eu

Like I said, requesting certificates for hosted domains works well. Any ideas on this?

Regards,
Danny
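The CheckTLS mismatch reported earlier in the thread (mail.mydomain.nl versus server.hostname.net) and the ca.san_config shown in the post above come down to one question: which DNS names are in the SAN list of the certificate Exim presents. The script below is an added example, not part of the thread and not DirectAdmin's letsencrypt.sh. It writes a san_config in the same shape as the one above, issues a self-signed stand-in for the Let's Encrypt certificate from it, and then runs the hostname check a mail client or CheckTLS applies against the names used in the thread. Assumptions: openssl is on PATH; server.hostname.net and mail.mydomain.nl are the placeholder names from the thread; the added "prompt = no" line is needed only because the certificate is built directly from the file rather than with a subject passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the thread or of DirectAdmin's letsencrypt.sh.
# Rebuilds a certificate with the SAN layout of ca.san_config shown in the
# thread and checks which names it verifies for, the way CheckTLS checks Exim.
# Assumptions: "openssl" is on PATH; server.hostname.net and mail.mydomain.nl
# are the placeholder names used in the thread.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a san_config in the shape DirectAdmin creates for a hostname request.
# "prompt = no" is added so openssl uses the CN literally instead of prompting;
# the thread's file omits it (assumption: the script passes the subject itself).
write_san_config() {
    host=$1
    out=$2
    cat > "$out" <<EOF
[ req_distinguished_name ]
CN = $host
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[SAN]
subjectAltName=DNS:$host, DNS:www.$host, DNS:mail.$host, DNS:ftp.$host, DNS:pop.$host, DNS:smtp.$host
EOF
}

# Self-signed stand-in for the Let's Encrypt certificate: same SAN list, so
# hostname checks behave identically (only chain validation would differ).
make_selfsigned_cert() {
    cfg=$1
    key=$2
    crt=$3
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$key" -out "$crt" -config "$cfg" -extensions SAN >/dev/null 2>&1
}

# One DNS SAN per line, lower-cased. Uses -text so it works on old OpenSSL too.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p' \
      | tr 'A-Z' 'a-z'
}

# Does the certificate verify for this hostname? Exact SAN match, or a single
# leftmost wildcard label (RFC 6125), which is what mail clients apply.
cert_matches_host() {
    crt=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=${name#*.}
    matched=1
    while read -r san; do
        if [ "$san" = "$name" ]; then
            matched=0
            break
        fi
        case $san in
            \*.*)
                if [ "${san#\*.}" = "$parent" ] && [ "$parent" != "$name" ]; then
                    matched=0
                    break
                fi ;;
        esac
    done <<EOF
$(cert_sans "$crt")
EOF
    return $matched
}

# Live variant for a running MTA: fetch what Exim presents on STARTTLS for the
# name Outlook or CheckTLS would connect to, then run the same check.
# Not executed in the demo below because it needs network access.
check_exim_host() {
    live="$WORK/live.crt"
    openssl s_client -connect "$1:25" -starttls smtp -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -out "$live" 2>/dev/null || return 2
    cert_matches_host "$live" "$1"
}

# Demo: the hostname cert for server.hostname.net versus the names in the thread.
write_san_config server.hostname.net "$WORK/ca.san_config"
make_selfsigned_cert "$WORK/ca.san_config" "$WORK/server.key" "$WORK/server.crt"
echo "SANs in the hostname certificate:"
cert_sans "$WORK/server.crt" | sed 's/^/  /'
for name in server.hostname.net smtp.server.hostname.net mail.mydomain.nl; do
    if cert_matches_host "$WORK/server.crt" "$name"; then
        echo "$name: Cert Hostname verifies"
    else
        echo "$name: Cert Hostname DOES NOT VERIFY"
    fi
done
```

The demo prints the six server.hostname.net names and then reports that mail.mydomain.nl does not verify, which is exactly the CheckTLS line quoted above: the hostname certificate only ever contains names under the server hostname, so a client connecting to mail.mydomain.nl can never match it. To test the real server, call check_exim_host mail.mydomain.nl; it returns 0 on a match, 1 on a mismatch and 2 if no certificate could be fetched.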
 