-
First prepare the directory that Let's Encrypt fetches from during the http-01 verification challenge with:
Apache Web Server
mkdir -p /var/www/htdocs/.well-known/acme-challenge
chgrp -R apache /var/www/htdocs/.well-known
Nginx Web Server
mkdir -p /var/www/html/.well-known/acme-challenge
chgrp -R nginx /var/www/html/.well-known
-
Then create a new /etc/dehydrated/config file with the following echo command, and edit it to put in your own email address:
Apache Web Server
echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/config
Nginx Web Server
echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/var/www/html/.well-known/acme-challenge"
CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/config
-
Then create the /etc/dehydrated/domains.txt file with the following echo command, and edit it for your FQDN and subdomains (all names on one line go into a single cert, with the first name as its primary name):
echo -e 'mail.example.org www.example.org example.org' > /etc/dehydrated/domains.txt
-
Next, restart the web server with:
Apache Web Server
/etc/rc.d/rc.httpd restart
Nginx Web Server
/etc/rc.d/rc.nginx restart
Notice! Make sure you can reach your domain at https://example.org before you proceed with the Let's Encrypt SSL certs. The http-01 challenge itself is fetched by Let's Encrypt over plain HTTP on port 80, at http://example.org/.well-known/acme-challenge/, so that path must also be reachable from the internet and must not be blocked or redirected somewhere the token is not served.
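Most http-01 failures with dehydrated come from the challenge directory not being served at the path the CA requests. The following self-test is an added example, not part of the original guide or of dehydrated: it writes a random token into the WELLKNOWN directory from /etc/dehydrated/config and fetches it back the way Let's Encrypt would, over plain HTTP at /.well-known/acme-challenge/<token>. It assumes curl is installed; the function names are mine, and the URL base is a parameter so the same check can be run against a file:// URL for an offline dry run.

```shell
#!/bin/sh
# Added example: self-test that the ACME http-01 challenge path is served.
# Assumes curl is installed and WELLKNOWN matches /etc/dehydrated/config.

# acme_selftest WELLKNOWN_DIR URL_BASE
#   Writes a random token into WELLKNOWN_DIR, fetches it back from
#   URL_BASE/.well-known/acme-challenge/<token> and compares the bodies.
#   Returns 0 when the served content matches, 1 otherwise.
acme_selftest() {
    wellknown="$1"
    urlbase="$2"
    token="selftest-$$-$(date +%s)"
    body="ok-$token"
    mkdir -p "$wellknown" || return 1
    printf '%s\n' "$body" > "$wellknown/$token" || return 1
    fetched=$(curl -fsS --max-time 10 "$urlbase/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$wellknown/$token"          # never leave test tokens behind in a public directory
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: could not fetch $urlbase/.well-known/acme-challenge/$token (curl exit $rc)" >&2
        echo "      check that port 80 is open and that the path is not redirected elsewhere" >&2
        return 1
    fi
    if [ "$fetched" != "$body" ]; then
        echo "FAIL: fetched content differs from the token written (got: $fetched)" >&2
        return 1
    fi
    echo "OK: $urlbase serves $wellknown"
    return 0
}

# acme_selftest_domains WELLKNOWN_DIR DOMAINS_FILE
#   Runs the self-test for every name in domains.txt (names are space separated;
#   '#' starts a comment and '>' introduces dehydrated's alias syntax, both stripped).
#   Returns 1 if any name fails.
acme_selftest_domains() {
    wellknown="$1"
    domains="$2"
    status=0
    for name in $(sed -e 's/#.*//' -e 's/>.*//' "$domains"); do
        acme_selftest "$wellknown" "http://$name" || status=1
    done
    return $status
}

# Usage on the server, with the values from the guide's Nginx config:
#   acme_selftest_domains /var/www/html/.well-known/acme-challenge /etc/dehydrated/domains.txt
```

Run it as root (the directory is root-owned with the web server's group). A FAIL for one name usually means a firewall rule on port 80, a virtual host that does not serve /.well-known/acme-challenge for that name, or a redirect to a location where the token is not present.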
-
Run the dehydrated commands below one line at a time:
/usr/bin/dehydrated --register --accept-terms
dehydrated -c
-
After dehydrated has installed the Let's Encrypt certs, run the following chmod commands so the services below can read the public certificate files (these only touch cert, chain and fullchain; the private key stays readable by root only). Make sure to adjust for your FQDN:
chmod 0755 /etc/dehydrated/certs /etc/dehydrated/certs/mail.example.org
chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}
-
If everything seemed to work, edit /etc/httpd/extra/httpd-ssl.conf for Apache or /etc/nginx/conf.d/mailserver.conf for Nginx:
comment out or delete the reference to the old self-signed certs and add the reference to the Let's Encrypt certs, again adjusted for
your FQDN:
Apache Web Server
SSLCertificateFile "/etc/dehydrated/certs/mail.example.org/fullchain.pem"
SSLCertificateKeyFile "/etc/dehydrated/certs/mail.example.org/privkey.pem"
Restart Apache to use the new certs: /etc/rc.d/rc.httpd restart
Nginx Web Server
ssl_certificate /etc/dehydrated/certs/mail.example.org/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mail.example.org/privkey.pem;
Restart Nginx to use the new certs: /etc/rc.d/rc.nginx restart
-
You can use the Let's Encrypt certs for Postfix, Dovecot, and Webmin.
Postfix - Put the following reference to the Let's Encrypt certs in /etc/postfix/main.cf
smtpd_tls_key_file = /etc/dehydrated/certs/mail.example.org/privkey.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/mail.example.org/fullchain.pem
smtpd_tls_CAfile = /etc/dehydrated/certs/mail.example.org/fullchain.pem
Restart Postfix to use the new certs: /etc/rc.d/rc.postfix restart
Dovecot - Put the following reference to the Let's Encrypt certs in /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/dehydrated/certs/mail.example.org/fullchain.pem
ssl_key = </etc/dehydrated/certs/mail.example.org/privkey.pem
Restart Dovecot to use the new certs: /etc/rc.d/rc.dovecot restart
Webmin - Put the following reference to the Let's Encrypt certs in /etc/webmin/miniserv.conf
keyfile=/etc/dehydrated/certs/mail.example.org/privkey.pem
certfile=/etc/dehydrated/certs/mail.example.org/fullchain.pem
Restart Webmin to use the new certs: /etc/webmin/restart
-
Let's Encrypt certs are good for 90 days, so they have to be renewed. The following echo command creates a cron.weekly job that runs the
renewal check and emails you the results; again, edit it for your FQDN. Note that the job does not restart any service: the services above
keep using the cert files they loaded at startup, so restart them after a renewal has actually happened.
echo -e '#!/bin/sh
# Weekly check: dehydrated -c only renews certs that are inside its renewal window (30 days by default)
MYLOG=/var/log/dehydrated
echo "Checking cert renewals at `date`" > $MYLOG
/usr/bin/dehydrated -c >> $MYLOG 2>&1
# dehydrated creates new files with a restrictive umask, so re-open the public files for the mail services
# (brace expansion needs bash as /bin/sh; otherwise write three separate chmod lines)
chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}
mail -s "Let'\''s Encrypt Certs Renewal" -r dehydrated@example.org root@example.org < /var/log/dehydrated' > /etc/cron.weekly/dehydrated-renew
Then make it executable with the following:
chmod 0755 /etc/cron.weekly/dehydrated-renew
Then run dehydrated-renew to see if it's working and logging properly:
/etc/cron.weekly/dehydrated-renew
cat /var/log/dehydrated
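The chmod step earlier and the renewal job above both adjust files under /etc/dehydrated/certs/<FQDN> by hand, so it is worth having a check that can be run after issuance, after each renewal, or from the weekly job. The following audit is an added example, not part of the original guide or of dehydrated: it verifies that the private key is readable by its owner only, that cert.pem, chain.pem and fullchain.pem carry the 0644 mode the guide sets, and that the certificate is not within 30 days of expiry (dehydrated's default renewal threshold), using openssl's -checkend. It assumes openssl and GNU stat are installed; the function names and the RENEW_DAYS variable are mine.

```shell
#!/bin/sh
# Added example: audit a dehydrated certificate directory after issuance or renewal.
# Checks (a) the private key is not readable by group or others, (b) the public
# cert files have the 0644 mode the guide sets, and (c) the certificate is not
# within RENEW_DAYS of expiry. Assumes openssl and GNU stat (stat -L -c).

RENEW_DAYS=30   # dehydrated's default renewal window; adjust if RENEWDAYS is set in config

# file_mode FILE -> prints the octal permission bits of the file the name resolves to
# (-L follows symlinks, because dehydrated's cert.pem etc. are links to timestamped files)
file_mode() {
    stat -L -c '%a' "$1"
}

# audit_cert_dir DIR   (DIR is /etc/dehydrated/certs/<fqdn>)
#   Prints one line per finding; returns 0 if clean, 1 if any problem was found.
audit_cert_dir() {
    dir="$1"
    problems=0

    key="$dir/privkey.pem"
    if [ ! -f "$key" ]; then
        echo "PROBLEM: $key missing"
        problems=1
    else
        mode=$(file_mode "$key")
        # the last two octal digits are group/other; anything but 00 there exposes the key
        case "$mode" in
            *00) ;;
            *)   echo "PROBLEM: $key mode $mode is readable by group or others"; problems=1 ;;
        esac
    fi

    for pub in cert.pem chain.pem fullchain.pem; do
        f="$dir/$pub"
        if [ ! -f "$f" ]; then
            echo "PROBLEM: $f missing"
            problems=1
        elif [ "$(file_mode "$f")" != "644" ]; then
            echo "PROBLEM: $f mode $(file_mode "$f"), expected 644 so Postfix/Dovecot/Webmin can read it"
            problems=1
        fi
    done

    if [ -f "$dir/cert.pem" ]; then
        # -checkend exits 0 if the cert is still valid after the given number of seconds
        if openssl x509 -noout -in "$dir/cert.pem" -checkend $((RENEW_DAYS * 86400)) >/dev/null 2>&1; then
            echo "OK: $dir/cert.pem valid beyond $RENEW_DAYS days ($(openssl x509 -noout -enddate -in "$dir/cert.pem"))"
        else
            echo "PROBLEM: $dir/cert.pem expires within $RENEW_DAYS days or could not be read"
            problems=1
        fi
    fi
    return $problems
}

# Usage: audit_cert_dir /etc/dehydrated/certs/mail.example.org
```

A PROBLEM on the expiry check after the weekly job has run means the renewal did not succeed and /var/log/dehydrated should be read; a PROBLEM on the key permissions means something other than dehydrated changed them, since the chmod lines in this guide deliberately leave privkey.pem alone.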
That should do it for Let's Encrypt.