Installing Let’s Encrypt Free SSL Certificate on iRedMail

lets-encypt-certificate

Installing SSL certificate on iRedMail, especially Let’s encrypt is not so straightforward. Therefore, I had to write an article about it. If you have been following the installation of iRedMail, then already know I used the iRedMail installer in my tutorial on iRedMail. So the steps to install an SSL certificate is as follows.

Requesting a free cert from Let’s Encrypt

First of all, we need to install certbot to get a certificate from Let’s encrypt.

apt install certbot

Next, verify the request process with a dry run. This will not install the certificate rather verify the DNS records.

certbot certonly --webroot --dry-run -w /var/www/html -d mail.inguide.in

Next, you will be asked for an email address and to accept tos. Answer that.

Now if everything went smoothly and you didn’t get any error then run the following command to get the certificate.

certbot certonly --webroot -w /var/www/html -d mail.inguide.in

After successful execution of this command, SSL certificates were stored in the directory /etc/letsencrypt/live/mail.inguide.in/

Now we need to change the permissions of this directory.

chmod 0644 /etc/letsencrypt/{live,archive}

Install the SSL Certificate for iRedMail

Now we have SSL certificate ready to put in use. Run the following command to backup existing private keys

mv /etc/ssl/certs/iRedMail.crt{,.bak}   
mv /etc/ssl/private/iRedMail.key{,.bak}

It’s time to create a symbolic link to the Let’s Encrypt files, or in simple words to install the certificate

ln -s /etc/letsencrypt/live/mail.inguide.in/fullchain.pem /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mail.inguide.in/privkey.pem /etc/ssl/private/iRedMail.key

Restart the services with the following command

systemctl restart dovecot
systemctl restart postfix
systemctl restart nginx
systemctl restart slapd

Now, go refresh the page to load the new certificate.

Automatically renewing the certificate

Install new crontab with the command:

crontab -e

In order to type anything inside crontab press A on your keyboard. And then copy the following line

1   3   *   *   *   certbot renew --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'

After the close the editor with esc + :wq

Conclusion

The brand new Let’s Encrypt SSL is ready on your iRedMail server. You can check it by visiting iRedMail admin, Webmail, etc. Also, you will not receive any warning while submitting emails via SMTP or connecting from popular Email clients like Outlook, Thunderbird, etc.

Let me know in the comments how do you install SSL on iredMail.

9 replies
  1. Michael Archer
    Michael Archer says:

    How about using Cloudflare SSL rather than use lets encrypt. I think it’s better to protect the site via cloudflare.

    helpful information btw. setup my own email server for 20 domains now.

    Reply
  2. Ales
    Ales says:

    I have problem whit command :

    certbot certonly –webroot –dry-run -w /var/www/html -d mail.inguide.in
    Results:
    ive
    root@mail:/home/ally# certbot certonly –webroot –dry-run -w /var/www/html -d mail.diplomaout.live
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mail.diplomaout.live
    Using the webroot path /var/www/html for all unmatched domains.
    Waiting for verification…
    Challenge failed for domain mail.diplomaout.live
    http-01 challenge for mail.diplomaout.live
    Cleaning up challenges
    Some challenges have failed.

    IMPORTANT NOTES:
    – The following errors were reported by the server:

    Domain: mail.diplomaout.live
    Type: connection
    Detail: Fetching
    http://mail.diplomaout.live/.well-known/acme-challenge/YALAnjbgtjH5FXFj8qqRbNK8R2miQkz2LqyapkysOak:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@mail:/home/ally#

    What to do, can you help please ?
    Thx
    Ally
    ally@diplimaout.live

    Reply
  3. calistus
    calistus says:

    How could I add SSL to postal while trying to validate my nailwizz server using credentials from my postal this is the error message I got that my SSL has expired

    Cannot send the confirmation email using the data you provided.

    Here is a transcript of the error message:
    cURL error 60: SSL certificate problem: certificate has expired

    what should I do sir?

    Reply
  4. Ajin
    Ajin says:

    HI, letsencrypt working well for for web page but its showing warning for smtp and imap ports while configuring on outlook and other mailboxes also, any fixes or this..

    Reply

Trackbacks & Pingbacks

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.