Installing Let’s Encrypt Free SSL Certificate on iRedMail
Installing an SSL certificate on iRedMail, especially Let’s Encrypt is not so straightforward. Therefore, I had to write an article about it. If you have been following the installation of iRedMail, then already know I used the iRedMail installer in my tutorial on iRedMail. So the steps to install an SSL certificate are as follows.
Requesting a free cert from Let’s Encrypt
First of all, we need to install certbot to get a certificate from Let’s Encrypt.
apt install certbot
Next, verify the request process with a dry run. This will not install the certificate but rather verify the DNS records.
certbot certonly --webroot --dry-run -w /var/www/html -d mail.inlearn.in
Next, you will be asked for an email address and to accept tos. Answer that.
Now if everything went smoothly and you didn’t get any error then run the following command to get the certificate.
certbot certonly --webroot -w /var/www/html -d mail.inlearn.in
After successful execution of this command, SSL certificates were stored in the directory /etc/letsencrypt/live/mail.inlearn.in/
Now we need to change the permissions of this directory.
chmod 0644 /etc/letsencrypt/{live,archive}
Install the SSL Certificate for iRedMail
Now we have an SSL certificate ready to put in use. Run the following command to backup existing private keys
mv /etc/ssl/certs/iRedMail.crt{,.bak}
mv /etc/ssl/private/iRedMail.key{,.bak}
It’s time to create a symbolic link to the Let’s Encrypt files, or in simple words to install the certificate
ln -s /etc/letsencrypt/live/mail.inguide.in/fullchain.pem /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mail.inguide.in/privkey.pem /etc/ssl/private/iRedMail.key
Restart the services with the following command
systemctl restart dovecot
systemctl restart postfix
systemctl restart nginx
systemctl restart slapd
Now, go refresh the page to load the new certificate.
Automatically renewing the certificate
Install new crontab with the command:
crontab -e
To type anything inside crontab press A on your keyboard. And then copy the following line
1 3 * * * certbot renew --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'
After the close the editor with esc + :wq
Conclusion
The brand new Let’s Encrypt SSL is ready on your iRedMail server. You can check it by visiting iRedMail admin, Webmail, etc. Also, you will not receive any warning while submitting emails via SMTP or connecting from popular Email clients like Outlook, Thunderbird, etc.
Let me know in the comments how you install SSL on iredMail.
How about using Cloudflare SSL rather than use lets encrypt. I think it’s better to protect the site via cloudflare.
helpful information btw. setup my own email server for 20 domains now.
Well, I haven’t thought about using Cloudflare. But thanks for the information, I will check if we can use Cloudflare SSL.
Please do you have a tutorial like this one for installing let’s encrypt on PowerMTA?
Noted
I have problem whit command :
certbot certonly –webroot –dry-run -w /var/www/html -d mail.inguide.in
Results:
ive
root@mail:/home/ally# certbot certonly –webroot –dry-run -w /var/www/html -d mail.diplomaout.live
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.diplomaout.live
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain mail.diplomaout.live
http-01 challenge for mail.diplomaout.live
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: mail.diplomaout.live
Type: connection
Detail: Fetching
http://mail.diplomaout.live/.well-known/acme-challenge/YALAnjbgtjH5FXFj8qqRbNK8R2miQkz2LqyapkysOak:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@mail:/home/ally#
What to do, can you help please ?
Thx
Ally
ally@diplimaout.live
Please open your Firewall
How could I add SSL to postal while trying to validate my nailwizz server using credentials from my postal this is the error message I got that my SSL has expired
Cannot send the confirmation email using the data you provided.
Here is a transcript of the error message:
cURL error 60: SSL certificate problem: certificate has expired
what should I do sir?
Ask your questions in the right place. If you are SSL is not enabled on postal don’t use “HTTPS” in API on Mailwizz. Simply use “http”
HI, letsencrypt working well for for web page but its showing warning for smtp and imap ports while configuring on outlook and other mailboxes also, any fixes or this..
my mail server crashed after your setup. so can be what it is not actual anymore?
sorry. my fault. accidentally pressed wrong button in domain directory. sorry.