Using LetsEncrypt with SurgeMail


This page shows how to use Let's Encrypt with SurgeMail to obtain SSL/TLS certificates.


Stop Apache if it's running, and uninstall it (unless you want to use it). SurgeMail needs to own port 80 itself, because the Let's Encrypt servers fetch the validation challenge from SurgeMail's web root.

    /etc/init.d/apache2 stop

(The above just stops it; look up how to uninstall it properly for your distribution.)

Install Surgemail

    Download from https://netwinsite.com/surgemail/download.htm

Install the Let's Encrypt client (certbot) if it isn't on your system:

Linux

    https://certbot.eff.org/ will tell you how to install it; just select your version of Linux.

    For Ubuntu it told me to do this:

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

    Note that certbot-auto has since been retired; certbot.eff.org now gives per-distribution package or snap instructions, and the command line switches below are the same for the packaged certbot.

Windows

    Download from:
        https://github.com/Lone-Coder/letsencrypt-win-simple/releases

    Uncompress it into a folder, e.g. c:\letsencrypt

Configure SurgeMail to listen on ports 80 and 443, and check that both are reachable from the Internet (the Let's Encrypt servers must be able to fetch the challenge file over port 80).

    Edit /etc/surgemail.ini, set g_webmail_port "80" and g_webmail_secure_port "443", then restart SurgeMail:

    tellmail exit
    /usr/local/surgemail/surgemail_start.sh

Use the Let's Encrypt client (certbot on Linux) to create your certificates:

Set g_ssl_per_dom "true" if you want a separate certificate for each domain.

Generate the commands from SurgeMail (7.2d9 and later):

    tellmail letsencrypt

This writes a script, lets.cmd, which you run from the folder the Let's Encrypt client was installed in:

Windows

    cd \letsencrypt
    \surgemail\lets.cmd

Linux

    cd (path to certbot)
    source /usr/local/surgemail/lets.cmd

Manually (prior to 7.2d9, on Linux)

I'm using the -auto variant as certbot isn't installed; the command line switches are identical. Replace MAIL.YOUR.DOMAIN.NAME with the hostname that has the A record for your server, not the bare domain name (so mail.your.domain.name, not your.domain.name).

    ./certbot-auto certonly --webroot -w /usr/local/surgemail/www -d MAIL.YOUR.DOMAIN.NAME

Initially this failed for me as the DNS name I had just created took a while to propagate to the Let's Encrypt systems; if it fails for you it should tell you something useful about why, so read the error you get carefully.

Copy the certificates to SurgeMail and restart it.

Define g_letsencrypt in surgemail.ini; on Windows, replace USERNAME with the Windows account the client was run under, as that is where it keeps its config folder.

Windows

You can find the correct path in the letsencrypt-win-simple output:

    C:\lets>letsencrypt --manualhost MAIL.DOMAIN.COM --webroot \surgemail\www
    Let's Encrypt (Simple Windows ACME Client)
    Renewal Period: 60
    Certificate Store: WebHosting

    ACME Server: https://acme-v01.api.letsencrypt.org/
    Config Folder: C:\Users\YOURUSERNAME\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

    g_letsencrypt "\Users\USERNAME\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org"

Linux

    g_letsencrypt "/etc/letsencrypt/live/"

Both

Use tellmail to copy the files into SurgeMail and reload SSL:
    tellmail letsencrypt_copy

Manually (prior to 7.2d9, on Linux)

    cp /etc/letsencrypt/live/mail3.netwinsite.com/fullchain.pem /usr/local/surgemail/ssl/surge_cert.pem
    cp /etc/letsencrypt/live/mail3.netwinsite.com/privkey.pem /usr/local/surgemail/ssl/surge_priv.pem
    tellmail exit
    /usr/local/surgemail/surgemail_start.sh

Test the new certificate by browsing to:

    https://mail.your.domain.name

Set up a cron job to renew the certificate (Linux only).

You may need a cron job to run certbot and copy the certificates. Refer to the Let's Encrypt documentation for up-to-date information on the best practice for this; my belief is that a monthly cron job something like this would be reasonable.

    Crontab entry:   0 0 1 * * /root/monthly.sh

Where /root/monthly.sh contains:

    #!/bin/bash
    # cron runs this from $HOME, not from where certbot-auto was downloaded,
    # so give the absolute path to certbot-auto rather than ./certbot-auto.
    # --non-interactive stops certbot waiting for a prompt under cron, and
    # --keep-until-expiring leaves a still-valid certificate alone.
    /path/to/certbot-auto certonly --webroot -w /usr/local/surgemail/www -d MAIL.YOUR.DOMAIN.NAME \
        --non-interactive --keep-until-expiring
    # Next lines not required after 7.2d9 as surgemail will scan and copy the files daily...
    cp /etc/letsencrypt/live/MAIL.YOUR.DOMAIN.NAME/fullchain.pem /usr/local/surgemail/ssl/surge_cert.pem
    cp /etc/letsencrypt/live/MAIL.YOUR.DOMAIN.NAME/privkey.pem /usr/local/surgemail/ssl/surge_priv.pem
    tellmail ssl_reload
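Both the manual copy step and the monthly script above install whatever is in /etc/letsencrypt/live/ without looking at it. The script below is an added example (it is not from this page, nor part of SurgeMail) that does the same copy defensively: it confirms that fullchain.pem and privkey.pem belong together, refuses a certificate that is expired or about to expire, only overwrites SurgeMail's files when they actually changed, keeps the private key readable by root only, and then runs tellmail ssl_reload. The paths are the ones used on this page; the function names and the RELOAD_CMD override are my assumptions.

```shell
#!/bin/sh
# Added example (not from this page or from SurgeMail): install the Let's
# Encrypt files into SurgeMail's ssl/ directory only after checking them.
# Usage: install_surgemail_cert /etc/letsencrypt/live/MAIL.YOUR.DOMAIN.NAME /usr/local/surgemail/ssl
# RELOAD_CMD (an assumed variable name) overrides the reload command,
# which defaults to "tellmail ssl_reload".
set -u

# A certificate and key belong together when the public key embedded in the
# certificate equals the public half of the private key (compared as SPKI PEM).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Refuse a certificate that is expired or expires within 24 hours: a cron job
# that installs a dead certificate takes the mail server's TLS down.
cert_is_current() {
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null
}

install_surgemail_cert() {
    live="$1"
    ssl="$2"
    cert="$live/fullchain.pem"
    key="$live/privkey.pem"

    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; return 1; }
    cert_is_current "$cert" || { echo "$cert is expired or about to expire" >&2; return 1; }

    # Nothing to do (and no reload) when SurgeMail already has this exact pair.
    if cmp -s "$cert" "$ssl/surge_cert.pem" && cmp -s "$key" "$ssl/surge_priv.pem"; then
        echo "certificate unchanged"
        return 0
    fi

    mkdir -p "$ssl"
    # cp follows the symlinks in live/, so SurgeMail gets a real file.
    cp "$cert" "$ssl/surge_cert.pem"
    # Create the key copy under a restrictive umask so it is never readable by
    # other users, not even briefly; chmod covers a pre-existing file.
    ( umask 077 && cp "$key" "$ssl/surge_priv.pem" )
    chmod 600 "$ssl/surge_priv.pem"

    echo "installed new certificate, reloading SSL"
    ${RELOAD_CMD:-tellmail ssl_reload}
}

# Run directly (e.g. from cron) with the two directories as arguments.
if [ "$#" -gt 0 ]; then
    install_surgemail_cert "$@"
fi
```

Call it from the monthly cron script in place of the two cp lines and the tellmail ssl_reload. After it reports a new certificate, confirm from outside the box with openssl s_client -connect mail.your.domain.name:443 -servername mail.your.domain.name and check the chain and the notAfter date it prints.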