Let's Encrypt Setup After SlackerMail Script Install

1. First prepare for the Let’s Encrypt’s verification challenge with:

   Apache Web Server
   mkdir -p /var/www/htdocs/.well-known/acme-challenge
   chgrp -R apache /var/www/htdocs/.well-known
   
   Nginx Web Server
   mkdir -p /var/www/html/.well-known/acme-challenge
   chgrp -R nginx /var/www/html/.well-known
   

2. Then create a new /etc/dehydrated/config file with the following echo command, and edit it with your email address:

   Apache Web Server
   echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory"
   CHALLENGETYPE="http-01"
   WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
   CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/config
   
   Nginx Web Server
   echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory"
   CHALLENGETYPE="http-01"
   WELLKNOWN="/var/www/html/.well-known/acme-challenge"
   CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/config
   

3. Then create the /etc/dehydrated/domains.txt file with the following echo command, and then edit it for your FQDN and subdomains:

   echo -e 'mail.example.org www.example.org example.org' > /etc/dehydrated/domains.txt
   

4. Next restart Web Server with:

   Apache Web Server
   /etc/rc.d/rc.httpd restart
   
   Nginx Web Server
   /etc/rc.d/rc.nginx restart
   
   Notice! Make sure you can reach your domain at https://example.org before you proceed with Let's Encrypt SSL certs.
   

5. Run the dehydrated commands below one line at a time:

   /usr/bin/dehydrated --register --accept-terms
   dehydrated -c
   

6. After dehydrated has installed the Let's Encrypt certs, run the following chmod commands. Make sure to adjust for your FQDN:

   chmod 0755 /etc/dehydrated/certs /etc/dehydrated/certs/mail.example.org
   chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}
   

7. If everything seemed to work, then edit /etc/httpd/extra/httpd-ssl.conf for Apache or /etc/nginx/conf.d/mailserver.conf for Nginx, and
   comment or delete the reference to the old self signed certs and add the reference to the Let's Encrypt certs, and of course adjust for
   your FQDN:

   Apache Web Server
   SSLCertificateFile "/etc/dehydrated/certs/mail.example.org/fullchain.pem"
   SSLCertificateKeyFile "/etc/dehydrated/certs/mail.example.org/privkey.pem"
   
   Restart Apache to use the new certs: /etc/rc.d/rc.httpd restart
   
   Nginx Web Server
   ssl_certificate /etc/dehydrated/certs/mail.example.org/fullchain.pem;
   ssl_certificate_key /etc/dehydrated/certs/mail.example.org/privkey.pem;
   
   Restart Nginx to use the new certs: /etc/rc.d/rc.nginx restart
   

8. You can use the Let's Encrypt certs for Postfix, Dovecot, and Webmin.
   
   Postfix - Put the following reference to the Let's Encrypt certs in /etc/postfix/main.cf

   smtpd_tls_key_file= /etc/dehydrated/certs/mail.example.org/privkey.pem
   smtpd_tls_cert_file= /etc/dehydrated/certs/mail.example.org/fullchain.pem
   
   Restart Postfix to use the new certs: /etc/rc.d/rc.postfix restart
   

   Dovecot - Put the following reference to the Let's Encrypt certs in /etc/dovecot/conf.d/10-ssl.conf

   ssl_cert = </etc/dehydrated/certs/mail.example.org/fullchain.pem
   ssl_key = </etc/dehydrated/certs/mail.example.org/privkey.pem
   
   Restart Dovecot to use the new certs: /etc/rc.d/rc.dovecot restart
   

   Webmin - Put the following reference to the Let's Encrypt certs in /etc/webmin/miniserv.conf

   keyfile=/etc/dehydrated/certs/mail.example.org/privkey.pem
   certfile=/etc/dehydrated/certs/mail.example.org/fullchain.pem
   
   Restart Webmin to use the new certs: /etc/webmin/restart
   

9. Let's Encrypt certs are good for 90 days, so you have to renew them. We'll create a cron.weekly job to check for renewals,
   and send you an email with the results with the following echo command, and of course edit for your FQDN.

   echo -e '#!/bin/sh
   MYLOG=/var/log/dehydrated
   echo "Checking cert renewals at `date`" > $MYLOG
   /usr/bin/dehydrated -c >> $MYLOG 2>&1
   chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}
   mail -s "Let'\''s Encrypt Certs Renewal" -r dehydrated@example.org root@example.org < /var/log/dehydrated
   
   DATE1=$(date +"%m%d%Y")
   DATE2=$(date +"%m%d%Y" -r /etc/dehydrated/certs/mail.example.org/cert.pem)
   
   if [ "$DATE1" == "$DATE2" ]; then
      /etc/rc.d/rc.httpd restart >/dev/null 2>&1
      /etc/rc.d/rc.nginx restart >/dev/null 2>&1
      /etc/webmin/restart >/dev/null 2>&1
      /etc/rc.d/rc.postfix restart >/dev/null 2>&1
      /etc/rc.d/rc.dovecot restart >/dev/null 2>&1 
   fi' > /etc/cron.weekly/dehydrated-renew
   

   Then make it executable with the following:
   

   chmod 0755 /etc/cron.weekly/dehydrated-renew
   

   Then run /etc/cron.weekly/dehydrated-renew and check the log to see if it's working and logging properly:

   /etc/cron.weekly/dehydrated-renew
   cat /var/log/dehydrated
   

   That should do it for Let's Encrypt.

   SSL Labs - Great place to check how your SSL implementation is working. I get a score of A+ with this server. You can't do these test with
   self signed certificates, so run this test after you get the Let's Encrypt certs.

Powered by: Slackware64-15.0 Apache v2.4.66 SlackerMail v0.60.1

Please send any feedback to: wjack@the-slacker.com