====== MailCleaner LetsEncrypt Free SSL ======

FIXME Unfinished: automated renewals

https://letsencrypt.org/

===== Install certbot =====

:!: MailCleaner may use a very old Debian base OS that has no ''certbot'' package.

:!: ''certbot-auto'' has been deprecated by the EFF and no longer receives updates. The commands below are kept for older MailCleaner installs where it still runs; on a host where it fails, install ''certbot'' with ''pip'' in a Python virtualenv instead, as the certbot documentation describes. Do not run an unverified download as root: check the script against the detached GPG signature (''certbot-auto.asc'') and the EFF signing key published on certbot.eff.org before moving it into place.

<code bash>
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
</code>

===== Single Server =====

**Follow this howto**: https://opensource.com/article/20/6/secure-open-source-antispam

===== MailCleaner Cluster =====

MailCleaner clusters treat SSL certificates as a **cluster resource** that is synchronized to every cluster server, so one certificate has to be valid for every node's hostname. This means **you need a wildcard SSL certificate** for a MailCleaner cluster (a single certificate listing every node as a SAN would also work, but it has to be reissued every time a node is added or renamed).

LetsEncrypt wildcard SSL certificates require the **DNS-01 challenge**; HTTP-01 cannot issue wildcards. https://letsencrypt.org/docs/challenge-types/

==== DNS-01 Howto ====

=== Scripts ===

You will need to create a couple of scripts.

The ''set-certificate.pl'' script is used to **apply the LE cert after it is acquired**. It is fetched from a third-party gist; read it before running it, since it runs as root and writes the private key and certificate into MailCleaner's configuration.

<code bash>
wget https://gist.github.com/victorlclopes/f5aa081f1a9c76466aaf3f3dc5bd60b7/raw/c97a1400bb30e4439622b089f146b8cb8dc886b7/set-certificate.pl -O /usr/local/bin/set-certificate.pl
chmod +x /usr/local/bin/set-certificate.pl
</code>

FIXME The ''deploylecert.sh'' script is not yet called from ''cron'', because automated renewal is unfinished; it is only passed as the ''--deploy-hook'' of the manual renewal commands further down, so certbot runs it once a renewal has actually produced a new certificate. It **must be edited** with your domain; it just calls the generic ''set-certificate.pl'' script with your details.

<code bash>
cat << 'EOF' > /usr/local/bin/deploylecert.sh
#!/bin/sh
# Deploy the renewed LetsEncrypt certificate to the MailCleaner web UI and
# to both the inbound and the outbound MTA. Replace yourtopleveldomain.tld.
/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
  --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
  --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
  --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem
EOF
chmod +x /usr/local/bin/deploylecert.sh
</code>

=== Get the Certificate ===

We must use the ''manual'' plugin and the ''DNS-01'' challenge for a LetsEncrypt wildcard certificate.
Use the **staging** servers for testing; they have much higher rate limits, but the certificates they issue are not trusted by browsers or mail clients:

<code bash>
certbot-auto certonly --manual --preferred-challenges dns \
  --email you@youremailaddress.tld --no-eff-email --agree-tos --staging \
  --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld
</code>

Use the **production** servers (not staging) to get the **actual cert**:

<code bash>
certbot-auto certonly --manual --preferred-challenges dns \
  --email you@youremailaddress.tld --no-eff-email --agree-tos \
  --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld \
  --pre-hook "/usr/mailcleaner/etc/init.d/apache stop" \
  --post-hook "/usr/mailcleaner/etc/init.d/apache start"
</code>

''--debug-challenges'' makes certbot pause after it has printed the TXT values and before it asks LetsEncrypt to validate them, which is the moment to check the records. The ''--pre-hook''/''--post-hook'' pair that stops and starts Apache is not needed for DNS-01 (no challenge is served on port 80); it is harmless, but it takes the MailCleaner web UI down for the duration of the run.

You will have to add a DNS TXT record for each name specified, two in this case. Both the wildcard and the apex name validate at the **same** record name, ''_acme-challenge.yourtopleveldomain.tld'', so the zone must hold two TXT records with that name at once, one per token. LetsEncrypt validates by querying your zone's authoritative nameservers directly, so check those rather than your local resolver, which may have cached a negative answer from before the record existed.

Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing. YMMV

=== List the Certificate ===

<code bash>
ls /etc/letsencrypt/live/yourtopleveldomain.tld/
</code>

=== Install the Certificate ===

This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS on both MTAs):

<code bash>
/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
  --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
  --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
  --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem
</code>

==== Renew the Certificate Manually ====

We don't use ''certbot renew'' because it cannot complete a ''manual'' DNS-01 challenge unattended: without a ''--manual-auth-hook'' that creates the TXT record, nobody is there to answer the prompt. We must either renew manually, adding new ''_acme-challenge'' TXT records each time, or use a DNS provider with a supported certbot DNS plugin or API (not shown here).

Use **exactly the same domain names** as when the original cert was created, or certbot will create a second certificate lineage instead of renewing the existing one (check with ''certbot-auto certificates'').

You will have to **add** (not replace) a DNS TXT record for each domain and SAN specified, two in this case; the old tokens can be removed once the renewal has succeeded. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing.
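Rather than guessing how long to wait, poll the zone's authoritative nameservers for the token certbot printed and only continue once every one of them answers. The script below is an added example written for this page; it is not part of MailCleaner, certbot or the gist above. It assumes ''dig'' (bind9-dnsutils) is installed, that the zone name and the token are passed as arguments, and that you run it in a second terminal while certbot is paused at its prompt. Run it once per token when renewing the wildcard plus apex pair.

```shell
#!/bin/sh
# wait-for-acme-txt.sh - poll every authoritative nameserver of a zone until
# all of them return the expected _acme-challenge TXT value.
# Added example for this page; not MailCleaner or certbot code.
# Assumes: dig is installed; arguments are the zone and the token from certbot.
#
# Usage: wait-for-acme-txt.sh yourtopleveldomain.tld <token-from-certbot> [max-seconds]

# txt_has_value DIG_OUTPUT EXPECTED -> 0 if EXPECTED is one of the quoted
# TXT strings in DIG_OUTPUT (the output of `dig +short TXT`), else 1.
txt_has_value() {
    _out=$1
    _want=$2
    printf '%s\n' "$_out" | grep -Fxq "\"$_want\""
}

# authoritative_ns ZONE -> the zone's NS hostnames, one per line, no trailing dot.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# all_ns_have ZONE EXPECTED -> 0 only when every authoritative server answers
# the _acme-challenge TXT query with EXPECTED. Prints the status per server.
all_ns_have() {
    _zone=$1
    _want=$2
    _servers=$(authoritative_ns "$_zone") || _servers=""
    if [ -z "$_servers" ]; then
        echo "no NS records found for $_zone (typo, or dig missing?)" >&2
        return 1
    fi
    _missing=0
    for _ns in $_servers; do
        # Query the authoritative server directly: this is what LetsEncrypt does,
        # and it sidesteps negative caching in your local resolver.
        _ans=$(dig +short +time=3 +tries=1 TXT "_acme-challenge.$_zone" "@$_ns") || _ans=""
        if txt_has_value "$_ans" "$_want"; then
            echo "ok      $_ns"
        else
            echo "missing $_ns"
            _missing=1
        fi
    done
    return $_missing
}

# wait_for_txt ZONE EXPECTED [MAX_SECONDS] -> 0 once all servers agree, 1 on timeout.
wait_for_txt() {
    _zone=$1
    _want=$2
    _max=${3:-300}
    _elapsed=0
    while ! all_ns_have "$_zone" "$_want"; do
        if [ "$_elapsed" -ge "$_max" ]; then
            echo "gave up after ${_max}s; check the record in your DNS provider" >&2
            return 1
        fi
        sleep 10
        _elapsed=$((_elapsed + 10))
    done
    echo "all authoritative servers return the token; safe to press Enter in certbot"
}

if [ $# -ge 2 ]; then
    wait_for_txt "$@"
fi
```

The match is on the whole quoted string, so a stale token from a previous issuance that shares the name with the new one is neither mistaken for it nor in the way; only the exact value certbot printed counts.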
^ ''--keep'' | will not renew the cert until it has 30 days or less left (i.e. not before day 60 of its 90-day lifetime); if renewal is not yet due, certbot exits without contacting LetsEncrypt |
^ ''--force-renewal'' | forces a renewal now and counts against the LetsEncrypt duplicate-certificate rate limit (5 per week for the same set of names) |

:!: ''--manual-public-ip-logging-ok'' only silenced the prompt about LetsEncrypt logging the requester's IP address; it became a no-op in later certbot 1.x releases and was removed in certbot 2.0. Drop it if your certbot rejects the flag.

Check and renew the cert only if it has less than 30 days until expiry:

<code bash>
/usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok \
  --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' \
  --deploy-hook /usr/local/bin/deploylecert.sh
</code>

Force cert renewal:

<code bash>
/usr/local/bin/certbot-auto certonly --manual --force-renewal --manual-public-ip-logging-ok \
  --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' \
  --deploy-hook /usr/local/bin/deploylecert.sh
</code>

''--deploy-hook'' runs ''deploylecert.sh'' only when a new certificate was actually obtained, so a ''--keep'' run that is not yet due deploys nothing.

===== Sync SSL Cert to MailCleaner Slaves =====

Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. **Run this on each slave**. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now.

<code bash>
/root/Updater4MC/updater4mc.sh
</code>

===== Testing =====

Test the HTTPS cert from most any Linux machine (''-servername'' sends SNI, so you see the certificate the server selects for that hostname):

<code bash>
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 \
  -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null
</code>

Test the inbound SMTP cert:

<code bash>
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null
</code>

Show the validity dates:

<code bash>
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null 2>/dev/null \
  | openssl x509 -noout -dates
</code>

Also read the ''Verify return code'' line in the ''s_client'' output: ''0 (ok)'' means the chain MailCleaner sends validates against the local trust store; ''unable to get local issuer certificate'' usually means the ''--chain'' file was not applied and clients will see an untrusted certificate.

===== Helpful Commands =====

See also **[[https://certbot.eff.org/docs/using.html|certbot User Guide]]**

List LE certificates (shows each lineage's name, its domains, expiry date and file paths):

<code bash>
certbot-auto certificates
</code>

Delete a cert you don't need (''--cert-name'' is the lineage name shown by ''certificates'', by default the first ''-d'' name given at issuance):

<code bash>
certbot-auto delete --cert-name certname.yourtopleveldomain.tld
</code>
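The individual ''openssl s_client'' checks above only look at one host and one port at a time. The script below is an added example written for this page (not MailCleaner's own code) that checks the whole cluster after the sync step: it takes the SHA-256 fingerprint of the certificate file on disk, compares it with the certificate each node actually presents on 443 and on 25 (after STARTTLS), and warns when the file is within 30 days of expiry. It assumes ''openssl'' is available and that the certificate path and the node hostnames are passed as arguments; the hostnames in the usage line are placeholders.

```shell
#!/bin/sh
# check-cluster-cert.sh - confirm every MailCleaner node serves the certificate
# you deployed, on HTTPS and SMTP STARTTLS, and warn if it expires soon.
# Added example for this page; not MailCleaner's own code.
# Assumes: openssl is installed; arguments are the cert file and node hostnames.
#
# Usage: check-cluster-cert.sh /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
#            mailcleanermaster.yourtopleveldomain.tld mailcleanerslave1.yourtopleveldomain.tld

# pem_fingerprint FILE -> SHA-256 fingerprint of the first certificate in FILE
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_fingerprint HOST PORT [smtp] -> fingerprint of the leaf certificate the
# server presents; with "smtp" the connection negotiates STARTTLS first.
# Prints nothing if the connection or the handshake fails.
served_fingerprint() {
    _host=$1; _port=$2; _proto=$3
    if [ "$_proto" = smtp ]; then
        _extra="-starttls smtp"
    else
        _extra=""
    fi
    # $_extra is intentionally unquoted so it expands to two arguments.
    openssl s_client -connect "$_host:$_port" -servername "$_host" $_extra </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# expires_within_days FILE DAYS -> 0 (true) if the certificate expires within DAYS.
# openssl -checkend exits 0 when the cert is still valid at that point, so invert it.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# check_node EXPECTED_FINGERPRINT HOST -> 0 if both services serve the expected cert
check_node() {
    _expected=$1; _host=$2
    _rc=0
    for _svc in "443 https" "25 smtp"; do
        set -- $_svc   # $1 = port, $2 = protocol hint
        _got=$(served_fingerprint "$_host" "$1" "$2")
        if [ "$_got" = "$_expected" ]; then
            echo "ok       $_host:$1 serves the expected certificate"
        else
            echo "MISMATCH $_host:$1 serves ${_got:-nothing} (expected $_expected)"
            _rc=1
        fi
    done
    return $_rc
}

main() {
    _cert=$1; shift
    _expected=$(pem_fingerprint "$_cert")
    echo "expected fingerprint: $_expected"
    if expires_within_days "$_cert" 30; then
        echo "WARNING: $_cert expires within 30 days; renew it" >&2
    fi
    _fail=0
    for _h in "$@"; do
        check_node "$_expected" "$_h" || _fail=1
    done
    return $_fail
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

A MISMATCH on a slave after the nightly ''updater4mc.sh'' run means the cluster sync did not pick up the new certificate; a MISMATCH on port 25 only means ''--set_mta_in'' did not take effect even though the web UI was updated. The 30-day threshold matches the point at which ''--keep'' starts renewing.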