Table of Contents

MailCleaner LetsEncrypt Free SSL

FIXME Unfinished automated renewals

https://letsencrypt.org/

Install certbot

:!: MailCleaner may use a very old Debian base OS that has no certbot package. 

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

Single Server

Follow this howto: https://opensource.com/article/20/6/secure-open-source-antispam

MailCleaner Cluster

MailCleaner clusters treat SSL certificates as a cluster resource synchronized to all cluster servers. This means you need a wildcard SSL certificate for a MailCleaner cluster.
LetsEncrypt wildcard SSL certificates require you use a DNS-01 challenge.

https://letsencrypt.org/docs/challenge-types/

DNS-01 Howto

Scripts

You will need to create a couple of scripts.

The set-certificate.pl script is used to apply the LE cert after it is acquired. 

wget https://gist.github.com/victorlclopes/f5aa081f1a9c76466aaf3f3dc5bd60b7/raw/c97a1400bb30e4439622b089f146b8cb8dc886b7/set-certificate.pl -O /usr/local/bin/set-certificate.pl
chmod +x /usr/local/bin/set-certificate.pl

FIXME The deploylecert.sh script is not used here as only manual renewal is shown.

The deploylecert.sh script must be edited and is called from cron during certificate renewals. It just calls the generic set-certificate.pl script with your details. 

cat << EOF > /usr/local/bin/deploylecert.sh
#!/bin/sh
#
/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
 --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
 --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
 --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem
EOF
chmod +x /usr/local/bin/deploylecert.sh

Get the Certificate

We must use the manual plugin and the DNS-01 challenge for a LetsEncrypt wildcard certificate.

Use staging servers for testing without limits: 

certbot-auto certonly --manual --preferred-challenges dns \
 --email you@youremailaddress.tld --no-eff-email --agree-tos --staging \
 --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld

Use primary servers (not staging) to get the actual cert: 

certbot-auto certonly --manual --preferred-challenges dns \
 --email you@youremailaddress.tld --no-eff-email --agree-tos \
 --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld \
 --pre-hook "/usr/mailcleaner/etc/init.d/apache stop" \
 --post-hook "/usr/mailcleaner/etc/init.d/apache start"
You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing. YMMV

List the Certificate

ls /etc/letsencrypt/live/yourtopleveldomain.tld/

Install the Certificate

This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS): 

/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
 --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
 --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
 --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem

Renew the Certificate Manually

We don't use the certbot renew function because it doesn't work with DNS-01 (manual).
We must either renew manually, adding a new _acme-challenge TXT record each time, or use a DNS provider with a supported API (not shown here).
Use exactly the same domain names as when the original cert was created or another cert will be created instead of renewing the existing one.
You will have to add (not replace) a DNS TXT record for each domain and SAN specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing.
–keep will not renew the cert until it has 30 days or less to expire (i.e. after 60 days)
–force-renewal will force the renewal and is subject to rate limitations

Check and renew cert if it has less than 30 days until expiry: 

/usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh

Force cert renewal: 

/usr/local/bin/certbot-auto certonly --manual --force-renewal --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh

Sync SSL Cert to MailCleaner Slaves

Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. Do this at the slave. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. 

/root/Updater4MC/updater4mc.sh

Testing

Test the HTTPS cert from most any Linux machine: 

openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null

Test the inbound SMTP cert: 

openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null

Show dates: 

openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl x509 -noout -dates

Helpful Commands

See also certbot User Guide

List LE certificates: 

certbot-auto certificates

Delete a cert you don't need: 

certbot delete --cert-name certname.yourtopleveldomain.tld