internet:mail:mailcleaner_ssl

Differences

This shows you the differences between two versions of the page.

internet:mail:mailcleaner_ssl [2021/04/07 10:38]
gcooper
internet:mail:mailcleaner_ssl [2022/10/03 10:53]
gcooper
Line 1: Line 1:
-===== MailCleaner LetsEncrypt Free SSL =====+====== MailCleaner LetsEncrypt Free SSL =====
 + 
 +FIXME Unfinished automated renewals
  
 https://letsencrypt.org/ https://letsencrypt.org/
  
-==== Single Server ====+===== Install certbot =====
  
-Follow this howto:+:!: MailCleaner may use a very old Debian base OS that has no ''certbot'' package.
  
-https://opensource.com/article/20/6/secure-open-source-antispam+<file> 
 +wget https://dl.eff.org/certbot-auto 
 +mv certbot-auto /usr/local/bin/certbot-auto 
 +chown root /usr/local/bin/certbot-auto 
 +chmod 0755 /usr/local/bin/certbot-auto 
 +</file>
  
-==== MailCleaner Cluster ====+===== Single Server =====
  
-MailCleaner clusters treat SSL certificates as a **cluster resource** synchronized to all cluster servers.  This means **you need a wildcard SSL certificate** for a MailCleaner cluster.+**Follow this howto**: https://opensource.com/article/20/6/secure-open-source-antispam
  
-You can get wildcard SSL certificates from LetsEncrypt, but not using the common HTTP-01 challenge.  That's why you might want to use a **DNS-01 challenge** instead.+===== MailCleaner Cluster =====
  
-https://letsencrypt.org/docs/challenge-types/+<note important>MailCleaner clusters treat SSL certificates as a **cluster resource** synchronized to all cluster servers This means **you need a wildcard SSL certificate** for a MailCleaner cluster.</note>
  
-=== DNS-01 Howto ===+<note warning>LetsEncrypt wildcard SSL certificates require you use a **DNS-01 challenge**.</note> 
 + 
 +https://letsencrypt.org/docs/challenge-types/
  
-FIXME Needs verification!+==== DNS-01 Howto ====
  
-== Scripts ==+=== Scripts ===
  
 You will need to create a couple of scripts. You will need to create a couple of scripts.
  
-The ''set-certificate.pl'' script is **used to apply the LE cert after it is acquired**.+The ''set-certificate.pl'' script is used to **apply the LE cert after it is acquired**.
  
 <file> <file>
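Review bot: the new Install certbot block fetches ''certbot-auto'' over HTTPS and immediately makes it executable in /usr/local/bin with no integrity check; add a verification step between the ''wget'' and the ''chmod 0755'' (the EFF published a detached PGP signature for certbot-auto alongside the download, so the signature can be checked before the file is trusted as root-owned code). Two smaller nits in the same hunk: the new title line opens with six ''='' and closes with five, which should match, and the rewritten cluster note lost the full stop after "synchronized to all cluster servers", so two sentences now run together.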
Line 31: Line 40:
 chmod +x /usr/local/bin/set-certificate.pl chmod +x /usr/local/bin/set-certificate.pl
 </file> </file>
 +
 +FIXME The ''deploylecert.sh'' script is **not used** here as only **manual renewal** is shown.
  
 The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals.  It just calls the generic ''set-certificate.pl'' script with your details. The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals.  It just calls the generic ''set-certificate.pl'' script with your details.
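Review bot: the added FIXME stating that ''deploylecert.sh'' is not used here contradicts the unchanged paragraph immediately after it, which still tells the reader the script must be edited and is called from ''cron'' during renewals. Either reword that paragraph to the intended end state (for example "would be called from ''cron'' once automated renewal is set up") or move the whole script under the automated-renewals FIXME, so nobody edits a script that nothing on the page invokes.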
Line 46: Line 57:
 </file> </file>
  
-== Get the Certificate ==+=== Get the Certificate ===
  
-:!: We use the ''manual'' plugin and the ''DNS-01'' challenge.+<note important>We must use the ''manual'' plugin and the ''DNS-01'' challenge for a LetsEncrypt wildcard certificate.</note>
  
 Use **staging** servers for testing without limits: Use **staging** servers for testing without limits:
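Review bot: "We must use the ''manual'' plugin" overstates the requirement; what the wildcard needs is the ''DNS-01'' challenge, and this same revision's later warning admits a DNS provider with a supported API as the alternative. Suggest "We use the ''manual'' plugin here because the wildcard requires a ''DNS-01'' challenge and no DNS API plugin is shown", so the two notes do not contradict each other.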
Line 58: Line 69:
 </file> </file>
    
-Use primary servers (not staging) to get the **actual cert**:+Use **primary** servers (not staging) to get the **actual cert**:
    
 <file> <file>
Line 68: Line 79:
 </file> </file>
  
-<note important>You will have to add a DNS TXT record for each domain specified, two in this case.  Wait for enough time for your DNS TXT records to populate on all your DNS servers.  I'd wait a full minute or more before continuing.</note>+<note important>You will have to add a DNS TXT record for each domain specified, two in this case.  Wait for enough time for your DNS TXT records to propagate to all your DNS servers.  I'd wait a full minute or more before continuing. YMMV</note>
  
-== List the Certificate ==+=== List the Certificate ===
  
 <file> <file>
Line 76: Line 87:
 </file> </file>
  
-== Install the Certificate ==+=== Install the Certificate ===
  
 This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS): This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS):
Line 87: Line 98:
 </file> </file>
  
-== Renew the Certificate ==+===== Renew the Certificate Manually =====
  
-We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).+<note warning>We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).</note> 
 + 
 +<note warning>We must either renew manually, adding a new ''_acme-challenge'' TXT record each time, or use a DNS provider with a supported API (not shown here).</note> 
 + 
 +<note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> 
 + 
 +<note important>You will have to **add** (not replace) a DNS TXT record for each domain and SAN specified, two in this case.  Wait for enough time for your DNS TXT records to propagate to all your DNS servers.  I'd wait a full minute or more before continuing.</note>
  
 ^ --keep          |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) | ^ --keep          |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) |
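Review bot: the "exactly the same domain names" warning relies on the operator retyping the domain list correctly; since ''--cert-name'' already appears in the Helpful Commands section, suggest the renewal command pass ''--cert-name'' explicitly so a typo in the ''-d'' list cannot silently create a second certificate lineage. Also, the "add (not replace)" note should say that the previous ''_acme-challenge'' TXT records can be removed once the renewed cert is issued; as written the record set grows by two on every manual renewal.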
Line 95: Line 112:
  
 Check and renew cert if it has less than 30 days until expiry: Check and renew cert if it has less than 30 days until expiry:
- 
-<note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> 
- 
-FIXME 
  
 <file> <file>
Line 110: Line 123:
 </file> </file>
  
-Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves.  Do this at the slave.  This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now.+===== Sync SSL Cert to MailCleaner Slaves ===== 
 + 
 +Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves.  **Do this at the slave**.  This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now.
  
 <file> <file>
Line 116: Line 131:
 </file> </file>
  
-== Cron == +===== Testing =====
- +
-Schedule a nightly renewal check every Sunday at 2:00am:  +
- +
-<file> +
-crontab -e +
-</file> +
- +
-Append this line: +
- +
-<file> +
-0 2 * * 7 /usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh +
-</file> +
- +
-== Testing ==+
  
 Test the HTTPS cert from most any Linux machine: Test the HTTPS cert from most any Linux machine:
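Review bot: deleting the whole Cron section removes the only place the ''--deploy-hook /usr/local/bin/deploylecert.sh'' invocation appeared, yet the Scripts section still describes the script as called from ''cron'' during renewals. If manual renewal is the only supported path for now, the surviving script description should be marked as future work under the "Unfinished automated renewals" FIXME, and the removed crontab line is worth keeping there as the intended end state rather than dropping it entirely.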
Line 144: Line 145:
 </file> </file>
  
-==== Helpful Commands ====+Show dates: 
 + 
 +<file> 
 +openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl x509 -noout -dates 
 +</file> 
 + 
 +===== Helpful Commands =====
  
 See also **[[https://certbot.eff.org/docs/using.html|certbot User Guide]]** See also **[[https://certbot.eff.org/docs/using.html|certbot User Guide]]**
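Review bot: the new "Show dates" command checks the SMTP STARTTLS certificate on port 25, while the text just above it is about testing the HTTPS cert; label it ("Show the SMTP cert dates") and add the matching HTTPS form, ''openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null | openssl x509 -noout -dates'', so both services that the install step covers (HTTPS and SMTP STARTTLS) are verified after a renewal.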
Line 159: Line 166:
 certbot delete --cert-name certname.yourtopleveldomain.tld certbot delete --cert-name certname.yourtopleveldomain.tld
 </file> </file>
- 
- 
internet/mail/mailcleaner_ssl.txt · Last modified: 2022/10/03 10:54 by gcooper