This shows you the differences between two versions of the page.
internet:mail:mailcleaner_ssl [2021/04/07 10:38] gcooper |
internet:mail:mailcleaner_ssl [2022/10/03 10:54] gcooper |
Line 1: | Line 1: | ||
- | ===== MailCleaner LetsEncrypt Free SSL ===== | + | ====== MailCleaner LetsEncrypt Free SSL ====== |
+ | |||
+ | FIXME Unfinished automated renewals | ||
https:// | https:// | ||
- | ==== Single Server | + | ===== Install certbot ===== |
- | Follow this howto: | + | :!: MailCleaner may use a very old Debian base OS that has no '' |
- | https://opensource.com/article/20/6/secure-open-source-antispam | + | < |
+ | wget https://dl.eff.org/certbot-auto | ||
+ | mv certbot-auto | ||
+ | chown root / | ||
+ | chmod 0755 / | ||
+ | </ | ||
- | ==== MailCleaner Cluster | + | ===== Single Server ===== |
- | MailCleaner clusters treat SSL certificates as a **cluster resource** synchronized to all cluster servers. | + | **Follow this howto**: https:// |
- | You can get wildcard SSL certificates from LetsEncrypt, | + | ===== MailCleaner Cluster ===== |
- | https:// | + | <note important> |
- | === DNS-01 | + | <note warning> |
+ | |||
+ | https:// | ||
- | FIXME Needs verification! | + | ==== DNS-01 Howto ==== |
- | == Scripts == | + | === Scripts |
You will need to create a couple of scripts. | You will need to create a couple of scripts. | ||
- | The '' | + | The '' |
< | < | ||
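Review bot: the new "Install certbot" block fetches certbot-auto with wget and goes straight to `chown root /…` and `chmod 0755 /…` without any integrity check on the downloaded file, so whatever arrives over that connection becomes a root-owned executable; add a verification step between the `mv certbot-auto …` and the `chown`/`chmod` lines (check the file against the signature or checksum published alongside it) and, since the `:!:` line already says the Debian base may be very old, make clear that the self-updating certbot-auto script is a fallback only for hosts that cannot install a packaged certbot.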
Line 31: | Line 40: | ||
chmod +x / | chmod +x / | ||
</ | </ | ||
+ | |||
+ | FIXME The '' | ||
The '' | The '' | ||
Line 46: | Line 57: | ||
</ | </ | ||
- | == Get the Certificate == | + | === Get the Certificate |
- | :!: We use the '' | + | <note important> |
Use **staging** servers for testing without limits: | Use **staging** servers for testing without limits: | ||
Line 58: | Line 69: | ||
</ | </ | ||
- | Use primary servers (not staging) to get the **actual cert**: | + | Use **primary** servers (not staging) to get the **actual cert**: |
< | < | ||
Line 68: | Line 79: | ||
</ | </ | ||
- | <note important> | + | <note important> |
- | == List the Certificate == | + | === List the Certificate |
< | < | ||
Line 76: | Line 87: | ||
</ | </ | ||
- | == Install the Certificate == | + | === Install the Certificate |
This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS): | This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS): | ||
Line 87: | Line 98: | ||
</ | </ | ||
- | == Renew the Certificate == | + | ==== Renew the Certificate |
- | We don't use the '' | + | <note warning>We don't use the '' |
+ | |||
+ | <note warning> | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | <note important> | ||
^ --keep | ^ --keep | ||
Line 95: | Line 112: | ||
Check and renew cert if it has less than 30 days until expiry: | Check and renew cert if it has less than 30 days until expiry: | ||
- | |||
- | <note warning> | ||
- | |||
- | FIXME | ||
< | < | ||
Line 110: | Line 123: | ||
</ | </ | ||
- | Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. | + | ===== Sync SSL Cert to MailCleaner Slaves ===== |
+ | |||
+ | Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. | ||
< | < | ||
Line 116: | Line 131: | ||
</ | </ | ||
- | == Cron == | + | ===== Testing ===== |
- | + | ||
- | Schedule a nightly renewal check every Sunday at 2:00am: | + | |
- | + | ||
- | < | + | |
- | crontab -e | + | |
- | </ | + | |
- | + | ||
- | Append this line: | + | |
- | + | ||
- | < | + | |
- | 0 2 * * 7 / | + | |
- | </ | + | |
- | + | ||
- | == Testing | + | |
Test the HTTPS cert from most any Linux machine: | Test the HTTPS cert from most any Linux machine: | ||
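Review bot: this hunk deletes the entire "Cron" section, including the `crontab -e` step and the `0 2 * * 7 /…` entry, so nothing on the page now schedules the "check and renew cert if it has less than 30 days until expiry" command kept in the Renew section; with the top of the page only carrying "FIXME Unfinished automated renewals", state in the Renew section that renewal is currently a manual step (or restore the cron entry) so a reader does not assume the cert renews unattended. The removed description also called the job "nightly" and "every Sunday at 2:00am" in the same sentence, which contradict each other; if the entry comes back, describe it as a weekly check to match `0 2 * * 7`.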
Line 144: | Line 145: | ||
</ | </ | ||
- | ==== Helpful Commands ==== | + | Show dates: |
+ | |||
+ | < | ||
+ | openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld: | ||
+ | </ | ||
+ | |||
+ | ===== Helpful Commands | ||
See also **[[https:// | See also **[[https:// | ||
Line 159: | Line 166: | ||
certbot delete --cert-name certname.yourtopleveldomain.tld | certbot delete --cert-name certname.yourtopleveldomain.tld | ||
</ | </ | ||
- | |||
- |