Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
internet:mail:mailcleaner_ssl [2021/06/17 09:54] gcooper |
internet:mail:mailcleaner_ssl [2022/10/03 10:54] (current) gcooper |
====== MailCleaner LetsEncrypt Free SSL ====== | ====== MailCleaner LetsEncrypt Free SSL ====== |
| |
| FIXME Unfinished automated renewals |
| |
https://letsencrypt.org/ | https://letsencrypt.org/ |
===== Single Server ===== | ===== Single Server ===== |
| |
Follow this howto: | **Follow this howto**: https://opensource.com/article/20/6/secure-open-source-antispam |
| |
https://opensource.com/article/20/6/secure-open-source-antispam | |
| |
===== MailCleaner Cluster ===== | ===== MailCleaner Cluster ===== |
| |
MailCleaner clusters treat SSL certificates as a **cluster resource** synchronized to all cluster servers. This means **you need a wildcard SSL certificate** for a MailCleaner cluster. | <note important>MailCleaner clusters treat SSL certificates as a **cluster resource** synchronized to all cluster servers. This means **you need a wildcard SSL certificate** for a MailCleaner cluster.</note> |
| |
You can get wildcard SSL certificates from LetsEncrypt, but not using the common HTTP-01 challenge. That's why you might want to use a **DNS-01 challenge** instead. | <note warning>LetsEncrypt wildcard SSL certificates require you use a **DNS-01 challenge**.</note> |
| |
https://letsencrypt.org/docs/challenge-types/ | https://letsencrypt.org/docs/challenge-types/ |
| |
==== DNS-01 Howto ==== | ==== DNS-01 Howto ==== |
| |
FIXME Needs verification! | |
| |
=== Scripts === | === Scripts === |
chmod +x /usr/local/bin/set-certificate.pl | chmod +x /usr/local/bin/set-certificate.pl |
</file> | </file> |
| |
| FIXME The ''deploylecert.sh'' script is **not used** here as only **manual renewal** is shown. |
| |
The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals. It just calls the generic ''set-certificate.pl'' script with your details. | The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals. It just calls the generic ''set-certificate.pl'' script with your details. |
=== Get the Certificate === | === Get the Certificate === |
| |
:!: We use the ''manual'' plugin and the ''DNS-01'' challenge. | <note important>We must use the ''manual'' plugin and the ''DNS-01'' challenge for a LetsEncrypt wildcard certificate.</note> |
| |
Use **staging** servers for testing without limits: | Use **staging** servers for testing without limits: |
</file> | </file> |
| |
Use primary servers (not staging) to get the **actual cert**: | Use **primary** servers (not staging) to get the **actual cert**: |
| |
<file> | <file> |
</file> | </file> |
| |
<note important>You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to populate on all your DNS servers. I'd wait a full minute or more before continuing.</note> | <note important>You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing. YMMV</note> |
| |
=== List the Certificate === | === List the Certificate === |
</file> | </file> |
| |
=== Renew the Certificate === | ==== Renew the Certificate Manually ==== |
| |
We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual). | <note warning>We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).</note> |
| |
| <note warning>We must either renew manually, adding a new ''_acme-challenge'' TXT record each time, or use a DNS provider with a supported API (not shown here).</note> |
| |
| <note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> |
| |
| <note important>You will have to **add** (not replace) a DNS TXT record for each domain and SAN specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing.</note> |
| |
^ --keep |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) | | ^ --keep |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) | |
| |
Check and renew cert if it has less than 30 days until expiry: | Check and renew cert if it has less than 30 days until expiry: |
| |
<note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> | |
| |
FIXME | |
| |
<file> | <file> |
</file> | </file> |
| |
Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. Do this at the slave. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. | ===== Sync SSL Cert to MailCleaner Slaves ===== |
| |
| Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. **Do this at the slave**. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. |
| |
<file> | <file> |
</file> | </file> |
| |
=== Cron === | ===== Testing ===== |
| |
Schedule a nightly renewal check every Sunday at 2:00am: | Test the HTTPS cert from most any Linux machine: |
| |
<file> | <file> |
crontab -e | openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null |
</file> | </file> |
| |
Append this line: | Test the inbound SMTP cert: |
| |
<file> | <file> |
0 2 * * 7 /usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh | openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null |
</file> | </file> |
| |
=== Testing === | Show dates: |
| |
Test the HTTPS cert from most any Linux machine: | |
| |
<file> | <file> |
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null | openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl x509 -noout -dates |
</file> | |
| |
Test the inbound SMTP cert: | |
| |
<file> | |
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | |
</file> | </file> |
| |