Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
internet:mail:mailcleaner_ssl [2021/06/17 14:39] gcooper |
internet:mail:mailcleaner_ssl [2022/10/03 10:54] (current) gcooper |
====== MailCleaner LetsEncrypt Free SSL ====== | ====== MailCleaner LetsEncrypt Free SSL ====== |
| |
| FIXME Unfinished automated renewals |
| |
https://letsencrypt.org/ | https://letsencrypt.org/ |
===== Single Server ===== | ===== Single Server ===== |
| |
Follow this howto: | **Follow this howto**: https://opensource.com/article/20/6/secure-open-source-antispam |
| |
https://opensource.com/article/20/6/secure-open-source-antispam | |
| |
===== MailCleaner Cluster ===== | ===== MailCleaner Cluster ===== |
chmod +x /usr/local/bin/set-certificate.pl | chmod +x /usr/local/bin/set-certificate.pl |
</file> | </file> |
| |
| FIXME The ''deploylecert.sh'' script is **not used** here as only **manual renewal** is shown. |
| |
The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals. It just calls the generic ''set-certificate.pl'' script with your details. | The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals. It just calls the generic ''set-certificate.pl'' script with your details. |
</file> | </file> |
| |
<note important>You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing.</note> | <note important>You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing. YMMV</note> |
| |
=== List the Certificate === | === List the Certificate === |
</file> | </file> |
| |
==== Renew the Certificate ==== | ==== Renew the Certificate Manually ==== |
| |
<note warning>We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).</note> | <note warning>We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).</note> |
| |
<note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> | <note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note> |
| |
| <note important>You will have to **add** (not replace) a DNS TXT record for each domain and SAN specified, two in this case. Wait for enough time for your DNS TXT records to propagate to all your DNS servers. I'd wait a full minute or more before continuing.</note> |
| |
^ --keep |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) | | ^ --keep |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) | |
| |
Check and renew cert if it has less than 30 days until expiry: | Check and renew cert if it has less than 30 days until expiry: |
| |
FIXME | |
| |
<file> | <file> |
</file> | </file> |
| |
Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. Do this at the slave. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. | ===== Sync SSL Cert to MailCleaner Slaves ===== |
| |
| Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. **Do this at the slave**. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. |
| |
<file> | <file> |
/root/Updater4MC/updater4mc.sh | /root/Updater4MC/updater4mc.sh |
</file> | |
| |
=== Cron === | |
| |
Schedule a nightly renewal check every Sunday at 2:00am: | |
| |
<file> | |
crontab -e | |
</file> | |
| |
Append this line: | |
| |
<file> | |
0 2 * * 7 /usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh | |
</file> | </file> |
| |
<file> | <file> |
openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null |
| </file> |
| |
| Show dates: |
| |
| <file> |
| openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl x509 -noout -dates |
</file> | </file> |
| |