Deploying Let's Encrypt SSL Certificate on Linux DEB Installations

Overview

This article describes how to deploy a Let's Encrypt SSL certificate in Kerio Connect on a Linux DEB installation, using Nginx in front of the Kerio web services and Certbot to obtain and renew the certificate.

Prerequisites


Process

  1. Modify the HTTP and HTTPS services in Kerio Connect to start manually on ports 8800 and 8843. The standard ports 80 and 443 will be used for Let's Encrypt: Certbot needs them to verify the domain and obtain the certificate.

  2. Create a webroot directory using the following commands:
    mkdir -p /var/www/mail
    chown www-data:www-data /var/www/mail


  3. Install Nginx and SSL-cert packages with the following command:
    sudo apt-get install nginx ssl-cert

  4. Create a file called /etc/nginx/sites-available/kerio-connect.conf with the content below. The following command uses the Nano text editor; any other editor will do.

    nano /etc/nginx/sites-available/kerio-connect.conf

    # Port 80: redirect every plain-HTTP request to HTTPS
    server {
        listen 80;
        server_name <mail.example.com>;
        server_name_in_redirect off;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    # Port 443: serve ACME challenges from the webroot, proxy everything else to Kerio Connect
    server {
        listen 443 ssl;
        server_name <mail.example.com>;

        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

        location /.well-known {
            alias /var/www/mail/.well-known;
        }

        location / {
            proxy_pass https://localhost:8843;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Remote-Port $remote_port;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
        }
    }

    Note: Replace <mail.example.com> with your real Kerio Connect hostname.
  5. Link the file to make it an active site:
    ln -s /etc/nginx/sites-available/kerio-connect.conf /etc/nginx/sites-enabled/kerio-connect.conf

  6. Check that the configuration is valid. If there are no errors, restart the Nginx service.
    nginx -t
    systemctl restart nginx.service

  7. Get Certbot: download the certbot-auto script and make it executable with the following commands:
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

  8. Run it once without any parameters so that it checks and installs its dependencies:
    ./certbot-auto

  9. When prompted, confirm your email address, hostname, and so on.
    If everything is correct, you should see a Congratulations! message at the end.

  10. Create a certificate. Replace <mail.example.com> with your hostname.
    ./certbot-auto certonly --webroot -w /var/www/mail -d <mail.example.com>


  11. Link the Let's Encrypt certificate and private key into the Kerio Connect sslcert folder:

    ln -s /etc/letsencrypt/live/<mail.example.com>/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt

    ln -s /etc/letsencrypt/live/<mail.example.com>/privkey.pem /opt/kerio/mailserver/sslcert/mail.key

  12. Log in to Kerio Connect Webadmin and navigate to Configuration > SSL Certificates to check the Let's Encrypt SSL certificate. Right-click the required certificate and set it as Default.

  13. (Optional) If you cannot see the Let's Encrypt certificate, try restarting the Kerio Connect service:
    service kerio-connect restart


  14. To renew the Let's Encrypt SSL certificate manually, run the following command:
    ./certbot-auto renew


  15. Let's Encrypt certificates expire after 90 days, so it is better to automate renewal with a simple shell script and a cron task.
    1. Copy certbot to /usr/local/bin folder:
      cp certbot-auto /usr/local/bin/

    2. Create a script file /root/certbot-post-hook.sh with the following content:
      nano /root/certbot-post-hook.sh

      #!/bin/sh
      systemctl restart nginx.service
      systemctl restart kerio-connect.service

    3. Make it executable and secure it:
      chmod 500 /root/certbot-post-hook.sh
      chown root:root /root/certbot-post-hook.sh

    4. Create a cron file /etc/cron.d/certbot with the following content:

      SHELL=/bin/sh 
      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

      0 3 * * * root perl -e 'sleep int(rand(3600))' && certbot-auto -q renew --post-hook "/root/certbot-post-hook.sh"

    5. This entry runs once a day at 3:00 AM as root, sleeps for a random interval of up to an hour so that renewal requests are spread out, and then runs Certbot. The --post-hook script is executed only when a certificate was renewed, so Nginx and Kerio Connect are restarted only when needed.
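Once the steps above are done, it is worth verifying the result with a small check script. The following is an added example, not part of the original article and not Kerio's or Certbot's own tooling. It assumes the paths used in the steps above (/etc/letsencrypt/live/<hostname>, /opt/kerio/mailserver/sslcert, /etc/nginx/sites-available/kerio-connect.conf), that openssl is installed, and that the hostname is passed as the first argument. It checks that the two symlinks from step 11 point at the Let's Encrypt files, that the private key is not world-readable, that the certificate and key belong together, that the certificate has more than 30 days left, and that the Nginx server block on port 443 no longer references the ssl-cert-snakeoil placeholder from step 4: Certbot only writes files under /etc/letsencrypt, so until the two ssl_certificate directives are changed to fullchain.pem and privkey.pem and Nginx is reloaded, browsers connecting on port 443 are still served the self-signed certificate. The safe_post_hook function shows what /root/certbot-post-hook.sh from step 15 can do instead of restarting unconditionally.

```shell
#!/bin/sh
# Added example (not from the original article): post-deployment checks for the
# Let's Encrypt + Nginx + Kerio Connect setup described above.
# Assumed paths are the ones used in the steps above; the hostname is given as $1.

LE_LIVE=/etc/letsencrypt/live
KERIO_SSL=/opt/kerio/mailserver/sslcert
NGINX_CONF=/etc/nginx/sites-available/kerio-connect.conf

# check_symlink LINK TARGET: succeed only if LINK is a symlink pointing exactly at TARGET.
check_symlink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# check_not_world_readable FILE: fail if "others" have read permission on FILE
# (pass the real key file, not a symlink to it).
check_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: succeed if the public key inside CERT equals the
# public key derived from KEY, i.e. the two files really belong together.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# nginx_uses_letsencrypt CONF HOSTNAME: succeed if CONF contains ssl_certificate
# directives, all of them point into the Let's Encrypt live directory for
# HOSTNAME, and the snakeoil placeholder from the bootstrap config is gone.
nginx_uses_letsencrypt() {
    conf=$1; host=$2
    grep -q 'ssl-cert-snakeoil' "$conf" && return 1
    grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf" \
        | grep -qvF "$LE_LIVE/$host/" && return 1
    grep -qE '^[[:space:]]*ssl_certificate[[:space:]]' "$conf"
}

# report NAME CMD...: run CMD, print ok/FAIL with NAME, and count failures.
report() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; failures=$((failures + 1)); fi
}

# run_checks HOSTNAME: run every check against the real paths; the exit status
# is non-zero if any check failed.
run_checks() {
    host=$1; failures=0
    report "mail.crt -> fullchain.pem" check_symlink "$KERIO_SSL/mail.crt" "$LE_LIVE/$host/fullchain.pem"
    report "mail.key -> privkey.pem" check_symlink "$KERIO_SSL/mail.key" "$LE_LIVE/$host/privkey.pem"
    report "privkey.pem not world-readable" check_not_world_readable "$LE_LIVE/$host/privkey.pem"
    report "certificate matches key" cert_matches_key "$LE_LIVE/$host/fullchain.pem" "$LE_LIVE/$host/privkey.pem"
    report "certificate valid for more than 30 days" cert_valid_for_days "$LE_LIVE/$host/fullchain.pem" 30
    report "nginx port 443 uses Let's Encrypt files" nginx_uses_letsencrypt "$NGINX_CONF" "$host"
    [ "$failures" -eq 0 ]
}

# safe_post_hook: a stricter variant of /root/certbot-post-hook.sh. It refuses to
# restart the services when the linked certificate and key do not belong together,
# so a bad renewal cannot take the mail server down with a broken pair.
safe_post_hook() {
    if ! cert_matches_key "$KERIO_SSL/mail.crt" "$KERIO_SSL/mail.key"; then
        echo "certificate/key mismatch in $KERIO_SSL, not restarting services" >&2
        return 1
    fi
    systemctl restart nginx.service
    systemctl restart kerio-connect.service
}

# Run the checks only when a hostname is supplied, e.g.: sh check-kerio-le.sh mail.example.com
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as root after step 12 and again after the first automatic renewal; each check prints one ok/FAIL line and the script exits non-zero when anything failed. Passing the real privkey.pem rather than the mail.key symlink to the permission check is deliberate, since the permissions that matter are those of the file Let's Encrypt wrote.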

Confirmation


An SSL certificate signed by the Let's Encrypt certificate authority (CA) should now be deployed in your Kerio Connect.


Related Information


Certbot instructions

Priyanka Bhotika