Koozali.org: home of the SME Server

updating 9.1 / new certificate issue

georgios
« on: December 12, 2015, 08:13:39 PM »
Hello,

After upgrading to 9.1, my server issues a new certificate, from today to 1 year!!

The thing is, all my office colleagues will ask me on Monday: 'What is the message in Thunderbird?'

Is it normal that the SME Server from 9 -> 9.1 issues a new certificate?

Thank you

DanB35
« Reply #1 on: December 12, 2015, 08:27:31 PM »
It is probably normal.  You can get yourself a trusted certificate for free, which will avoid browser and email client warnings.  See http://wiki.contribs.org/Letsencrypt.

georgios
« Reply #2 on: December 12, 2015, 08:30:30 PM »
Many thanks!!!

It's a new Wiki Contribs! I did not see it before! It really looks nice, I will try.

Thanks,

Georgios

DanB35
« Reply #3 on: December 12, 2015, 08:32:52 PM »
It's a new page in the last few days.  As the warning on the top states, it is still a work in progress, and the letsencrypt client is still in a beta state.  However, it's worked fine for me, and it's easy enough to automate renewals so your certificate won't ever expire.

georgios
« Reply #4 on: December 12, 2015, 08:35:33 PM »
OK Dan, last question: is it a 'verified' cert? I mean, better than the 'typical' one from SME.

DanB35
« Reply #5 on: December 12, 2015, 08:37:11 PM »
Yes, it's a verified, trusted certificate.  Browse to https://www.familybrown.org to see what one looks like (the site itself is empty, but you can see the certificate in your browser).

DanB35
« Reply #6 on: December 12, 2015, 08:42:50 PM »
BTW, the letsencrypt service is being discussed in this thread: http://forums.contribs.org/index.php/topic,51961.0.html

DanB35
« Reply #7 on: December 12, 2015, 09:20:29 PM »
...and if you're at all hesitant about installing other software on your server, you can use https://gethttpsforfree.com/ to get you a letsencrypt certificate for free, through your web browser.  It'll take some messing around with openssl at the command line, but the site walks you through what you need to do.  You'd then use the instructions at http://wiki.contribs.org/Custom_CA_Certificate#configuring_your_sme_with_your_new_certificate to configure your server to use the new cert.

Since the letsencrypt certs are only good for 90 days, though, it's awfully convenient to be able to renew them every couple of months using a cron job.

georgios
« Reply #8 on: December 13, 2015, 02:33:06 AM »
Thanks Dan, I think I will go with CACERT instead; the 90 days troubles me.

When I run the script from http://wiki.contribs.org/Custom_CA_Certificate#configuring_your_sme_with_your_new_certificate, I always get the result named 'domain.com.csr' / .key, and not named after my server, which is 'mailsrv.domain.com'.

In my folder /home/e-smith/ssl.crt/ the files are under the name 'mailsrv.domain.com.crt'.

Is something bad?

DanB35
« Reply #9 on: December 13, 2015, 01:33:04 PM »
The idea with Letsencrypt is that you'd schedule the renewal as a cron job, so the fairly short lifetime wouldn't matter--your server would automatically renew it every two months with no further intervention from you.  The wiki page has instructions for setting this up.

I'm afraid I'm not familiar enough with the cacert process to be much help.  From what I can see on that wiki page, it sounds like your certificate should cover domain.com and *.domain.com, but I could be misreading that.  If I'm reading that correctly, the name mismatch wouldn't be an issue.
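
The name-coverage and lifetime questions raised in the last two posts can be checked with openssl directly. The following is an added example, not part of the thread or the wiki: it builds a throwaway self-signed certificate (constructed sample data) carrying the names domain.com and *.domain.com, then tests which hostnames it covers and whether it is inside a 30-day renewal window. The function names are hypothetical, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Build a throwaway self-signed certificate carrying the two names discussed
# in the thread, valid for 90 days. Constructed sample data for testing only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=domain.com" \
        -addext "subjectAltName=DNS:domain.com,DNS:*.domain.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Succeed if HOST ($2) matches a name in the certificate file ($1).
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Succeed if the certificate ($1) is still valid DAYS ($2) from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

demo() {
    crt=$(mktemp) || return 1
    make_sample_cert "$crt" || { rm -f "$crt" "$crt.key"; return 1; }
    # A wildcard covers exactly one label, so the third name is not covered.
    for host in mailsrv.domain.com domain.com a.mailsrv.domain.com; do
        if cert_covers "$crt" "$host"; then
            echo "$host: covered"
        else
            echo "$host: NOT covered (clients will warn)"
        fi
    done
    # A renewal job would act when fewer than 30 days remain.
    if cert_valid_for_days "$crt" 30; then
        echo "more than 30 days left, no renewal needed"
    else
        echo "fewer than 30 days left, renew now"
    fi
    rm -f "$crt" "$crt.key"
}

demo
```

On a real server the same two checks can be pointed at the installed file, for example `cert_covers /home/e-smith/ssl.crt/mailsrv.domain.com.crt mailsrv.domain.com`.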