Koozali.org: home of the SME Server

Lets encrypt

gwag
Lets encrypt
« on: June 13, 2017, 06:54:32 PM »
Question
- example from wiki:
domain2.com
www.domain2.com
mail.domain2.com

In my case

domain2.com             -> points to ip address of hosting service
www.domain2.com     -> points to ip address of hosting service
mail.domain2.com       -> points to ip address SME server

would I just do a "db hosts setprop mail.domain2.com letsencryptSSLcert enabled"?
It seems like if I did it for the domain it would just fail.

Thanks in advance.

mercyh (http://mercyh.org)
Re: Lets encrypt
« Reply #1 on: June 13, 2017, 07:00:15 PM »
give it a whirl and report back. It sounds correct to me. Not sure if the cert will create with no domain name at all or not. I have not tested it.

I do know that any domain or host name you are requesting a certificate for MUST resolve to the SME server...

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Lets encrypt
« Reply #2 on: June 13, 2017, 07:30:39 PM »
Quote from: gwag on June 13, 2017, 06:54:32 PM
Question
- example from wiki:
domain2.com
www.domain2.com
mail.domain2.com

In my case

domain2.com             -> points to ip address of hosting service
www.domain2.com     -> points to ip address of hosting service
mail.domain2.com       -> points to ip address SME server

would I just do a "db hosts setprop mail.domain2.com letsencryptSSLcert enabled"?
It seems like if I did it for the domain it would just fail.

Thanks in advance.

For an easy and quick answer: yes,
Code:
db hosts setprop mail.domain2.com letsencryptSSLcert enabled
will do the trick and allow you to have a valid SSL certificate for your SME server.


if you want to connect to the manager you will simply do
https://mail.domain2.com/server-manager

and everything will run smoothly. The same goes for connecting to mail with pops, imaps or smtps using mail.domain2.com, or even webmail using https://mail.domain2.com/webmail

If you also want an SSL certificate for www.domain2.com and domain2.com, you will need to install the dehydrated script on your hosting service or to use DNS validation and some custom templates.
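
The condition behind both replies above (reply #1 and reply #2) is the same: a name can only get a Let's Encrypt certificate from the SME server if it resolves to that server, because the HTTP-01 challenge is fetched from whatever address DNS returns. The script below is an added example, not code from SME Server, dehydrated or either poster. It resolves each candidate host, prints the `db hosts setprop ... letsencryptSSLcert enabled` command only for names that point at the server, and prints a comment explaining the skip otherwise. The server address 203.0.113.10, the hosting-provider address 198.51.100.20 and the `fake_dns` answers are constructed to mirror the setup in the question; `dns_a_record` is the resolver to use against real DNS.

```shell
#!/bin/sh
# Added example for this thread; not code from SME Server, dehydrated or the posters.
# Before flagging hosts with letsencryptSSLcert, check that each name resolves to this
# server: the ACME HTTP-01 challenge is fetched from whatever IP the name points at.
# Nothing is changed here; eligible hosts get a "db hosts setprop ..." line printed.

# Resolver for real DNS (needs dig; not used by the offline example below).
# Keeps only IPv4 answers, so a CNAME chain still yields the final A record.
dns_a_record() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | head -n 1
}

# Constructed answers mirroring the original post: apex and www at the hosting
# provider, mail on the SME server. Addresses are documentation ranges (assumed).
fake_dns() {
  case "$1" in
    domain2.com|www.domain2.com) echo "198.51.100.20" ;;
    mail.domain2.com)            echo "203.0.113.10" ;;
    *)                           echo "" ;;
  esac
}

# plan_hosts SERVER_IP RESOLVER HOST... -> one line per host: the db command when the
# name resolves to SERVER_IP, otherwise a comment saying why validation would fail.
plan_hosts() {
  server_ip=$1; resolver=$2; shift 2
  for host in "$@"; do
    got=$("$resolver" "$host")
    if [ -z "$got" ]; then
      echo "# $host: no A record, skipping"
    elif [ "$got" = "$server_ip" ]; then
      echo "db hosts setprop $host letsencryptSSLcert enabled"
    else
      echo "# $host resolves to $got, not $server_ip: HTTP-01 would fail, skipping"
    fi
  done
}

# count_enabled PLAN -> number of db commands in a plan produced by plan_hosts
count_enabled() {
  printf '%s\n' "$1" | grep -c '^db hosts setprop ' || true
}

# Offline run against the constructed answers (assumed server address 203.0.113.10):
#   plan_hosts 203.0.113.10 fake_dns domain2.com www.domain2.com mail.domain2.com
# Live check: replace fake_dns with dns_a_record and use the server's real WAN address.
```

The script changes nothing itself; it only prints the commands to run. For a live check, pass `dns_a_record` instead of `fake_dns` together with the server's real public address, and treat any "resolves to ..., not ..." line as a name that will not validate from this server.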

gwag
Re: Lets encrypt
« Reply #3 on: June 13, 2017, 08:13:22 PM »
It did not work for me; it shows the same old certificate and there were no errors.

modSSL=service
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    status=enabled

Perhaps the CipherSuite line is causing issues?

mercyh (http://mercyh.org)
Re: Lets encrypt
« Reply #4 on: June 13, 2017, 08:32:12 PM »
This is what I would do if it were mine:

Code:
config delprop modSSL CipherSuite
Not sure what all that might break though.

https://wiki.contribs.org/Letsencrypt#Certificate_Errors


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Lets encrypt
« Reply #5 on: June 13, 2017, 08:48:26 PM »
Quote from: gwag on June 13, 2017, 08:13:22 PM
It did not work for me; it shows the same old certificate and there were no errors.

modSSL=service
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    status=enabled

Perhaps the CipherSuite line is causing issues?

"It did not work" is not enough to help you there.

What did you do?
What did you expect?
What did you see?


A successful run should look like this:

Code:
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Processing test9v1.canada.pialasse.com
 + Signing domains...
 + Creating new directory /etc/dehydrated/certs/test9v1.canada.pialasse.com ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for test9v1.canada.pialasse.com...
NDTzpJKFcD8OGK54CZCoRuXEAW4CEfc_V9fUFthvuJM    100%   87     0.1KB/s   00:00
 + Responding to challenge for test9v1.canada.pialasse.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!
#


If you got
Code:
# dehydrated -c
#

or any variation without the closing "All complete" and " + Done!" lines, then you need to rerun it.
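
As a companion to the success criterion in the reply above: a small wrapper, added here as an example (not dehydrated's or SME Server's own code), that treats a `dehydrated -c` run as complete only when its output ends with the `All complete` line followed by `+ Done!`, and reruns an incomplete run a bounded number of times. The sample outputs (`GOOD_RUN`, `PARTIAL_RUN`, the empty run) and `fake_dehydrated` are constructed for the offline example, with the hostname changed to mail.domain2.com; in real use you would call `renew_with_retry "dehydrated -c" 3`.

```shell
#!/bin/sh
# Added example for this thread; not code from dehydrated or SME Server.
# A run of `dehydrated -c` is only complete when its output ends with the
# "All complete" line followed by " + Done!". Anything short of that (an empty
# run, or one that stopped after the certificate was issued but before the
# SME hooks ran) should be retried.

# dehydrated_succeeded OUTPUT -> 0 if OUTPUT shows a complete run, 1 otherwise
dehydrated_succeeded() {
  printf '%s\n' "$1" | grep -q '^All complete$' || return 1
  last=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | tail -n 1 | sed 's/^[[:space:]]*//')
  [ "$last" = "+ Done!" ]
}

# renew_with_retry CMD MAX -> runs CMD until its output passes the check, at most
# MAX times; prints the number of attempts used and returns 0 on success.
renew_with_retry() {
  cmd=$1; max=${2:-3}; attempt=1
  while [ "$attempt" -le "$max" ]; do
    out=$($cmd 2>&1) || true        # judge by output, not by exit status
    if dehydrated_succeeded "$out"; then
      echo "$attempt"; return 0
    fi
    attempt=$((attempt + 1))
  done
  echo "$max"; return 1
}

# Constructed outputs; shape follows the successful run posted above.
GOOD_RUN='# INFO: Using main config file /etc/dehydrated/config
Processing mail.domain2.com
 + Signing domains...
 + Requesting challenge for mail.domain2.com...
 + Responding to challenge for mail.domain2.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!'

# Certificate issued, but the SME part (db keys, events) never ran: not a success.
PARTIAL_RUN='Processing mail.domain2.com
 + Signing domains...
 + Challenge is valid!
 + Requesting certificate...
 + Done!
 + Creating fullchain.pem...'

EMPTY_RUN=''

# Fake dehydrated for the offline example: empty output on the first call, a
# complete run on the second. COUNTER must name a writable file.
fake_dehydrated() {
  n=$(cat "$COUNTER" 2>/dev/null); n=${n:-0}; n=$((n + 1)); echo "$n" > "$COUNTER"
  if [ "$n" -lt 2 ]; then printf '%s' "$EMPTY_RUN"; else printf '%s' "$GOOD_RUN"; fi
}
```

The check deliberately ignores the first `+ Done!` (printed after the certificate itself is issued) and keys on the `All complete` line, since that is the point where the SME-specific work has run; a run that stopped between the two would leave the old certificate in place, which matches the symptom reported earlier in this thread.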

gwag
Re: Lets encrypt
« Reply #6 on: June 13, 2017, 10:47:13 PM »

Thank you Jean-Philippe. That was helpful. I redid the manual steps and it seems to have worked. I had some permission issues, but was able to work them out.