Modoboa is a nice all-in-one email package. Sadly it offers no configuration options for certificates, and the default configuration just uses self-signed certificates. This tutorial explains how to create Let's Encrypt certificates for your mail server and make Modoboa use them.
For this tutorial I will use mail.justrocketscience.com as the sample hostname (replace it with your own). Furthermore I used Scaleway as hosting provider and I can recommend it. The small instance was fast enough (1.3 GHz, 4 ARMv7 cores) and has enough space for a lot of mail (50 GB storage).
Before you start you can inspect your current (probably self-signed) certificate. The -starttls option makes openssl upgrade the plain SMTP session to TLS, exactly as a mail client does; the "Verify return code" line at the end of the output tells you whether the certificate chains to a trusted root (a self-signed one reports code 18):
openssl s_client -connect mail.justrocketscience.com:25 -starttls smtp
Modoboa's generated configuration points at Debian's default "snakeoil" certificate files:
/etc/ssl/private/ssl-cert-snakeoil.key
/etc/ssl/certs/ssl-cert-snakeoil.pem
They will be overwritten by the following commands, so make backups first:
cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key.old
cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem.old
Debian already provides a letsencrypt package and I tried to install it, but the system had a problem resolving the dependencies. You can install it manually or use another client. I decided to use another Let's Encrypt client, called acme-tiny.
To install it run the following commands:
cd /opt
git clone https://github.com/diafygi/acme-tiny.git
cd /opt/acme-tiny
Create Certificate Signing Request
First generate two new private keys. The first is the domain key, which the server uses for TLS; the second is the account key, which acme-tiny uses to authenticate with the Let's Encrypt service (and which would let anyone holding it request certificates for your validated hostnames):
openssl genrsa 4096 > /etc/ssl/private/ssl-cert-snakeoil.key
openssl genrsa 4096 > /etc/ssl/private/letsencrypt.key
Both files are private keys: check that they end up readable by root only. On Debian /etc/ssl/private is not world-accessible, but the redirect creates the files with your current umask.
I will create a certificate signing request for just a single hostname (additional names would go into a subjectAltName extension, which needs an OpenSSL config file):
openssl req -new -sha256 -key /etc/ssl/private/ssl-cert-snakeoil.key -subj "/CN=mail.justrocketscience.com" > /etc/ssl/mail.justrocketscience.csr
The ACME protocol used by Let's Encrypt proves that you control the hostname with a callback to your server: the Let's Encrypt validation servers fetch a file that the client has placed under http://mail.justrocketscience.com/.well-known/acme-challenge/ (the HTTP-01 challenge). So you have to give your webserver an entry point for this callback. First create a folder to hold the challenge files:
mkdir -p /var/www/challenges/
Then edit your configuration (in my case
/etc/nginx/sites-available/mail.justrocketscience.com.conf) and add a location for /.well-known/acme-challenge/ that serves the files from this folder to your port-80 server block. Keep that location out of the rewrite rules of this block: the validation request arrives over plain HTTP and the simplest way to make sure it is answered with the challenge file is to serve the path directly.
My file looks like this
The new domain key no longer matches the existing self-signed certificate, so nginx will refuse to start with the mismatched pair. Generate a new temporary self-signed certificate for the new key before restarting nginx (the restart is needed to pick up the configuration change):
sudo openssl req -x509 -nodes -days 365 -new -key /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
After this you can restart nginx:
service nginx restart
Now you can request the Let's Encrypt-signed certificate. acme-tiny registers the account key, asks Let's Encrypt to validate the hostname, writes the challenge response into /var/www/challenges/ and prints the signed certificate to stdout, so it needs read access to both keys and write access to the challenge folder (here it runs as root, so it has both):
python /opt/acme-tiny/acme_tiny.py --account-key /etc/ssl/private/letsencrypt.key --csr /etc/ssl/mail.justrocketscience.csr --acme-dir /var/www/challenges/ > /etc/ssl/mail.justrocketscience.crt
To use and verify the certificate, clients need the intermediate certificate that signed it, so they can build a chain up to a root in their trust store (the root itself must not be sent). acme-tiny prints only your own certificate here, so download the intermediate and append it:
cd /etc/ssl/certs
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
The following command merges the generated certificate and the intermediate (order matters: your certificate first, then the intermediate) and replaces the self-signed one. Let's Encrypt rotates its intermediates (X1 was superseded by X3 in March 2016), so before merging, compare the Issuer field of your new certificate with the subject of the downloaded intermediate instead of trusting this URL blindly.
cat /etc/ssl/mail.justrocketscience.crt /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/certs/ssl-cert-snakeoil.pem
After replacing the file, run the openssl s_client command from the beginning again against every TLS port your mail server exposes and check that the output ends with "Verify return code: 0 (ok)". A new certificate is only valid for 90 days, but you can renew it with the same account key and CSR. This renewal process can be automated and I will update this post as soon as possible.
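As an added example that is not part of the original post, here is a renewal script that automates the steps above with acme-tiny. It reuses this tutorial's hostname and paths; what it adds are the checks you want before overwriting a live certificate: do nothing while the current one has more than 30 days left, refuse to install anything acme-tiny returned that is not a certificate for the hostname, append the downloaded intermediate only when acme-tiny returned just the leaf (its later, ACMEv2-based releases already return the chain), and swap the file in atomically. The Postfix and Dovecot reloads are an assumption about Modoboa's usual setup, not something the post configures.

```shell
#!/bin/sh
# Added renewal script (not part of the original post). It reuses the paths
# from this tutorial and assumes the host also runs Modoboa's usual Postfix
# and Dovecot, which read the certificate file at startup like nginx does.
set -eu

DOMAIN="mail.justrocketscience.com"
ACCOUNT_KEY=/etc/ssl/private/letsencrypt.key
CSR=/etc/ssl/mail.justrocketscience.csr
CHALLENGE_DIR=/var/www/challenges/
CERT_OUT=/etc/ssl/certs/ssl-cert-snakeoil.pem                 # the file Modoboa's configs point at
INTERMEDIATE=/etc/ssl/certs/lets-encrypt-x1-cross-signed.pem  # only used if acme-tiny returns no chain
ACME_TINY=/opt/acme-tiny/acme_tiny.py
RENEW_BEFORE_DAYS=30                                          # Let's Encrypt certificates last 90 days

# Exit 0 if the certificate in $1 is missing or expires within $2 days.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    # openssl -checkend exits 1 when the certificate expires within the window
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 if the PEM in $1 parses as a certificate whose CN or SAN list names $2.
cert_matches_domain() {
    pem="$1"
    esc="$(printf '%s' "$2" | sed 's/[.]/\\./g')"
    openssl x509 -in "$pem" -noout -text 2>/dev/null \
        | grep -qE "(CN ?= ?|DNS:)${esc}([^A-Za-z0-9.-]|$)"
}

# Write the concatenation of the files in $2.. to $1 atomically, so a daemon
# starting mid-renewal never sees a half-written bundle.
install_bundle() {
    dest="$1"; shift
    tmp="$(mktemp "${dest}.XXXXXX")"
    cat "$@" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$dest"
}

renew() {
    if ! needs_renewal "$CERT_OUT" "$RENEW_BEFORE_DAYS"; then
        echo "$CERT_OUT is valid for more than $RENEW_BEFORE_DAYS days, nothing to do"
        return 0
    fi
    new_cert="$(mktemp)"
    trap 'rm -f "$new_cert"' EXIT
    # acme-tiny prints the signed certificate to stdout; its ACMEv2-based
    # releases include the intermediate, older ones only the leaf certificate.
    python "$ACME_TINY" --account-key "$ACCOUNT_KEY" --csr "$CSR" --acme-dir "$CHALLENGE_DIR" > "$new_cert"
    if ! cert_matches_domain "$new_cert" "$DOMAIN"; then
        echo "acme-tiny did not return a certificate for $DOMAIN, keeping the old one" >&2
        return 1
    fi
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$new_cert")" -lt 2 ]; then
        install_bundle "$CERT_OUT" "$new_cert" "$INTERMEDIATE"
    else
        install_bundle "$CERT_OUT" "$new_cert"
    fi
    # All three daemons load the certificate at (re)start: nginx is what the
    # tutorial configures, Postfix and Dovecot are Modoboa's defaults (assumption).
    service nginx reload
    service postfix reload
    service dovecot reload
    echo "installed new certificate for $DOMAIN"
}

# Run the renewal only when invoked with --renew, e.g. from a daily cron job.
case "${1:-}" in
    --renew) renew ;;
esac
```

Run it as root from a daily cron job with --renew; a run in which acme-tiny fails or returns something unexpected leaves the old certificate untouched. If you keep the INTERMEDIATE fallback, the file it points at must be kept current, because the intermediate that issued your certificate changes over time.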