Suppose we have a signed SSL certificate, or we will receive it from Let’s Encrypt, as I described in this article:
Installing Certbot in Ubuntu
To install an SSL certificate for iRedMail, you need to specify it in the Dovecot, Postfix and Apache2 configuration.
Specify the certificate in Dovecot, to do this, open the configuration file in a text editor:
sudo nano /etc/dovecot/dovecot.conf
Find the lines:
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key
And change them to your certificate (say, from Let’s Encrypt):
ssl_ca = </etc/letsencrypt/live/ixnfo.com/chain.pem
ssl_cert = </etc/letsencrypt/live/ixnfo.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/ixnfo.com/privkey.pem
The line where ssl_dh is left unchanged.
Now open the Postfix configuration:
sudo nano /etc/postfix/main.cf
Find the lines:
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
And change them to your certificate (say, from Let’s Encrypt):
smtpd_tls_key_file = /etc/letsencrypt/live/ixnfo.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/ixnfo.com/fullchain.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/ixnfo.com/chain.pem
smtpd_tls_CApath = /etc/letsencrypt/live/ixnfo.com
Well, it remains to open the configuration of Apache2:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
Find strings:
SSLCertificateFile /etc/ssl/certs/iRedMail.crt
SSLCertificateKeyFile /etc/ssl/private/iRedMail.key
And change them:
SSLCertificateFile /etc/letsencrypt/live/ixnfo.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ixnfo.com/chain.pem
To apply the changes, restart Dovecot, Postfix, Apache2 and make sure that they are successfully launched:
sudo service dovecot restart
sudo service postfix restart
sudo service apache2 restart
sudo service dovecot status
sudo service postfix status
sudo service apache2 status
This completes the installation of your SSL certificate for iRedMail.
Since postfix and dovecot must be restarted after each certificate renewal, we will specify the –post-hook option for the certbot renew command, for example, in /etc/crontab:
15 7 * * 1 root certbot renew --post-hook "service postfix restart; service dovecot restart" >> /var/log/certbot-renew.log
See also my articles:
How to renew SSL certificate on iRedMail
Google error “Failed to establish SSL secure connection to host”
Thank you for your blog, but what if for multiple domains? Do you have any articles that can be read? Thank you.