Ok. I have spent the last 3 days to get this to work so you best gimme some kudos.

Create new sites on ISPconfig 3.1 "perfect server" (in this example we call these new web sites ic4.eu, smtp.ic4.eu and imap.ic4.eu) and enable Let's Encrypt SSL on these sites. You can use the default www. as alias on ic4.eu (but remember to disable the www. alias on any other web site that will use the (ic4.eu) root domain address, like for instance smtp.ic4.eu. Why? Because you can't have two or more websites with the same address, i.e. www.ic4.eu.)

Make sure your DNS servers have these new addresses configured. (You can use 'tail /var/log/letsencrypt/letsencrypt.log' to check for errors.)

(If you don't know how to use symbolic links this how-to is not for you.)

Define Apache2 to use the new SSL certificate with default SSL connections.

/etc/apache2/sites-available/default-ssl.conf

Comment out these two certificate lines and add the new certificate paths.

    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateFile /etc/letsencrypt/live/ic4.eu/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ic4.eu/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/ic4.eu/chain.pem

Define ISPconfig to use the new SSL certificate with symbolic links.

/usr/local/ispconfig/interface/ssl/

    ispserver.crt -> /etc/letsencrypt/live/ic4.eu/fullchain.pem
    ispserver.key -> /etc/letsencrypt/live/ic4.eu/privkey.pem

Define Postfix to use the new SSL certificate in /etc/postfix/main.cf.

    smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.ic4.eu/cert.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/smtp.ic4.eu/privkey.pem
    smtpd_tls_CAfile = /etc/letsencrypt/live/smtp.ic4.eu/fullchain.pem

Define Dovecot to use the new SSL certificate in /etc/dovecot/dovecot.conf.

    ssl_cert = </etc/letsencrypt/live/imap.ic4.eu/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.ic4.eu/privkey.pem

Enjoy your working SSL certificates for Postfix, SMTP(s), IMAP(s), ISPConfig, phpMyAdmin and Apache.

Who's the man?
Quick question: I don't use dns on my servers, I use my domain registrar's dns. Is that going to cause a problem with Let's Encrypt?
Hi. The path is not good, the certificates are incremented with each renewal ... 1 ... 2 ... 3 ..... it's: /etc/letsencrypt/live/imap.ic4.eu/.......
Please see the following initial post for postfix and dovecot: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/ and also this following post which is slightly further down the page for an update and for pure-ftp details: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/#post-349372
@sjau Dovecot also has a POP(s) service. Not just IMAP(s). Both should have their own certs defined in the conf.
@kerrsmith Nothing new on those threads. The pure-ftp cert fix seems interesting but does not seem to improve the situation.
Still, why separate certs? If you have pop.domain.tld and imap.domain.tld they can both be in one cert.
I only use POP and SMTP for my mail server, which is why I only included those in the example I linked to; you can of course add any others you require and they all end up in the same certificate. I am not sure why your FTP attempts are not working. Does anything helpful show up in the error logs when you try to connect? Are you connecting using FTPS rather than SFTP, as they work differently? Also, it should be Explicit FTP over TLS. I only ask this as the "server's host key is unknown" error sounds a bit like an SSH error message.
Thanks for your work mate, however I have a quick question. I have created a smpt.example.com website with a letsencrypt cert that I used in postfix. However, after restarting postfix I noticed that I see a certificate for another site on my server that is not even in the example.com domain but on a domain by itself. Any ideas?

EDIT: Sorry for being such a noob but it appears I had not correctly set the parameters for the certificate. All is well and thanks again for your work.
For pure-ftp you need to merge the private key and the full chain together; I'm using a cron job to merge them every month ;-)

Code:

    #!/bin/bash
    # Concatenate the full chain and the private key into the single PEM file pure-ftpd reads.
    cat /etc/letsencrypt/live/srv010.web.ichtushosting.com/fullchain.pem /etc/letsencrypt/live/srv010.web.ichtushosting.com/privkey.pem > /etc/ssl/private/srv010.letsencrypt.keyandfullchain.pem

And I have a symlink from /etc/ssl/private/pure-ftpd.pem -> srv010.letsencrypt.keyandfullchain.pem
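The merge from the post above, written as a function that can run from cron more often than monthly: it refuses to publish a combined file when either input is missing, keeps the key material at mode 600, swaps the target in with an atomic rename, and reports whether anything changed so pure-ftpd only needs a restart after a renewal. This is an added example, not code from the thread; the function name `build_pureftpd_pem` and its "updated"/"unchanged" output are made up for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Hypothetical helper:
#   build_pureftpd_pem LIVE_DIR OUT_FILE
# Prints "updated" or "unchanged". Returns non-zero on error and leaves
# OUT_FILE exactly as it was.
build_pureftpd_pem() {
    local live_dir=$1 out_file=$2 tmp f
    # A bare "cat a b > out" truncates the target even when an input is gone.
    for f in "$live_dir/fullchain.pem" "$live_dir/privkey.pem"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done
    # Temp file lives beside the target so the final mv is an atomic rename;
    # umask 077 keeps the private key unreadable to other users throughout.
    tmp=$(umask 077; mktemp "$out_file.XXXXXX") || return 1
    if ! cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Structural sanity check only: both PEM block types must be present.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$tmp" ||
       ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$tmp"; then
        echo "combined file lacks a certificate or private key block" >&2
        rm -f "$tmp"
        return 1
    fi
    # Nothing renewed since the last run: keep the existing file untouched.
    if [ -f "$out_file" ] && cmp -s "$tmp" "$out_file"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    if ! chmod 600 "$tmp" || ! mv -f "$tmp" "$out_file"; then
        rm -f "$tmp"
        return 1
    fi
    echo updated
}

# Usage with the paths from the post above:
#   build_pureftpd_pem /etc/letsencrypt/live/srv010.web.ichtushosting.com \
#       /etc/ssl/private/srv010.letsencrypt.keyandfullchain.pem
```

Restart pure-ftpd only when the function prints "updated"; the existing symlink from /etc/ssl/private/pure-ftpd.pem keeps working because the target file name does not change.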
Sidenote: you can also use vhost aliases instead of full websites. That way only one certificate is generated with all the different domains ;-)