Debian, ISPConfig 3.1
I wanted an SSL certificate on my mail, because several clients say there is no certificate installed. I used this tutorial. Securing your ISP config email: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
All is OK until I try to restart Dovecot:
    systemctl restart dovecot
I get an error, and the error output is this:
    Dec 31 12:54:51 www systemd[1]: Stopped Dovecot IMAP/POP3 email server.
    Dec 31 12:54:51 www systemd[1]: Starting Dovecot IMAP/POP3 email server...
    Dec 31 12:54:51 www dovecot[9322]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 10: ssl_cert: Can't open file /etc/postfix/smtpd.cert: No such file or dire
    Dec 31 12:54:51 www systemd[1]: dovecot.service: Control process exited, code=exited status=89
    Dec 31 12:54:51 www systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
    Dec 31 12:54:51 www systemd[1]: dovecot.service: Unit entered failed state.
    Dec 31 12:54:51 www systemd[1]: dovecot.service: Failed with result 'exit-code'.
Line 10 in the config:
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
When I list the directory I see these two files or links just created ..
    lrwxrwxrwx 1 root root 60 Dec 31 12:54 smtpd.key -> /root/.acme.sh/mail.domain.com/mail.domain.com.key
    smtpd.cert -> /root/.acme.sh/mail.domain.com/fullchain.cer
Please help so I can get this right.
Are you sure you still have ISPConfig 3.1, so you did not install any updates in the past few years? Also, you might just have a different LE client (certbot), is there a /etc/letsencrypt directory on your server?
Btw. The easier solution would have been to update your system to ISPConfig 3.2 and let the updater create an SSL cert for you during the update, but this will likely fail now after you followed that old guide.
Sorry, my fault. Regarding ISP: it has version (Debian Stretch) ISPConfig 3.2.8p1. I have no problem updating SSL in general. I removed the certificate for my mail server domain and reinstalled it just now, and the site loads with the certificate. Is there a proper way to activate SSL for email in version 3.2.8?
It is activated by default when you install it, and you can recreate the SSL cert at any time using ISPConfig updater.
    ispconfig_update.sh --force
But this likely won't work anymore after you used the wrong procedure from that guide which is incompatible with your setup. Also, having a site for the hostname of the system prevents proper SSL renewal as acme.sh is not able to deploy an SSL cert to two destinations, so you are now stuck with a setup that you have to configure manually.
Hi, and thank you for the clarification, till. I have a separate domain for my email server, and I created a "dummy website" to generate the SSL certificate. Can I add some lines somewhere in Dovecot, similar to those in this tutorial, so it uses auto-updated certificates? https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
Example lines from 10-ssl.conf:
    ssl_cert = </etc/letsencrypt/live/YOURSITE/fullchain.pem
    ssl_key = </etc/letsencrypt/live/YOURSITE/privkey.pem
and point the path to the site (where certificates are auto-updated). Thx, Ole
Sorry to nag, would it work to point to the certificates that are autogenerated on the domain name with the name of my email server? I realized, as pointed out, that the auto update of my certificates is properly broken and they are not updated regularly. Can/will an ISPConfig update --force maybe fix this? Is there a big risk of breaking anything on a standard Debian server? Thx, Ole
First and foremost, remove this. You can try my removal script at https://github.com/ahrasis/LE4ISPC or do it manually. Make sure you remove them all properly.
Secondly, ensure you have only one LE client, i.e. either certbot or acme.sh, on your server. If you choose to use certbot, remove the certbot that was installed using apt and use snap to install it. You don't need to do anything if you are using acme.sh, as ISPConfig prefers it and will automatically install it in the absence of certbot.
Thirdly, remove the website that is using your server FQDN, as auto renewal of the LE SSL certs for the server, especially ispserver.pem, won't work with that. I will advise to delete the created LE certs as well, as the renewal conf might already be set up with the website's settings and not the server's settings, which may cause auto renewal failure. Many do not know how to properly reconfigure it manually, so deleting the LE certs is the best option for now. This should apply to both certbot and acme.sh, though it can actually work for both but with quite tedious manual work.
Finally, as advised by @till, force update ISPConfig on your server, as it will install the LE certs for the server FQDN and extend the same to all other services, including your mail-related services. Unless I missed any important steps, I think the above should suffice and work.
That's the wrong way. First, this file is not read at all by the dovecot configuration, and you had better not change the config file. Instead of changing the dovecot config, just symlink the SSL certs in /usr/local/ispconfig/interface/ssl/, where all services are pointing to, to the SSL cert that you want to use.
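A check to run before restarting Dovecot, covering both the failure in the first post (ssl_cert pointing at a symlink that cannot be opened) and the symlink approach in the last reply. This is an added example, not part of any post in the thread; the names check_link_chain and MAX_HOPS are made up here.

```shell
#!/bin/sh
# Follow a symlink chain hop by hop and report where it ends.
# Return codes of check_link_chain (hypothetical helper, not an ISPConfig tool):
#   0  chain ends at a readable regular file
#   1  a hop points at a path that does not exist (dangling link)
#   2  more than MAX_HOPS hops (probable symlink loop)
#   3  final target exists but is not a readable regular file
MAX_HOPS=10

check_link_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt "$MAX_HOPS" ]; then
            echo "LOOP?      $1: more than $MAX_HOPS hops"
            return 2
        fi
        target=$(readlink "$path")
        # A relative target is resolved against the link's own directory.
        case $target in
            /*) ;;
            *) target=$(dirname "$path")/$target ;;
        esac
        echo "  $path -> $target"
        path=$target
    done
    if [ ! -e "$path" ]; then
        echo "DANGLING   $1: $path does not exist"
        return 1
    fi
    if [ -f "$path" ] && [ -r "$path" ]; then
        echo "OK         $1 resolves to $path"
        return 0
    fi
    echo "UNREADABLE $1: $path is not a readable regular file"
    return 3
}

# Check every path given on the command line; with no arguments this does nothing.
for f in "$@"; do
    check_link_chain "$f"
done
```

Pass the paths named in ssl_cert and ssl_key, for example /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key; each hop is printed, so a link into a directory that no longer holds the certificate is visible immediately.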