Super easy letsencrypt certificate creation

This section contains user-submitted tutorials.
palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Super easy letsencrypt certificate creation

Post by palinka » 2018-03-17 14:54

First of all, you guys have been very helpful and I'm grateful for that and the fact I have a very sweetly running HMS installation. I ran across this little tidbit and I figured here's my chance to give a little back to the community here.

Prerequisites for this tutorial: working apache on the same box that HMS is installed. I'm running HMS and xampp on windows 10. (Note: this prerequisite is not actually required, but it was the easiest way for me - explanation below).

1) Go to https://www.sslforfree.com/

The homepage has a text entry box for the domains you want to create certificates for. Please note that letsencrypt does not do wildcard certificates, so you will have to add all of your subdomains you want included in the certificate separated by a SPACE, per the instructions. i.e.:
domain.tld subdomain1.domain.tld subdomain2.domain.tld etc.domain.tld
2) Hit the "create free ssl certificate" button and it will load a section for domain verification. You have 3 options for domain verification:

* Automatic FTP verification - you set up and give sslforfree FTP credentials to log in. I did not try this. I assume you can create an unused folder for this. I didn't want to go through this process because a) it takes longer to set up and b) I suppose there is a minor security risk.

* Manual verification - you create a folder (in the case of xampp) c:\xampp\htdocs\domain.tld\.well-known\acme-challenge into which you place a file that sslforfree creates. They will then go to http://domain.tld/.well-known/acme-challenge/gibberishfilenamefromsslforfree to verify. I found this the easiest method because I could just drag and drop the files I downloaded.

* Manual DNS verification - you create a DNS txt record they will verify against. This could take a couple of days to propagate, so it should really be a last resort method.

3) After verification, the keys are generated (supposedly) in your browser so the sslforfree server never even sees them. If this is true, it's a really awesome feature. In any case, when the keys are created, you have the option to download them in a zip file. I HIGHLY recommend you do this.

4) You need a place to put them. I suppose they can go anywhere (except your web root). Since my self signed certificates were stored in apache/conf, I created a folder there and subfolders for the different domains I created certificates for.
C:\xampp\apache\conf\certs\domain1
C:\xampp\apache\conf\certs\domain2
There are 3 files in the zip file and it took a few tries to sort these out. If you're running apache, you need to update your virtual hosts to include the correct keys. Below you'll see that certificate.crt is the certificate file, private.key is the private key (duh...) and ca_bundle.crt is the certificate chain file. I don't know whether the chain file is necessary or not. I'm far from an expert on this. It's monkey see, monkey do for me and this is the setup I found after searching around the interwebs and I can confirm it does work.
<VirtualHost *:80>
    DocumentRoot "X:/xampp/htdocs/domain1.tld"
    ServerName domain1.tld
    ServerAlias www.domain1.tld
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "X:/xampp/htdocs/domain1.tld"
    SSLEngine on
    SSLCertificateFile "conf/certs/domain1.tld/certificate.crt"
    SSLCertificateKeyFile "conf/certs/domain1.tld/private.key"
    SSLCertificateChainFile "conf/certs/domain1.tld/ca_bundle.crt"
    ServerName domain1.tld
    ServerAlias www.domain1.tld
</VirtualHost>
In HMS, I went to settings > advanced > SSL Certificates, clicked ADD, then added the domain name and location of the above certificates.
Name: domain1.tld
Certificate file: C:\xampp\apache\conf\certs\domain1\certificate.crt
Private key file: C:\xampp\apache\conf\certs\domain1\private.key
A couple of things to note. First of all, I have no idea whether HMS is properly set up via the certificates I'm using, so that part of the tutorial must end here. The reason is that I'm using horde activesync which uses port 443 and not any mail protocols. From there, horde connects to HMS locally, for which I do not need TLS (on the My Computer IP range). However, I can confirm that since my apache installation is correctly configured, activesync autodiscover works perfectly for automatic account setup. Before I had a working, valid certificate (I was using a self signed certificate), activesync account setup had to be manual, and the ONLY reason for that was the self signed certificate.

Another thing to note when using the "manual verification" method in step 2 is to make sure your apache virtual hosts are properly set up. I had a couple of errors related to that and it took a minute to figure out there was a mistake in my apache setup. Another thing is I AM NOT SURE if you NEED to have a *:443 virtual host already set up with any certificate (even self signed). Since I had mine already set up that way, it worked except for the error just referenced. I found that one virtual host :443 resolved to the wrong DOMAIN NAME due to a rewrite rule in a .htaccess. So I can't say for sure whether sslforfree will look ONLY on *:80 for the verification file, or whether it looks at *:443 when it exists, or whether it REQUIRES *:443 to be already set up. Maybe it's best to just set up the *:443 virtual hosts in advance using any self signed certificate. If nothing else, that will guarantee success.

5) Last step. ;-) sslforfree will ask you to create an account when you finish making the certificates. This is not necessary, but they will email you a week before the certificate expires. They will also have your certificate creation on file and you will be able to pull them up with the option to renew the certificate. I haven't yet tried that, but I imagine it's as simple as the creation.

Additionally, for redundancy's sake, I set up a repeating calendar entry that will remind me every 85 days to renew. Letsencrypt certificates are valid for only 90 days but you can renew anytime, even the next day after you create them. That just starts the 90-day clock again.

I hope this tutorial is helpful. I can say for sure that before I found sslforfree, certificate creation was incredibly frustrating and fruitless. They made it so easy that even I can do it and believe me, if I can do it, anyone can. :-)

mattg
Moderator
Posts: 20300
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Super easy letsencrypt certificate creation

Post by mattg » 2018-03-17 16:15

Yeah, I'd be wary of a site that displays the certificate details in a browser

And ALSO, I'd use the CA bundle cert, not just the cert by itself. You will find that the certificate is automatically accepted in your mail client with the bundle loaded.

I found letsencrypt win simple really easy with an IIS web server, but even easier in Linux with Apache. I just create a Scheduled task / CRON for automatic renewal.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Super easy letsencrypt certificate creation

Post by palinka » 2018-03-17 18:36

mattg wrote:
2018-03-17 16:15
Yeah, I'd be wary of a site that displays the certificate details in a browser
I hear you. But I simply could not get it to work any other way. Here's what they have to say about it:

Private Keys are generated in your browser and never transmitted.
For modern browsers we generate a private key in your browser using the Web Cryptography API and the private key is never transmitted. The private key also gets deleted off your browser after the certificate is generated. If your browser does not support the Web Cryptography API then the keys will be generated on the server using the latest version of OpenSSL and outputted over SSL and never stored. For the best security you are recommended to use a supported browser for client generation. You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.

And ALSO, I'd use the CA bundle cert, not just the cert by itself. You will find that the certificate is automatically accepted in your mail client with the bundle loaded.
Sorry, as you know, I'm a novice. You mean under settings > advanced > ssl certificates? Or settings > advanced > TCP/IP ports? I think I have some documentation to read.

mattg
Moderator
Posts: 20300
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Super easy letsencrypt certificate creation

Post by mattg » 2018-03-18 02:43

I mean where you save the cert into hmailserver
palinka wrote:
2018-03-17 14:54
There are 3 files in the zip file and it took a few tries to sort these out. If you're running apache, you need to update your virtual hosts to include the correct keys. Below you'll see that certificate.crt is the certificate file, private.key is the private key (duh...) and ca_bundle.crt is the certificate chain file. I don't know whether the chain file is necessary or not.

...

In HMS, I went to settings > advanced > SSL Certificates, clicked ADD, then added the domain name and location of the above certificates.
Name: domain1.tld
Certificate file: C:\xampp\apache\conf\certs\domain1\certificate.crt
Private key file: C:\xampp\apache\conf\certs\domain1\private.key
Use the chain file, not the individual certificate
The LetsEncrypt chain should already include the final individual certificate. With some other options you need to manually merge the chain + the individual, not with LetsEncrypt. For LetsEncrypt this is already done for you. Just choose the chain instead of the individual when you install.

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Super easy letsencrypt certificate creation

Post by palinka » 2018-03-18 03:14

Ok, will do. 8)

Dravion
Senior user
Posts: 1489
Joined: 2015-09-26 11:50
Location: Germany

Re: Super easy letsencrypt certificate creation

Post by Dravion » 2018-03-18 16:21

Did you do this on a real Server on the Internet with Static IP and registered DNS-Domainname and valid DNS-Server entries, or is your hMailServer located behind a Router NAT @Home or Company?

letsencrypt needs to check your HTTP Port 80 to fulfill the signing request, or a DNS TXT RR Entry.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: Super easy letsencrypt certificate creation

Post by jimimaseye » 2018-03-18 18:12

Dravion wrote:
2018-03-18 16:21
Did you do this on a real Server on the Internet with Static IP and registered DNS-Domainname and valid DNS-Server entries, or is your hMailServer located behind a Router NAT @Home or Company?

letsencrypt needs to check your HTTP Port 80 to fulfill the signing request, or a DNS TXT RR Entry.

or....
* Manual verification - you create a folder (in the case of xampp) c:\xampp\htdocs\domain.tld\.well-known\acme-challenge into which you place a file that sslforfree creates. They will then go to http://domain.tld/.well-known/acme-challenge/gibberishfilenamefromsslforfree to verify. I found this the easiest method because I could just drag and drop the files I downloaded.

* Manual DNS verification - you create a DNS txt record they will verify against. This could take a couple of days to propagate, so it should really be a last resort method.
Presumably that means that people that want the certificates for a system that ISN'T a webserver can also have them. (It would be rather presumptuous that everyone has a web site).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

katip
Senior user
Posts: 703
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Super easy letsencrypt certificate creation

Post by katip » 2018-03-18 19:25

jimimaseye wrote:
2018-03-18 18:12
Presumably that means that people that want the certificates for a system that ISNT a webserver can also have them. (It would be rather presumptuous that everyone has a web site).
I did this exclusively for HMS on a box which didn't have IIS but another webserver (not Apache either).
To get rid of that 3-month MANUAL update I switched to IIS, although no functional website is running on it now.
win-acme (aka letsencrypt-win-simple) does the job perfectly for now in either case.
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Super easy letsencrypt certificate creation

Post by palinka » 2018-03-18 23:37

Dravion wrote:
2018-03-18 16:21
Did you do this on a real Server on the Internet with Static IP and registered DNS-Domainname and valid DNS-Server entries, or is your hMailServer located behind a Router NAT @Home or Company?

letsencrypt needs to check your HTTP Port 80 to fulfill the signing request, or a DNS TXT RR Entry.
I used Apache at home behind a router. Easy peasy.

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Super easy letsencrypt certificate creation

Post by palinka » 2018-03-30 21:22

mattg wrote:
2018-03-18 02:43
I mean where you save the cert into hmailserver
palinka wrote:
2018-03-17 14:54
There are 3 files in the zip file and it took a few tries to sort these out. If you're running apache, you need to update your virtual hosts to include the correct keys. Below you'll see that certificate.crt is the certificate file, private.key is the private key (duh...) and ca_bundle.crt is the certificate chain file. I don't know whether the chain file is necessary or not.

...

In HMS, I went to settings > advanced > SSL Certificates, clicked ADD, then added the domain name and location of the above certificates.
Name: domain1.tld
Certificate file: C:\xampp\apache\conf\certs\domain1\certificate.crt
Private key file: C:\xampp\apache\conf\certs\domain1\private.key
Use the chain file, not the individual certificate
The LetsEncrypt chain should already include the final individual certificate. With some other options you need to manually merge the chain + the individual, not with LetsEncrypt. For LetsEncrypt this is already done for you. Just choose the chain instead of the individual when you install .
Small update for this. Part of my problem comes from inexperience and not knowing, or only vaguely knowing, the terminology.

ca_bundle.crt is the certificate authority. SSLforfree does not create a chain certificate. That explains why it worked in apache - by including the certificate authority as a separate (3rd) file. In hmail I made it work by copying and pasting the contents of ca_bundle.crt into certificate.crt (below the original).

Today I got LE win simple working and I now see that there is a separate chain certificate that apparently contains the entire chain already. Anyway, the terminology threw me and I thought I'd update.
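The merge described in the two posts above (mattg's "use the chain file" and palinka's paste of the CA file under the leaf certificate) can be checked and done by a script instead of by hand. This is an added example, not code from the thread or from hMailServer; it assumes the three file names the first post lists (certificate.crt, private.key, ca_bundle.crt), and the PEM bodies it builds are constructed placeholders, not real certificates or keys.

```python
"""Inspect the PEM files from an sslforfree / Let's Encrypt zip and build the
single leaf+chain file hMailServer expects (Apache takes them as two files).
Added example for the forum thread; file names assumed from the first post."""
import base64
import re

# One PEM block; the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every block, decoding the base64 so a
    truncated or garbled copy/paste is rejected instead of being installed."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8 keys are DER SEQUENCEs
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def build_fullchain(certificate_pem, ca_bundle_pem):
    """Leaf certificate first, then the CA certificates. Refuses private-key
    material in either file and accepts a bundle that already begins with the
    leaf (a Let's Encrypt chain file) without duplicating it."""
    leaf = pem_blocks(certificate_pem)
    if [lbl for lbl, _ in leaf] != ["CERTIFICATE"]:
        raise ValueError("certificate.crt must contain exactly one CERTIFICATE block")
    chain = pem_blocks(ca_bundle_pem)
    if not chain or any(lbl != "CERTIFICATE" for lbl, _ in chain):
        raise ValueError("ca_bundle.crt must contain only CERTIFICATE blocks")
    if chain[0][1] == leaf[0][1]:  # bundle is already a full chain
        return ca_bundle_pem.strip() + "\n"
    return certificate_pem.strip() + "\n" + ca_bundle_pem.strip() + "\n"


def cert_count(pem_text):
    """Number of CERTIFICATE blocks in a PEM file (leaf + intermediates)."""
    return sum(1 for lbl, _ in pem_blocks(pem_text) if lbl == "CERTIFICATE")


def fake_pem(label, seed):
    """Constructed placeholder: valid base64 of a DER-like prefix, NOT a real cert or key."""
    body = base64.b64encode(b"\x30\x82\x00\x20" + seed * 8).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


LEAF = fake_pem("CERTIFICATE", b"leaf")                                   # certificate.crt
CA_BUNDLE = fake_pem("CERTIFICATE", b"inter") + fake_pem("CERTIFICATE", b"root")  # ca_bundle.crt
PRIVATE_KEY = fake_pem("PRIVATE KEY", b"key!")                            # private.key

if __name__ == "__main__":
    print(cert_count(build_fullchain(LEAF, CA_BUNDLE)), "certificates in the merged file")
```

Point the hMailServer "Certificate file" field at the merged output and keep "Private key file" at private.key; the same merged file also works as Apache's SSLCertificateFile on versions that read the chain from it.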
