LetsEncrypt + Wildcard + cloudflare

This section contains user-submitted tutorials.
bagu
Normal user
Posts: 217
Joined: 2005-06-17 03:08
Location: France

LetsEncrypt + Wildcard + cloudflare

Post by bagu » 2019-09-27 14:21

Here is a small tutorial to get a Letsencrypt wildcard certificate easily with Posh-ACME and Cloudflare (thanks to palinka).
It auto-creates the Cloudflare DNS TXT record.
  1. Launch PowerShell as an admin
  2. Remove restrictions with:

    set-executionpolicy unrestricted

  3. Install Posh-ACME with this command:

    Install-Module -Name Posh-ACME

  4. Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE):

    Set-PAServer LE_PROD

  5. Set the Cloudflare parameters with:

    $pArgs = @{ CFAuthEmail='cloudflareemail@email.com'; CFAuthKey='cloudflarepassword' }

  6. Ask for a new certificate with:

    New-PACertificate '*.domain1oncloudflare.com','*.domain2oncloudflare.org' -AcceptTOS -Contact my@email.com -DnsPlugin Cloudflare -PluginArgs $pArgs -Verbose

  7. Follow the on-screen instructions in PowerShell
  8. Then, search for your certificate with:

    Get-PACertificate | fl

  9. Use cert.key as the key and fullchain.cer as the public certificate and insert them in hMailServer
Then you can create a scheduled task to renew the certificate every 85 days with a script which contains:

    Submit-Renewal -PluginArgs @{CFAuthEmail='cloudflareemail@email.com'; CFAuthKey='cloudflarepassword'}

Don't forget to fetch the renewed certificate files and copy them to the folder where hMailServer is configured to read them.
And don't forget to restart hMailServer.

I will put here later an example of a script which renews, copies and restarts hMailServer.

If you have any tips to improve or modify this tutorial, do not hesitate to propose your modifications.
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: LetsEncrypt + Wildcard + cloudflare

Post by palinka » 2019-09-27 15:07

👍

bagu
Normal user
Posts: 217
Joined: 2005-06-17 03:08
Location: France

Re: LetsEncrypt + Wildcard + cloudflare

Post by bagu » 2020-05-20 00:39

Update!

The old method doesn't seem to work anymore.
Here is the new way to get this working:

First, follow this on cloudflare:
  • In the API Tokens section, click Create Token
  • Give it a name such as 'DNS edit all zones'
  • Add the following permissions:
    • Zone - DNS - Edit
    • Zone - Zone - Read
  • Set the following Zone Resources:
    • Include - All Zones
  • Click Continue to summary
  • Click Create Token
  • This is your token. Copy it for later because it can't be retrieved after leaving this page. You must generate a new value if you forget the old one.
From: https://github.com/rmbolger/Posh-ACME/b ... -Readme.md

Then the next steps are much the same:
  1. Launch PowerShell as an admin
  2. Remove restrictions with:

    set-executionpolicy unrestricted

  3. Install Posh-ACME with this command:

    Install-Module -Name Posh-ACME

    If you wish to update Posh-ACME, type:

    Update-Module -Name Posh-ACME

  4. Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE):

    Set-PAServer LE_PROD

  5. Set the Cloudflare parameters with:

    $pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
    $pArgs.CFTokenReadAllInsecure = 'Poshread-token'

    Replace Poshedit-token and Poshread-token with your tokens
  6. Ask for a new certificate with:

    New-PACertificate 'site1.fr','site2.fr','*.site1.fr','*.site2.fr' -AcceptTOS -Contact yourcloudflare@email.fr -DnsPlugin Cloudflare -PluginArgs $pArgs -Verbose

  7. Follow the on-screen instructions in PowerShell
  8. Then, search for your certificate with:

    Get-PACertificate | fl

  9. Use cert.key as the key and fullchain.cer as the public certificate and insert them in hMailServer
To refresh your certificate, you can use this batch (and launch it from a scheduled task). Before using it:
  • In %localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath, replace IdOfYourPosh-ACMEDirectory and !NameOfCertPath with the values shown by the Get-PACertificate | fl command
  • Replace Poshedit-token and Poshread-token with your tokens
  • Replace PathToYourCertificates with the certificate folder where hMailServer picks up your certificate

<# : Begin batch (the batch part sits inside a PowerShell block comment, PowerShell v2.0+)
@echo off
: Use local variables
setlocal
: Change current directory to script location - useful for including .ps1 files
cd %~dp0
: Run this same file as a PowerShell expression (the PowerShell part below does the renewal)
powershell -executionpolicy remotesigned -Command "Invoke-Expression $([System.IO.File]::ReadAllText('%~f0'))"
: Copy the renewed files to the folder hMailServer reads from, then restart it
: (no trailing backslash on destpath, so the paths can be quoted safely)
set orgpath=%localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath
set destpath=C:\PathToYourCertificates
net stop hmailserver
robocopy "%orgpath%" "%destpath%" *.pfx *.cer *.key /is
certutil -addstore -f "My" "%destpath%\chain.cer"
net start hmailserver
timeout 60
: Restore environment variables present before setlocal and restore current directory
endlocal
: End batch - go to end of file
goto:eof
#>
# here starts your PowerShell script

Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted

# Update Posh-ACME
Update-Module -Name Posh-ACME

# Renew the certificate (Posh-ACME only issues a new one when renewal is due)
$pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
$pArgs.CFTokenReadAllInsecure = 'Poshread-token'
Submit-Renewal -PluginArgs $pArgs -Verbose
Hope it can help.
If you have some ideas, you're welcome.
The batch can be used to update certificates for Apache too.
I also use the mailsend command to send a notification when the certificate is renewed.

You must set site1.fr AND *.site1.fr to avoid some weird problems on Apache, for example ("server certificate does NOT include an ID which matches the server name").
hMailServer 5.6.8 With SpamAssassin 3.4.2
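The two tutorials above (the original CFAuthKey method and the updated API-token method) both end with a renewal script that carries the Cloudflare credential in clear text and restarts hMailServer on every run. The following PowerShell script is an added example, not code from the thread or from the Posh-ACME project: it keeps the token in a DPAPI-protected file readable only by the account that runs the scheduled task, uses the Posh-ACME `CFToken` SecureString plugin parameter instead of `CFTokenInsecure`, and only stops the mail service when `Submit-Renewal` actually produced a new certificate whose thumbprint differs from the deployed one. The token file name, the destination folder, the log file and the service name `hMailServer` are assumptions; adjust them to your setup.

```powershell
# Added example (not from the thread): Posh-ACME renewal for hMailServer with the
# Cloudflare token kept out of the script and a restart only when something changed.
# Assumptions: $TokenFile, $DestPath, $LogFile and the service name below.

$ErrorActionPreference = 'Stop'

# DPAPI-protected token file. Create it once, interactively, as the account that
# will run the scheduled task (only that account can decrypt it afterwards):
#   Read-Host -AsSecureString 'Cloudflare token' | ConvertFrom-SecureString | Set-Content $TokenFile
$TokenFile = Join-Path $env:LOCALAPPDATA 'hmail-cf-token.txt'   # assumed location
$DestPath  = 'C:\PathToYourCertificates'                         # folder hMailServer reads
$Service   = 'hMailServer'                                       # assumed service name
$LogFile   = Join-Path $DestPath 'renewal.log'                   # assumed log location

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Load the token as a SecureString; CFToken is the secure counterpart of CFTokenInsecure.
# If your edit token is scoped to single zones, add CFTokenReadAll the same way.
$cfToken = Get-Content $TokenFile | ConvertTo-SecureString
$pArgs   = @{ CFToken = $cfToken }

# Submit-Renewal returns the new certificate object only when a renewal happened;
# when the certificate is not due yet it returns nothing.
$newCert = Submit-Renewal -PluginArgs $pArgs -Verbose
if (-not $newCert) {
    Write-Log 'No renewal due; nothing deployed.'
    return
}

# Sanity check before touching the mail server: the new certificate must already be
# valid and must not be about to expire (Let's Encrypt issues 90-day certificates).
$now = Get-Date
if ($newCert.NotBefore -gt $now -or $newCert.NotAfter -lt $now.AddDays(5)) {
    throw "Renewed certificate has an unexpected validity window: $($newCert.NotBefore) - $($newCert.NotAfter)"
}

# Compare with the certificate hMailServer is currently serving; skip the restart
# if the deployed file already carries the same thumbprint.
$deployed = Join-Path $DestPath 'fullchain.cer'
if (Test-Path $deployed) {
    $current = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $deployed
    if ($current.Thumbprint -eq $newCert.Thumbprint) {
        Write-Log "Deployed certificate already matches thumbprint $($newCert.Thumbprint); no restart."
        return
    }
}

# Deploy the two files hMailServer needs (as in the tutorial) while the service is
# stopped, and always bring the service back up even if the copy fails.
Stop-Service -Name $Service
try {
    Copy-Item $newCert.FullChainFile (Join-Path $DestPath 'fullchain.cer') -Force
    Copy-Item $newCert.KeyFile       (Join-Path $DestPath 'cert.key')      -Force
} finally {
    Start-Service -Name $Service
}
Write-Log "Deployed certificate $($newCert.Thumbprint), expires $($newCert.NotAfter); $Service restarted."
```

Run it from the scheduled task as `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\path\Renew-HmailCert.ps1`, under the same account that created the token file, because DPAPI ties the encrypted token to that user. Keep `cert.key` in the destination folder readable only by administrators and the hMailServer service account; the private key is the one thing in this pipeline that must not leak, and the log file deliberately records only thumbprints and dates.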
