LetsEncrypt + Wilcard + cloudflare

This section contains user-submitted tutorials.
Post Reply
User avatar
bagu
Senior user
Senior user
Posts: 275
Joined: 2005-06-17 03:08
Location: France
Contact:

LetsEncrypt + Wilcard + cloudflare

Post by bagu » 2019-09-27 14:21

Here is a small tutorial to get Letsencrypt wildcard easily with Posh-Acme and Cloudflare (thanks to palinka)
It auto-create Cloudflare DNS TXT.
  1. Launch powershell as an admin
  2. Remove restrictions with :

    Code: Select all

    set-executionpolicy unrestricted
  3. Install Posh-ACME with this command :

    Code: Select all

    Install-Module -Name Posh-ACME
  4. Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE) :

    Code: Select all

    Set-PAServer LE_PROD
  5. Set cloudflare param with :

    Code: Select all

    $pArgs = @{ CFAuthEmail=cloudflareemail@email.com'; CFAuthKey='cloudflarepassword' }
  6. Ask a new certificate with :

    Code: Select all

    New-PACertificate '*.domain1oncloudflare.com','*.domain2oncloudflare.org' -AcceptTOS -Contact my@email.com -DnsPlugin Cloudflare -PluginArgs $pArgs -Verbose
  7. Follow screen instructions on powershell
  8. Then, search your certificate with :

    Code: Select all

    Get-PACertificate | fl
  9. Get cert.key as key and fullchain.cer as public certificate and insert them in Hmailserver
Then, you can make a planned task to renew the certificate every 85days with a script witch contain :

Code: Select all

Submit-Renewal -PluginArgs @{CFAuthEmail='cloudflareemail@email.com'; CFAuthKey='cloudflarepassword'}

Don't forget to get the renewed certificate and copy them to the folder where hmailserver is set to get them.
And, don't forget to restart hmailserver

I will put here an example of script wich renew, copy and restart hmailserver later.

If you have any tips to improve or modify this tutorial, do not hesitate to propose your modifications.
hMailServer 5.6.8 With SpamAssassin 3.4.4

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: LetsEncrypt + Wilcard + cloudflare

Post by palinka » 2019-09-27 15:07

đź‘Ť

User avatar
bagu
Senior user
Senior user
Posts: 275
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: LetsEncrypt + Wilcard + cloudflare

Post by bagu » 2020-05-20 00:39

Update !

The old method seem to don't work anymore.
Here is the new way to do this working :

First, follow this on cloudflare:
  • In the API Tokens section, click Create Token
  • Give it a name such as 'DNS edit all zones'
  • Add the following permissions:
    • Zone - DNS - Edit
    • Zone - Zone - Read
  • Set the following Zone Resources:
    • Include - All Zones
  • Click Continue to summary
  • Click Create Token
  • This is your token. Copy it for later because it can't be retrieved after leaving this page. You must generate a new value if you forget the old one.
From : https://github.com/rmbolger/Posh-ACME/b ... -Readme.md

Then, next steps are quite the same :
  1. Launch powershell as an admin
  2. Remove restrictions with :

    Code: Select all

    set-executionpolicy unrestricted
  3. Install Posh-ACME with this command :

    Code: Select all

    Install-Module -Name Posh-ACME
    If you wish to update Posh-Acme, type :

    Code: Select all

    Update-Module -Name Posh-ACME
  4. Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE) :

    Code: Select all

    Set-PAServer LE_PROD
  5. Set cloudflare param with :

    Code: Select all

    $pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
    $pArgs.CFTokenReadAllInsecure = 'Poshread-token'
    Replace Poshedit-token and Poshread-token by your tokens
  6. Ask a new certificate with :

    Code: Select all

    New-PACertificate 'site1.fr','site2.fr','*.site1.fr','*.site2.fr' -AcceptTOS -Contact yourcloudflare@email.fr -DnsPlugin Cloudflare -PluginArgs $pArgs -Verbose
  7. Follow screen instructions on powershell
  8. Then, search your certificate with :

    Code: Select all

    Get-PACertificate | fl
  9. Get cert.key as key and fullchain.cer as public certificate and insert them in Hmailserver
To refresh your certificate, you can use this batch (and laucnch it by scheduled task):
%localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath = get from Get-PACertificate | fl command
Replace Poshedit-token and Poshread-token by your tokens
Replace PathToYourCertificates by the certificate location folder where HmailServer pick your certificate

Code: Select all

<# : Begin batch (batch script is in commentary of powershell v2.0+)
@echo off
: Use local variables
setlocal
: Change current directory to script location - usefull for including .ps1 files
cd %~dp0
: Invoke this file as powershell expression
powershell -executionpolicy remotesigned -Command "Invoke-Expression $([System.IO.File]::ReadAllText('%~f0'))"
: Restore environment variables present before setlocal and restore current directory
endlocal
: End batch - go to end of file
set orgpath=%localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath
set destpath=C:\PathToYourCertificates\
net stop hmailserver
robocopy %orgpath% %destpath% *.pfx *.cer *.key /is
certutil -addstore -f "My" "%destpath%\chain.cer"
net start hmailserver
timeout 60
goto:eof
#>
# here start your powershell script

Set-PSRepository -Name "PSGallery" -installationpolicy Trusted

# Update Posh-ACME
Update-Module -Name Posh-ACME

# Update certificates
$pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
$pArgs.CFTokenReadAllInsecure = 'Poshread-token'
Submit-Renewal -PluginArgs $pArgs -Verbose
Hope it can help.
If you have some idea, you're welcome.
The batch can be use to update certificate form apache.
I also use mailsend command to send a notification when the certificate is renewed.

You must set site1.fr AND *.site1.fr to avoid some weird problems on apache for example. ("server certificate does NOT include an ID which matches the server name")
hMailServer 5.6.8 With SpamAssassin 3.4.4

b8engl
New user
New user
Posts: 2
Joined: 2020-03-06 16:38
Location: Portugal

Re: LetsEncrypt + Wilcard + cloudflare

Post by b8engl » 2020-06-01 15:36

Thanks for pointing me to the right direction, but I think you can improve the tutorial!

Install Posh-ACME with this command :

Code: Select all

Install-Module -Name Posh-ACME -Scope CurrentUser
If you wish to update Posh-Acme, type :

Code: Select all

iex (irm https://raw.githubusercontent.com/rmbolger/Posh-ACME/master/instdev.ps1)
Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE) :

Code: Select all

Set-PAServer LE_PROD
Ask a new certificate with :

Code: Select all

New-PACertificate '*.one.pt','one.pt','*.two.pt','two.pt' -AcceptTOS -Contact yourPersonalEmail -DnsPlugin Cloudflare -PluginArgs @{CFAuthEmail='yourClouflareEmail'; CFAuthKey='yourGlobalAPIKey'} -Verbose

User avatar
bagu
Senior user
Senior user
Posts: 275
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: LetsEncrypt + Wilcard + cloudflare

Post by bagu » 2020-06-01 15:47

First, thanks for your contribution.

Then,

Can you explain why you add

Code: Select all

-Scope CurrentUser
? For which benefit ?

Also, why using

Code: Select all

iex (irm https://raw.githubusercontent.com/rmbolger/Posh-ACME/master/instdev.ps1)
while

Code: Select all

Update-Module -Name Posh-ACME
seem easier ?

Code: Select all

Set-PAServer LE_PROD
-> Yes ! Mistake in my post, but i can't edit anymore :cry:

Code: Select all

New-PACertificate '*.one.pt','one.pt','*.two.pt','two.pt' -AcceptTOS -Contact yourPersonalEmail -DnsPlugin Cloudflare -PluginArgs @{CFAuthEmail='yourClouflareEmail'; CFAuthKey='yourGlobalAPIKey'} -Verbose
As i say just before, the method with CFAuthEmail/CFAuthKey seem to don't work everytime.
I used it before it stop to work.
hMailServer 5.6.8 With SpamAssassin 3.4.4

b8engl
New user
New user
Posts: 2
Joined: 2020-03-06 16:38
Location: Portugal

Re: LetsEncrypt + Wilcard + cloudflare

Post by b8engl » 2020-06-01 16:11

I don't think that you will pull an update if you download the latest version, so that's why I included the correct method to use the development instead the latest stable release.

Plus, explaining to use production server as Set-PAServer LE_STAGE is wronge! The correct method is Set-PAServer LE_PROD

Additional, the Set-PAServer LE_PROD has a limit for 50 certificates for week (letsencrypt limit rate), so that's why is recomende to use Set-PAServer LE_STAGE for testing purpose.

Your wellcome!

User avatar
jimimaseye
Moderator
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: LetsEncrypt + Wilcard + cloudflare

Post by jimimaseye » 2020-06-01 21:15

bagu wrote: ↑
2020-06-01 15:47

Code: Select all

Set-PAServer LE_PROD
-> Yes ! Mistake in my post, but i can't edit anymore
I have amended the first post to reflect this.

Mod.
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post Reply