TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Hello,
We already had Let's Encrypt done via admin, but we have issues under another domain we are hosting for email services on the Vesta panel.
So, this is the situation:
We have mydomain2.fi on Linode IP xxx, and I can access the website. We are using a Vesta Control Panel on another IP address to provide only the email services for this domain. I can't get emails to arrive at [email protected], which is located on this other Linode server (IP yyy) under Vesta cpanel, but I can send from there and that arrives at the receiver. I get this error all the time: "EXPIRED: Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate; certificate has expired So email is encrypted but the recipient domain is not verified" (I can see this at https://www.checktls.com/TestReceiver).
When I check the certificate in the web browser, it is valid until June 2019. The IMAP / SMTP hostname in the Vesta control panel mail information is MYDOMAIN.com (it is not mail.MYDOMAIN.com). I can send emails from there, but not receive. If I send an email from another email address, I get this error message after a few hours: <[email protected]>: host MYDOMAIN.com[ip address] said: 451 Temporary local problem - please try later (in reply to end of DATA command). I changed the DNS info again under the Domains tab in Linode admin. I still have the MX settings pointing to hostname MYDOMAIN.com, but in the A records I removed the hostname "mail" because Vesta cpanel is not using any subdomain "mail" in the settings. Should I have it or not? Instead I put MYDOMAIN.com as the hostname, pointing to the right IP address yyy. The problem is always having to wait for hours each time, and nothing seems to help. I've done this for a couple of weeks now. I try to study by myself and not bother other people, but I could use some tips.
Using this service at https://www.checktls.com/TestReceiver, I get this among others (this is the only fail part):
Certificate 1 of 3 in chain: Cert VALIDATED: ok
Cert Hostname DOES NOT VERIFY (mail.MYDOMAIN.com != MYDOMAIN.com | DNS:MYDOMAIN.com | DNS:www.MYDOMAIN.com)
So email is encrypted but the host is not verified
cert not revoked by CRL
cert not revoked by OCSP
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
dpeca wrote: ↑Fri Jul 27, 2018 10:52 am
...
Now in SSH do the following:
Code:
v-update-host-certificate admin $HOSTNAME
(change 'admin' if your hostname domain is not under 'admin' account)
This will apply the just installed SSL to Vesta, Exim and dovecot daemons.
And finally run:
Code:
echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf
This will tell Vesta to update SSL to Vesta, Exim and dovecot daemons every time when SSL is renewed.
This will happen automatically.
That's all.
LetsEncrypt SSL will be automatically renewed every 2 months and also automatically applied to dovecot, Exim and Vesta.
And this is a completely built-in way, without additional scripts; Vesta itself does it.

This is wonderful! Better than manually editing conf files. Thank you so much!!!
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
I was looking for this solution and finally I got this.
Thank you so much VESTA forums and community members
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Thanks for this tutorial, but I still could not figure it out. Too bad to understand ( I think you should Repair VMDK files if possible. Some ways exist (or are easy/convenient) only on some types (the ones that are actually a dd-like image), such as monolithicFlat (which is a "pure" dd-like image) or similar.
Last edited by Nadayan on Tue Jul 09, 2019 7:56 am, edited 1 time in total.
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Only partially works if you change the system's hostname. I'm not talking about the variable but actually the system's hostname (either in CP or by vesta command). Once that's done vesta is confused as hell. After several manual commands v-add-ssl-mail and -vesta (don't remember their names, it's an awful naming system), vestacp finally applied the updated hostname's ssl to mail, but for the CP itself, it insists on keeping the old ssl.
So... useful, but not quite automated or fully working.
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
really wrote: ↑Fri May 24, 2019 4:25 pm
Only partially works if you change the system's hostname. I'm not talking about the variable but actually the system's hostname (either in CP or by vesta command). Once that's done vesta is confused as hell. After several manual commands v-add-ssl-mail and -vesta (don't remember their names, it's an awful naming system), vestacp finally applied the updated hostname's ssl to mail, but for the CP itself, it insists on keeping the old ssl.
So... useful, but not quite automated or fully working.

Code:
v-change-sys-hostname newdomain.com
Code:
HOSTNAME='newdomain.com'
Code:
v-update-host-certificate admin $HOSTNAME
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Yes, that is how you change the host using CLI commands. The issue is that if you already had 'automatic' ssl on the old hostname, once you do change, it fails. The rest of the story is in my previous comment.
Thanks for replying though :)
Also, a quick question: which part of the script https://github.com/serghey-rodin/vesta/ ... ertificate is supposed to edit /usr/local/vesta/nginx/conf/nginx.conf?
Update: I see what's going on. The previous cron task updating the old domain is still active. If it's not a cron task it's a stupid config file that wasn't updated with the new domain name. Now if I could just find the sucker...
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
really wrote: ↑Sat May 25, 2019 2:52 am
Yes, that is how you change the host using CLI commands. The issue is that if you already had 'automatic' ssl on the old hostname, once you do change, it fails. The rest of the story is in my previous comment.
Thanks for replying though :)
Also, a quick question: which part of the script https://github.com/serghey-rodin/vesta/ ... ertificate is supposed to edit /usr/local/vesta/nginx/conf/nginx.conf?
Update: I see what's going on. The previous cron task updating the old domain is still active. If it's not a cron task it's a stupid config file that wasn't updated with the new domain name. Now if I could just find the sucker...

But the script only relies on the current hostname... literally... the value from /etc/hostname - there is no other 'entry'.
The process works this way:
1) Vesta cron renews domains (using the official Vesta LA script, my script is not involved here; this happens on all servers via the default cron: sudo /usr/local/vesta/bin/v-update-letsencrypt-ssl)
2) at the end of the renewing script (when SSL is renewed), my script is called
3) my script checks if renewed domain == $HOSTNAME
4) if so, it copies the SSLs and restarts the daemons
$HOSTNAME is a global BASH variable; it's taken from /etc/hostname
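
Two failures come up in this thread: a certificate whose names do not cover the host name mail servers connect to, and a panel copy that still holds the old certificate after a renewal. Both can be checked read-only with the openssl CLI. This is an added example, not part of the thread or of Vesta's own scripts; the function names and the *.example host names are made up for illustration, and it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: read-only audit of certificate files with the openssl CLI.

# cert_status FILE HOST -> prints ok | expired | name-mismatch | unreadable
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo expired; return 1; }
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match' ||
        { echo name-mismatch; return 1; }
    echo ok
}

# cert_fp FILE -> SHA-256 fingerprint, used to tell whether two files hold the same cert
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# audit_copy SOURCE COPY HOST -> prints in-sync | stale-copy | source-<status>
audit_copy() {
    st=$(cert_status "$1" "$3") || { echo "source-$st"; return 1; }
    [ -n "$(cert_fp "$2")" ] && [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ] ||
        { echo stale-copy; return 1; }
    echo in-sync
}

# make_sample_cert OUT SAN -> constructed throwaway self-signed cert (demo input only)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1" -subj "/CN=sample" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Demo on constructed certificates; on a server, pass the real files instead,
# e.g. audit_copy <domain cert> /usr/local/vesta/ssl/certificate.crt "$(hostname)"
demo() {
    d=$(mktemp -d) || return 1
    make_sample_cert "$d/old.crt" "DNS:olddomain.example"
    make_sample_cert "$d/new.crt" "DNS:mydomain.example,DNS:www.mydomain.example"
    cp "$d/old.crt" "$d/panel.crt"            # panel still holds the old copy
    echo "mail name : $(cert_status "$d/new.crt" mail.mydomain.example)"
    echo "bare name : $(cert_status "$d/new.crt" mydomain.example)"
    echo "panel copy: $(audit_copy "$d/new.crt" "$d/panel.crt" mydomain.example)"
    cp "$d/new.crt" "$d/panel.crt"            # what a working renew hook would do
    echo "after copy: $(audit_copy "$d/new.crt" "$d/panel.crt" mydomain.example)"
    rm -rf "$d"
}
demo
```

A `stale-copy` result for the panel certificate while the domain certificate reports `ok` points at the copy step of the renew hook rather than at the renewal itself.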
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
Yeah, I looked at all cron tasks; I can't find the one that takes the old domain name and overwrites /usr/local/vesta/ssl/certificate.*
Both $HOSTNAME and /etc/hostname are the new domain name which should be fine. Can't figure it out.
Re: TUTORIAL: How to install SSL certificate to Vesta, Exim and dovecot daemons
I was looking for the solution and finally, I got this.