How to setup a Let'sEncrypt hostname certificate for VestaCP, Exim, Dovecot...

[Wibols]

This process have been tested on a CentOS 7 VPS, but should to work in others distros. In this example, we will use mail.domain.tld as our server hostname, but can be any other.

Under "VestaCP/Web/+" we create the mail.domain.tld subdomain. The only needed option is "SSL/Let'sEncript". DNS Support, Mail Support, Aliases, Proxy can be removed/unmarked.

To do the above, we can also use:

Code: Select all

ssh root@domain.tld
/usr/local/vesta/bin/v-add-domain USER DOMAIN [IP] [RESTART]
/usr/local/vesta/bin/v-add-letsencrypt-domain USER DOMAIN [ALIASES] [RESTART] [NOTIFY]

This empty web subdomain is required on every Let'sEncrypt verification process. Don't remove.

We wait for a few minutes while certificate is issued. We can check it in "VestaCP/Web/mail.domain.tld/SSL Support: Lets encrypt" info panel. Use "F5" for refresh.

Now we need to setup the system hostname for our server, verify it and a reboot is required:

Code: Select all

ssh root@domain.tld
hostnamectl set-hostname mail.domain.tld
hostnamectl
reboot

We update the VestaCP host certificate:

Code: Select all

ssh root@domain.tld
/usr/local/vesta/bin/v-update-host-certificate 'admin' $HOSTNAME

From this moment, we will need to use https://mail.domain.tld:8083/ to enter the control panel.

We add the line "UPDATE_HOSTNAME_SSL='yes'" to "/usr/local/vesta/conf/vesta.conf" file for certificate autoupdate:

Code: Select all

echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf

Don't forget to point your "PTR record" (reverse DNS) to "mail.domain.tld" in your VPS control panel. This step is important to legitimize your mail.

System, VestaCP, SMTP and IMAP/POP3 host names must be the same and match with certificate (CN) field and PTR record in DNS zone to avoid mail problems.