EMail SSL Certificate Installation
I don't see an option in the UI to configure the certificates for the email server. Sure would be nice if there was an option to automatically reuse the certificate created for the web server on the email server to support SSL.
Re: EMail SSL Certificate Installation
Check if the following options exist in /etc/exim4/exim4.conf.template:
Code:
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key
You can do that like that:
Code:
grep "tls_" /etc/exim4/exim4.conf.template
Then go to /usr/local/vesta/ssl/ and symlink the pem and key files of your respective domain:
Code:
ln -s /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key
Then you have to give the user Debian-exim rights to access the certificates:
Code:
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key
Keep in mind that your file system needs to support Unix ACLs and the certificates are regenerated every few weeks if you're using letsencrypt – you probably have to set the ACLs again in the latter case. Else you get the error "Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider." (this is for Thunderbird, other mail apps may have different errors).
Re: EMail SSL Certificate Installation
Same problem now!
Had issue with my SSL certificate which meant it made accessing the control panel impossible!
Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.
How do I fix this and what is causing it?
I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all not simply refuse to send emails?
I don't think it matters but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.
As far as I am aware .pem and .crt extension makes no difference?
Any help is massively appreciated!
Re: EMail SSL Certificate Installation
First, I want to thank you for clear instructions. Now my Vesta Admin and Exim SSL is working.
However, my SMTP port 465 is still not opened. I checked Vesta default IPtables rules and it's allowed there. For the Port 465 issue I still can't send SSL encrypted email using SMTP port 465.
Your help appreciated.
JakeTheDog420 wrote:
> Same problem now!
> Had issue with my SSL certificate which meant it made accessing the control panel impossible!
> Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.
> How do I fix this and what is causing it?
> I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all not simply refuse to send emails?
> I don't think it matters but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.
> As far as I am aware .pem and .crt extension makes no difference?
> Any help is massively appreciated!
Run this command and it should fix your permission issue.
Code:
chgrp mail /home/admin/conf/web/ssl.domain.com.pem
chmod 660 /home/admin/conf/web/ssl.domain.com.pem
chgrp mail /home/admin/conf/web/ssl.domain.com.key
chmod 660 /home/admin/conf/web/ssl.domain.com.key
Note: replace domain.com with your SSL enabled domain name.
Re: EMail SSL Certificate Installation
Thank you very much! It worked. service exim4 wasn't enough and my problem fixed after a reboot, is there any alternative for reboot?
phre4k wrote (Sat May 20, 2017 10:03 am):
> Check if the following options exist in /etc/exim4/exim4.conf.template:
> Code:
> tls_advertise_hosts = *
> tls_certificate = /usr/local/vesta/ssl/certificate.crt
> tls_privatekey = /usr/local/vesta/ssl/certificate.key
> You can do that like that:
> Code:
> grep "tls_" /etc/exim4/exim4.conf.template
> Then go to /usr/local/vesta/ssl/ and symlink the pem and key files of your respective domain:
> Code:
> ln -s /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
> ln -s /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key
> Then you have to give the user Debian-exim rights to access the certificates:
> Code:
> setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
> setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key
> Keep in mind that your file system needs to support Unix ACLs and the certificates are regenerated every few weeks if you're using letsencrypt – you probably have to set the ACLs again in the latter case. Else you get the error "Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider." (this is for Thunderbird, other mail apps may have different errors).
Re: EMail SSL Certificate Installation
That solves my problem, but after a while ssl.domain.com.pem and ssl.domain.com.key have again 640 permission.
sifur wrote (Sun Nov 05, 2017 5:38 pm):
> First, I want to thank you for clear instructions. Now my Vesta Admin and Exim SSL is working.
> However, my SMTP port 465 is still not opened. I checked Vesta default IPtables rules and it's allowed there. For the Port 465 issue I still can't send SSL encrypted email using SMTP port 465.
> Your help appreciated.
> JakeTheDog420 wrote:
> > Same problem now!
> > Had issue with my SSL certificate which meant it made accessing the control panel impossible!
> > Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.
> > How do I fix this and what is causing it?
> > I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all not simply refuse to send emails?
> > I don't think it matters but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.
> > As far as I am aware .pem and .crt extension makes no difference?
> > Any help is massively appreciated!
> Run this command and it should fix your permission issue.
> Code:
> chgrp mail /home/admin/conf/web/ssl.domain.com.pem
> chmod 660 /home/admin/conf/web/ssl.domain.com.pem
> chgrp mail /home/admin/conf/web/ssl.domain.com.key
> chmod 660 /home/admin/conf/web/ssl.domain.com.key
> Note: replace domain.com with your SSL enabled domain name.
Probably the certificate is renewed..
What could I do? That when the certificate is renewed to receive permission 660 automatically?
I don't think it's a good idea to put on a cronjob.
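The posts above describe a copied certificate that goes stale, key file modes that revert, and an ACL that is lost when renewal replaces the file. The shell functions below are an added example, not code from any poster or from Vesta: they detect each condition and re-apply the thread's setfacl grant only when it is missing. Function names are hypothetical and all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit the Exim TLS files discussed in this thread.
# Function names are hypothetical; all paths are passed in by the caller.

# Classify how the file Exim loads (e.g. certificate.crt) relates to the
# domain file that gets renewed. A copy works only until the next renewal.
tls_file_state() {
    installed=$1; source_file=$2
    if [ ! -e "$installed" ] && [ ! -L "$installed" ]; then
        echo "missing"
    elif [ -L "$installed" ]; then
        if cmp -s "$installed" "$source_file"; then echo "symlink-ok"
        else echo "symlink-other"; fi
    elif cmp -s "$installed" "$source_file"; then
        echo "copy"
    else
        echo "stale-copy"
    fi
}

# List mode bits on a private key that are wider than a read-only grant.
# find -L follows a symlink so the real key file is inspected.
key_mode_findings() {
    findings=""
    if [ -n "$(find -L "$1" -perm -004 2>/dev/null)" ]; then
        findings="$findings world-readable"
    fi
    if [ -n "$(find -L "$1" -perm -020 2>/dev/null)" ]; then
        findings="$findings group-writable"
    fi
    echo "${findings# }"
}

# Re-apply the thread's setfacl read grant only if the entry is absent,
# which is the case once renewal has replaced the file.
ensure_read_acl() {
    acl_user=$1; target=$2
    if getfacl "$target" 2>/dev/null | grep -q "^user:$acl_user:r"; then
        echo "present"
    else
        setfacl -m "user:$acl_user:r--" "$target" && echo "granted"
    fi
}
```

Because `ensure_read_acl` changes nothing when the entry already exists, it can be called after every renewal or from a periodic check. `key_mode_findings` reports the 660 mode from the chmod commands above as group-writable; the mail daemon only needs read access.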