Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Mon Feb 12, 2018 10:50 am
by Vladimir Chanaev
billmedina wrote:
Tue Jan 31, 2017 10:32 pm
ln -s /etc/letsencrypt/live/[mydomain.com]/cert.pem /usr/local/vesta/ssl/certificate.crt
ln -s /etc/letsencrypt/live/[mydomain.com]/privkey.pem /usr/local/vesta/ssl/certificate.key
service vesta restart
Thanks, the best way, if you don't need SSL for Exim.

My VestaCP under Ubuntu 16.04 didn't have such paths, so the mod will be:

ln -s --force /home/[user]/conf/web/ssl.[domain.com].pem /usr/local/vesta/ssl/certificate.crt
ln -s --force /home/[user]/conf/web/ssl.[domain.com].key /usr/local/vesta/ssl/certificate.key

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Mon Feb 12, 2018 10:53 am
by ScIT
Vladimir Chanaev wrote:
Mon Feb 12, 2018 10:50 am
Thanks, the best way, if you don't need SSL for Exim.

My VestaCP under Ubuntu 16.04 didn't have such paths, so the mod will be:

ln -s --force /home/[user]/conf/web/ssl.[domain.com].pem /usr/local/vesta/ssl/certificate.crt
ln -s --force /home/[user]/conf/web/ssl.[domain.com].key /usr/local/vesta/ssl/certificate.key
well, you still need to restart the vesta service, so this will still not do the full job...

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Fri Mar 16, 2018 10:48 am
by MAN5
Make symlinks (shortcuts) for the crt & key files from the server's domain name SSL files. So whenever you renew your LE cert for the Vesta panel's domain, it will be used by vesta:8083 automatically.

SSL for Vesta CP:
(The script below will make a shortcut for VestaCP's main crt/key files from the main-domain.com domain's certs and make it executable, 0644.)

# Keep a timestamped backup of the current panel certificate and key
mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate"$(date '+%Y%m%d%H%M').crt"
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate"$(date '+%Y%m%d%H%M').key"

# Link the panel's certificate and key to the domain's SSL files
ln -s /home/admin/conf/web/ssl.main-domain.com.crt /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.main-domain.com.key /usr/local/vesta/ssl/certificate.key

# Set mode 0644; chmod follows the symlinks, so this applies to the target files
chmod 0644 /usr/local/vesta/ssl/certificate.crt
chmod 0644 /usr/local/vesta/ssl/certificate.key
service vesta restart
If you didn't do the 0644, you will get "cert files read failed".

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Fri Mar 16, 2018 10:55 am
by youradds
This is what I use on my servers:

https://git.scit.ch/rs/VestaCP-SystemSSL

Then just set up a cron to run daily.

Andy

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Fri Mar 16, 2018 1:59 pm
by MAN5
youradds wrote:
Fri Mar 16, 2018 10:55 am
This is what I use on my servers:

https://git.scit.ch/rs/VestaCP-SystemSSL

Then just set up a cron to run daily.

Andy
But curious, why not just make it a symlink, instead of needing another daily cron?
If there is a reason, I may follow.

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Fri Mar 16, 2018 2:30 pm
by youradds
This also does the exim4 certificates, so you can correctly connect securely to imap/pop3/smtp :)

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Sat Mar 17, 2018 5:37 am
by MAN5
youradds wrote:
Fri Mar 16, 2018 2:30 pm
This also does the exim4 certificates, so you can correctly connect securely to imap/pop3/smtp :)
That's why we set 0644 - executable permissions for root. Those certs will be executable by exim by default.

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Sat Mar 17, 2018 6:29 am
by youradds
Ah ok. I may use that on a future server build then :) I had a lot of issues getting the SSL certs to work for the mail stuff, which is why I went for that solution.

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Sun Apr 29, 2018 5:24 am
by ScIT
MAN5 wrote:
Sat Mar 17, 2018 5:37 am
youradds wrote:
Fri Mar 16, 2018 2:30 pm
This also does the exim4 certificates, so you can correctly connect securely to imap/pop3/smtp :)
That's why we set 0644 - executable permissions for root. Those certs will be executable by exim by default.
What do you do if the Let's Encrypt cert is regenerated (normally after 2 months)? As far as I know, you have to restart the service(s) to provide the new cert, otherwise it will be outdated/invalid. That was also a reason to do this script, because it was the only way for now to restart affected services (in my environment vsftpd, vesta and exim4).
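
The renewal question raised above, as an added example that is not from the thread or from the linked script: a daily cron check that restarts the services only when the certificate behind the symlink has changed, and reports a key that every local user can read (chmod on a symlink changes the link target). The certificate paths and service names are the ones mentioned in the thread; the STATE path, the RESTART_CMD override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script. CERT/KEY are the panel paths from
# the thread; STATE and RESTART_CMD are assumptions made for this example.
CERT="${CERT:-/usr/local/vesta/ssl/certificate.crt}"
KEY="${KEY:-/usr/local/vesta/ssl/certificate.key}"
STATE="${STATE:-/var/lib/vesta-panel-cert.sha256}"
SERVICES="${SERVICES:-vesta exim4 vsftpd}"

# SHA-256 of a file; a symlink is followed, so this hashes the live cert.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# 0 = changed since the last recorded restart, 1 = unchanged, 2 = unreadable.
cert_changed() {
    [ -r "$1" ] || return 2
    [ -f "$2" ] || return 0
    [ "$(cert_digest "$1")" != "$(cat "$2")" ]
}

# 0 if the key file (symlink target) is readable by every local user.
key_world_readable() {
    [ -n "$(find -L "$1" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

# Restart the services only after a renewal, then record the new digest.
renew_check() {
    status=0
    cert_changed "$CERT" "$STATE" || status=$?
    [ "$status" -eq 0 ] || return "$status"
    if key_world_readable "$KEY"; then
        echo "warning: $KEY is world-readable" >&2
    fi
    for svc in $SERVICES; do
        ${RESTART_CMD:-service} "$svc" restart || return 2
    done
    cert_digest "$CERT" > "$STATE"
}

# Cron entry point: "script --run"; exits 0 when nothing changed.
if [ "${1:-}" = "--run" ]; then
    renew_check || [ "$?" -eq 1 ]
fi
```

Run it from root's crontab with `--run`; setting `RESTART_CMD=echo` gives a dry run that prints the restarts instead of performing them.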

Re: Let's Encrypt for VestaCP System (8083) and exim4

Posted: Sat Jul 14, 2018 7:29 pm
by kandalf
How can we certify multiple domains? Imagine that you have domain1.com and domain2.com and want to use in mail configurations:
mail.domain1.com
mail.domain2.com

Is there any way to create a certificate that works for all domains?