Recently, the self-signed certificates that I use for Postfix / Dovecot on my mail server expired, and I decided to try Let's Encrypt to obtain certificates for them. Let's Encrypt is a fully trusted, free Certificate Authority developed by a consortium of organizations to promote a more secure internet. I particularly like the fact that their process for issuing and installing certificates can be completely automated; dealing with Comodo or DigiCert once a year is quite troublesome.
As a first step, one needs to install their certbot / Let's Encrypt client. I chose letsencrypt.sh, since it is available on FreeBSD through the ports package management system, although Let's Encrypt supports a multitude of clients in all kinds of languages and on all kinds of platforms.
Once the package is installed, head over to the configuration files located under /usr/local/etc/letsencrypt.sh/. First, we add the domains and subdomains we want to obtain certificates for:
asrivas.me mailserver.asrivas.me mail.asrivas.me
You can add as many domains as you like to the same file if you need to. Keep in mind that a root domain and all of its subdomains must always appear together on the same line. Next up is the config.sh file:

CA="https://acme-v01.api.letsencrypt.org/directory"

# Which challenge should be used? Currently http-01 and dns-01 are supported
CHALLENGETYPE="http-01"

# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
BASEDIR="/usr/local/etc/letsencrypt.sh"

# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
WELLKNOWN="/usr/local/www/apache24/data/.well-known/acme-challenge"
Some of the important fields in this config file are shown in the snippet above. Pay careful attention to the WELLKNOWN directive: it points to a location under your web server's document root where the client places the ACME challenge token that Let's Encrypt fetches to verify that you control the domain. If, like me, you have your actual web server running on a different VM, you can set up a proxy from that front-end web server to this location. I also have a web server running on my email server to host my webmail, so I just repurposed it to answer the ACME challenge.
Try out the config by running letsencrypt.sh and make sure there are no errors; if everything is set up correctly, the output will indicate that the challenge succeeded. The next step is to install a cron job that invokes the command once a week or so, and to change the Dovecot / Postfix configurations to point at the Let's Encrypt certificates. These are created under /usr/local/etc/letsencrypt.sh/certs/, with a subdirectory for each domain and its subdomains. The cert and private key in each subdirectory are symlinks to the latest issued files, so they are updated on renewal without any additional configuration changes in Postfix / Dovecot.
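Since the mail daemons follow those symlinks blindly, it is worth checking after each renewal that what they point at is actually usable. The following script is an added example (not from the original post or from letsencrypt.sh); it assumes the file names letsencrypt.sh writes into each domain directory (cert.pem, privkey.pem, fullchain.pem as symlinks to timestamped files) and that openssl(1) is on the PATH.

```shell
#!/bin/sh
# Post-renewal sanity check for one letsencrypt.sh certificate directory.
# Added example, not part of letsencrypt.sh or the original post. Assumes the
# file names letsencrypt.sh writes (cert.pem, privkey.pem, fullchain.pem as
# symlinks to timestamped files) and that openssl(1) is on the PATH.

# check_cert_dir DIR DOMAIN MIN_DAYS
# Returns 0 when DIR holds a readable cert/key/chain for DOMAIN, the cert is
# valid for at least MIN_DAYS more days, and the private key matches it.
# Each failed check is reported on stdout.
check_cert_dir() {
    dir=$1; domain=$2; min_days=$3
    cert="$dir/cert.pem"; key="$dir/privkey.pem"; chain="$dir/fullchain.pem"
    rc=0
    for f in "$cert" "$key" "$chain"; do
        # A dangling symlink means a renewal left the directory half-updated.
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # -checkend fails when the certificate expires within the given seconds.
    if ! openssl x509 -noout -in "$cert" -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires in under $min_days days: $(readlink "$cert")"; rc=1
    fi
    # The SAN list must contain the name Postfix/Dovecot present to clients.
    if ! openssl x509 -noout -text -in "$cert" | grep -Eq "DNS:$domain(,|\$)"; then
        echo "certificate does not cover $domain"; rc=1
    fi
    # Public key from the cert vs. public key derived from the private key;
    # a mismatch breaks every TLS handshake even though both files exist.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; rc=1
    fi
    return "$rc"
}

# Usage: sh check-le-certs.sh /usr/local/etc/letsencrypt.sh/certs
# Walks every domain directory and warns 14 days before expiry, which is
# early enough for a weekly cron run of letsencrypt.sh to catch it.
if [ -n "${1:-}" ]; then
    for d in "$1"/*/; do
        d=${d%/}
        if check_cert_dir "$d" "$(basename "$d")" 14; then
            echo "ok: $(basename "$d")"
        fi
    done
fi
```

Run it from the same weekly cron job, right after letsencrypt.sh, and reload Dovecot (and, to be safe, Postfix) there as well: Dovecot reads the certificate files only at startup, so a renewed file behind the symlink is not used until a reload.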