How to Configure/Install Let’s Encrypt SSL on VestaCP Mail Server and Vesta Admin – CentOS and Ubuntu
In this tutorial we’ll cover how to install a valid Let’s Encrypt SSL certificate for the server hostname, for the VestaCP admin panel (on port 8083) and for the mail server, and how to configure it to renew automatically.
Let’s Encrypt is a free SSL certificate authority (CA) with 99.99% browser compatibility. Today we’ll configure a Let’s Encrypt certificate for the Exim mail server under VestaCP. These days email servers are in high demand and are used for newsletters and personal mail. VestaCP has full-featured email server support, but it uses a self-signed certificate for the mail server and for the Vesta admin login.
Let’s Get Started
Step 1 :
Important: Install VestaCP with a proper hostname set (it should be a subdomain of your main domain; for this tutorial I’m using srv1.mysterydata.com as the example), and the hostname should have a DNS A record pointing to the server IP.
Follow these steps to install the Let’s Encrypt SSL certificate on the hostname via the VestaCP admin area:
- Log in to the VestaCP admin panel (https://srv1.mysterydata.com:8083) and accept the browser’s SSL warning (the panel is still using its self-signed certificate at this point)
- Go to the WEB section and click EDIT, which appears when you hover the mouse over the hostname/subdomain
- Under Aliases, remove everything from the box, e.g. www.srv1.mysterydata.com
- Scroll down to the “SSL Support” check box at the bottom, check it, and then check “Lets Encrypt Support”
- Finally, click the SAVE button. When the Let’s Encrypt certificate has been installed successfully for the hostname, the changes are saved without any error and you see the message: “Changes have been saved.”
We’ve done 90% of the setup now. The next step is just to add the Let’s Encrypt certificate to the admin login and the mail server. It will be as easy as pie 🙂
Step 2
Installing the Let’s Encrypt certificate for the admin login and the mail server:
Create a cron job file that runs daily:
nano /etc/cron.daily/vestassl
Now add these lines to it, then save and exit:
The script below compares the installed certificate with the source certificate. It installs the certificate and key the first time it runs, and again whenever the source certificate changes.
CENTOS/RHEL:
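#!/bin/bash
# Source: Let's Encrypt certificate and key issued for the hostname
cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
# Destination: certificate and key used for the Vesta admin login and mail server
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# Act only when the installed certificate differs from the source
if ! cmp -s "$cert_dst" "$cert_src"
then
    # Copy Certificate
    cp "$cert_src" "$cert_dst"
    # Copy Keyfile
    cp "$key_src" "$key_dst"
    # Change Permission
    chown root:mail "$cert_dst"
    chown root:mail "$key_dst"
    # Restart Services (portable redirection, so the script also works under sh)
    service vesta restart > /dev/null 2>&1
    service exim restart > /dev/null 2>&1
    service dovecot restart > /dev/null 2>&1
fi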
UBUNTU/DEBIAN :
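#!/bin/bash
# Source: Let's Encrypt certificate and key issued for the hostname
cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
# Destination: certificate and key used for the Vesta admin login and mail server
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# Act only when the installed certificate differs from the source
if ! cmp -s "$cert_dst" "$cert_src"
then
    # Copy Certificate
    cp "$cert_src" "$cert_dst"
    # Copy Keyfile
    cp "$key_src" "$key_dst"
    # Change Permission
    chown root:mail "$cert_dst"
    chown root:mail "$key_dst"
    # Restart Services (portable redirection, so the script also works under sh)
    service vesta restart > /dev/null 2>&1
    service exim4 restart > /dev/null 2>&1
    service dovecot restart > /dev/null 2>&1
fi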
*** Don’t forget to replace the example hostname/subdomain (srv1.mysterydata.com) in the script with your own.
Now make the cron job file executable:
chmod +x /etc/cron.daily/vestassl
Step 3 :
Run the script above from the command line to install the SSL certificate for Vesta and the mail server and restart the services:
sh /etc/cron.daily/vestassl
Although the script above restarts Vesta and the mail services itself, it is also recommended to restart them manually for peace of mind (the mail service is named exim on CentOS/RHEL and exim4 on Ubuntu/Debian):
service vesta restart
service exim4 restart
service dovecot restart
Now log in to the Vesta admin URL. You’ll see that a valid Let’s Encrypt SSL certificate is in use there, and the same certificate is used by the mail server.
https://srv1.mysterydata.com:8083
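An added example, not part of the original tutorial: a hardened variant of the Step 2 cron script that refuses to install when a source file is missing or empty or when the certificate and key do not belong together, and that swaps the files in by atomic rename. The paths and service names are the tutorial's; the function names, the 644/640 file modes and the stderr message are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the tutorial): validate first, then install atomically.
# Paths are the tutorial's; the 644/640 modes are this example's assumption.
cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# True only if the first certificate in file $1 carries the public key of key $2.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_pair SRC_CERT SRC_KEY DST_CERT DST_KEY [OWNER]
# Returns 0 = new pair installed, 1 = already current, 2 = refused.
install_pair() {
    sc=$1 sk=$2 dc=$3 dk=$4 tc= tk=
    [ -s "$sc" ] && [ -s "$sk" ] || return 2              # missing or empty source
    cmp -s "$sc" "$dc" && cmp -s "$sk" "$dk" && return 1  # nothing changed
    pair_matches "$sc" "$sk" || return 2                  # cert and key differ
    # Stage beside the destination (mktemp creates mode 600) so mv is a rename.
    tc=$(mktemp "$dc.XXXXXX") || return 2
    tk=$(mktemp "$dk.XXXXXX") || { rm -f "$tc"; return 2; }
    cat "$sc" > "$tc" && cat "$sk" > "$tk" && chmod 644 "$tc" && chmod 640 "$tk" ||
        { rm -f "$tc" "$tk"; return 2; }
    if [ -n "${5:-}" ]; then
        chown "$5" "$tc" "$tk" || { rm -f "$tc" "$tk"; return 2; }
    fi
    # Key first: the certificate comparison only reports "current" once both moved.
    mv -f "$tk" "$dk" && mv -f "$tc" "$dc" || { rm -f "$tc" "$tk"; return 2; }
}

main() {
    rc=0
    install_pair "$cert_src" "$key_src" "$cert_dst" "$key_dst" root:mail || rc=$?
    case $rc in
        0) for svc in vesta exim dovecot; do   # exim4 on Ubuntu/Debian
               service "$svc" restart > /dev/null 2>&1
           done ;;
        1) ;;
        *) echo "vestassl: source cert/key missing or mismatched, kept current pair" >&2 ;;
    esac
}

main
```

Because a refusal is written to stderr instead of being discarded, cron can report it to the administrator, and the services keep running on the previously installed pair.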