1

Topic: What webroot for certbot?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0951
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
What should I specify for webroot?
I want to obtain letsencrypt certs, but I'm using cloudflare for some domains. The only way to obtain certs for cloudflare-enabled sites is by using certbot.
Should it be /var/www ?
But there are no sites there.


2

Re: What webroot for certbot?

Default is /var/www or /var/www/html. You can test by visiting your web site with a web browser.

3

Re: What webroot for certbot?

ZhangHuangbin wrote:

Default is /var/www or /var/www/html. You can test by visiting your web site with a web browser.

How do I do this?
/etc/nginx/conf.d/00-default.conf has:

root /var/www

/etc/nginx/sites-enabled/default has:

root /var/www/html

nginx -V

returns:

... --prefix=/usr/share/nginx ... 

Template files for roundcube and iredadmin lead to /opt/www with sogo being somewhere I can't figure.
I am confused. The only sites I have are the default installations of roundcube, sogo and iredadmin and I want to obtain certs for these.

4

Re: What webroot for certbot?

iRedMail uses /etc/nginx/conf.d/, not /etc/nginx/sites-enabled/. So on your system it is /var/www.
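
Added example, not part of the original thread: one way to answer "which root is nginx actually using?" is to read the effective configuration from `nginx -T` and then drop a probe file where certbot's `--webroot` mode writes its challenge files. The function names and the sample `nginx -T` output below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `nginx -T` output on stdin and print "<config file>: <root>" for every
# active root directive. `nginx -T` prefixes each loaded file with
# "# configuration file <path>:"; files nginx never includes do not appear.
list_roots() {
    awk '
        /^# configuration file / { f = $4; sub(/:$/, "", f); next }
        /^[ \t]*root[ \t]/       { r = $2; sub(/;$/, "", r); print f ": " r }
    '
}

# Create a probe file where certbot --webroot writes HTTP-01 challenge files
# and print the URL path to request. Fetching http://<your-host><path> must
# return "webroot-ok" if the given webroot is the directory nginx really serves.
make_probe() {
    dir="$1/.well-known/acme-challenge"
    name="probe-$$"
    mkdir -p "$dir" || return 1
    echo "webroot-ok" > "$dir/$name" || return 1
    echo "/.well-known/acme-challenge/$name"
}

# Constructed sample of `nginx -T` output: only conf.d is included, and the
# commented-out root must be ignored.
sample_nginx_T() {
cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/00-default.conf:
server {
    listen 80;
    server_name _;
    # root /usr/share/nginx/html;
    root /var/www;
}
EOF
}

# Demo on the constructed sample. On a real host run instead:
#   nginx -T 2>/dev/null | list_roots
sample_nginx_T | list_roots
```

Delete the probe file once the check is done; the directory itself is the one certbot reuses for its challenge files.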

5

Re: What webroot for certbot?

ZhangHuangbin wrote:

iRedMail uses /etc/nginx/conf.d/, not /etc/nginx/sites-enabled/. So on your system it is /var/www.

Yes, it worked, but I had to move my domains away from cloudflare. I had followed their own instructions, but couldn't come to terms. Not much good for a mail server anyway.
I used the following command:

letsencrypt certonly --webroot -w /var/www/ --renew-by-default --email xxx@gmail.com --text --agree-tos -d mail.east-central.eu -d www.east-central.eu -d east-central.eu -d mail.domain2.pl -d mail.domain3.pl

I also made nginx read .well-known in the process, which may not have been necessary.
All in all I've got an A-rating from https://www.ssllabs.com/ssltest/analyze … entral.eu, so I guess it's not bad.
I had tried to make a 2048-bit key for DKIM, but had got errors.
Would I need to have changed

"new_domain.com"  => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },

accordingly?

6

Re: What webroot for certbot?

Akiba wrote:

I had tried to make a 2048-bit key for DKIM, but had got errors.

If you don't show us the error message, I'm afraid no one can help troubleshoot.
For DKIM signing, check our tutorial:
http://www.iredmail.org/docs/sign.dkim. … omain.html