1

Topic: How to setup PositiveSSL digital certificate from Comodo (solved)

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Centos 6.6
- Related log if you're reporting an issue:
====

I would like to share this with the community.

I have just purchased a PositiveSSL digital certificate from Comodo.

I received 6 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_name_server.crt
private.key
ServerCertificate.pfx

To install the certificate in iRedMail you must:
1. Backup iRedMail default certificate
cp /etc/pki/tls/certs/iRedMail_CA.pem /etc/pki/tls/certs/iRedMail_CA.pem.Backup
cp /etc/pki/tls/private/iRedMail.key /etc/pki/tls/private/iRedMail.key.Backup

2. Concatenate these three into a single file, in this particular order, and name the result certificate.pem (for example)
cat my_name_server.crt > certificate.pem
cat COMODORSADomainValidationSecureServerCA.crt >> certificate.pem
cat COMODORSAAddTrustCA.crt >> certificate.pem

After concatenation, the file should look like:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

3. Overwrite /etc/pki/tls/certs/iRedMail_CA.pem with certificate.pem
mv -f certificate.pem /etc/pki/tls/certs/iRedMail_CA.pem

4. Overwrite /etc/pki/tls/private/iRedMail.key with private.key
mv -f private.key /etc/pki/tls/private/iRedMail.key

5. Restart iRedMail server to apply changes to all system services (dovecot, postfix, apache, etc...)

Best regards
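
Before steps 3 and 4 overwrite the live certificate and key, the concatenated file can be checked for chain order and for a matching private key. This is an added example, not part of the original post: the function names and the demo PKI (`Demo Root`, `mail.example.test`) are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Names are chained via openssl's subject/issuer hashes; signatures are not verified.

# Split concatenated PEM file $1 into $2/cert-1.pem, $2/cert-2.pem, ...
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$1"
}

# Succeeds only if every block parses and each cert's issuer is the next cert's subject.
chain_in_order() {
    local dir n=0 f subj prev_issuer="" rc=0
    dir=$(mktemp -d) || return 2
    split_chain "$1" "$dir"
    while [ -f "$dir/cert-$((n + 1)).pem" ]; do
        n=$((n + 1)); f="$dir/cert-$n.pem"
        subj=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || { rc=1; break; }
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then rc=1; break; fi
        prev_issuer=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || { rc=1; break; }
    done
    [ "$n" -gt 0 ] || rc=1
    rm -rf "$dir"
    return "$rc"
}

# Succeeds only if private key $1 and the first certificate in $2 share a public key.
key_matches_cert() {
    local kp cp
    kp=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cp=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kp" ] && [ "$kp" = "$cp" ]
}

# Constructed three-level demo PKI in directory $1, reusing the thread's file names.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj "/CN=Demo Root" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" &&
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout private.key -out leaf.csr -subj "/CN=mail.example.test" &&
      openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out my_name_server.crt -days 1
    ) >/dev/null 2>&1
}

# Usage: sh check.sh certificate.pem private.key
if [ "$#" -eq 2 ]; then chain_in_order "$1" && key_matches_cert "$2" "$1" && echo "chain and key OK"; fi
```

A file whose parts were joined without a trailing newline (so that an END line and the next BEGIN line are fused) fails `chain_in_order`, as does a file with the certificates in the wrong order.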


2

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

for step 2. you could simply do:

cat my_name_server.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > certificate.pem

3

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Thanks for sharing. :)

4

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Has anyone successfully done this with Debian Jessie and PGSQL?

When I follow this, Roundcube & admin are inaccessible via its IP and accounts are inaccessible to clients (timing out).

Any pointers on how to troubleshoot this?

5

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Jon,

We have a tutorial for you:
http://www.iredmail.org/docs/use.a.boug … icate.html

6

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Zhang,

Thanks for this, I have followed this tutorial in the past when using Let's Encrypt certs and all worked fine.

For some reason the Comodo one is causing me trouble. I'll spin up a fresh server and re-try it.

7

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Jon Bellamy wrote:

Hi Zhang,

Thanks for this, I have followed this tutorial in the past when using Let's Encrypt certs and all worked fine.

For some reason the Comodo one is causing me trouble. I'll spin up a fresh server and re-try it.

I tried it again with a fresh install of apache/mySQL/debian jessie and the same thing.

Is there a reputable combination of cert that is proven to work? Let's Encrypt's 3 month renewal doesn't work for us.

8

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

I'm confused.

You should generate a key file and submit to your SSL vendor to sign it, then you should get one cert file and one bundle file from SSL vendor. You don't need to modify any of them, just copy them to proper directory, then update Postfix/Dovecot/Apache/Nginx config files to use them. That's it. Your first post in this thread implies that you modified them.

Jon Bellamy wrote:

Is there a reputable combination of cert that is proven to work? Let's Encrypt's 3 month renewal doesn't work for us.

Let's Encrypt works fine with Postfix/Dovecot/Apache/Nginx/..., why doesn't it work for you? You can renew it before it expires, then restart services.

9

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:

I'm confused.

You should generate a key file and submit to your SSL vendor to sign it, then you should get one cert file and one bundle file from SSL vendor. You don't need to modify any of them, just copy them to proper directory, then update Postfix/Dovecot/Apache/Nginx config files to use them. That's it. Your first post in this thread implies that you modified them.

Jon Bellamy wrote:

Is there a reputable combination of cert that is proven to work? Let's Encrypt's 3 month renewal doesn't work for us.

Let's Encrypt works fine with Postfix/Dovecot/Apache/Nginx/..., why doesn't it work for you? You can renew it before it expires, then restart services.

I followed the instructions to copy the concatenated file to the location of iRedMail_CA.pem. However, that file doesn't exist under a Debian installation. Under these instructions I should have to modify Postfix, Dovecot etc, just reboot. However, when I reboot I cannot even reach the admin panel via its IP.

10

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Instead of replacing the ssl cert/key generated by iRedMail, you can simply copy to same (or different) directory, then update Postfix/Dovecot/... config files to use the correct one.

11

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:

Instead of replacing the ssl cert/key generated by iRedMail, you can simply copy to same (or different) directory, then update Postfix/Dovecot/... config files to use the correct one.

I have tried this. Same result.

Connections to the server “mail.xxxxx.com” on the default ports timed out.

Where I used the concatenated pem file instead of iRedMail.crt in Dovecot and Postfix.

I didn't add the bundle line to postfix as I don't have one.

12

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Jon Bellamy wrote:

I didn't add the bundle line to postfix as I don't have one.

Then add it manually.

I configured SSL with different SSL vendors many times, all work fine. There must be some wrong steps in your setup.
It's very simple: copy your ssl key, cert, bundle files to server, then update config files to use them. That's it.

13

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

ZhangHuangbin wrote:
Jon Bellamy wrote:

I didn't add the bundle line to postfix as I don't have one.

Then add it manually.

I configured SSL with different SSL vendors many times, all work fine. There must be some wrong steps in your setup.
It's very simple: copy your ssl key, cert, bundle files to server, then update config files to use them. That's it.

Comodo don't give you a bundle file.

14 (edited by Frankstar 2017-01-06 02:25:17)

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Well, you don't need the bundle file at all.

Copy the files to the correct locations

SSLCertificateFile -> /etc/pki/tls/certs/yourcertname.crt
SSLCertificateKeyFile -> /etc/pki/tls/private/yourprivatekeyname.key
SSLCACertificateFile -> /etc/pki/tls/certs/yourcacertname.crt

If you get a single file from Comodo, split it into separate files.
If you get an email with the certs in plain text -> copy them into files.

And so on.

And then adjust services (CentOS as example)

/etc/httpd/conf.d/ssl.conf
/etc/dovecot/dovecot.conf   
/etc/postfix/main.cf

15

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

How can I install PositiveSSL digital certificate from Comodo?

I received 4 files:

AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt
SectigoRSADomainValidationSecureServerCA.crt
yourcacertname.crt

Which folder are the files copied to?

I copied 4 files to /etc/pki/tls/certs

How can I concatenate these three into a single file?
I try commands cat yourcacertname.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
catyourcacertname.crt  COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt  > certificate.pem

Return: No such file or directory

16

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

Hi Iliya,

Does this tutorial help?
https://docs.iredmail.org/use.a.bought. … icate.html

17

Re: How to setup PositiveSSL digital certificate from Comodo (solved)

I tried this tutorial but nothing worked. How to install this certificate step by step?