1

Topic: SSL Certificate using Letsencrypt

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I installed Letsencrypt and I now have a green key lock on iredadmin and roundcube.
However, my website (apache) is still showing as not secured. Below is the output from '/etc/httpd/conf/httpd.conf.d/ssl.conf'
after I made the changes:

SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

The last line above is commented out. 

#####

Also below are the certificates from my /etc/letsencrypt/live/mydomain.com

drwxr-xr-x 2 root root  93 Jul 17 20:05 .
drwx------ 3 root root  26 Jul 17 20:05 ..
lrwxrwxrwx 1 root root  36 Jul 17 20:05 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root  37 Jul 17 20:05 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root  41 Jul 17 20:05 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root  39 Jul 17 20:05 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r-- 1 root root 543 Jul 17 20:05 README

Am I missing something?
My system is RHEL 7

Thanks.


2

Re: SSL Certificate using Letsencrypt

jaideyan wrote:

Below is the output from '/etc/httpd/conf/httpd.conf.d/ssl.conf'
after I made the changes:

Is it possible that some other modular Apache config files override your settings in this ssl.conf?

3

Re: SSL Certificate using Letsencrypt

When you ran certbot, did you specify ALL the pages you wanted the certificate to protect? For example,

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

would protect example.com, www.example.com, thing.is, and m.thing.is with the same certificate. If you only specified your mail server hostname "mail.mydomain.com" and wanted "mydomain.com" to be protected, you would have to include that as well.

4 (edited by Waschl 2017-07-25 00:31:16)

Re: SSL Certificate using Letsencrypt

Do you have a directory like /etc/httpd/sites-enabled?

If so, please check whether the configuration files for the standard http and https sites are there. In Debian they are named 000-default.conf and default-ssl.conf. In RHEL I don't know. The config of the certs has to be made in the default-ssl.conf.

Otherwise you have to do it in the vhost for ssl like this:

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        <Directory /var/www/vhosts/yoursite.com/httpsdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
        ServerName yoursite.com
</VirtualHost>

Hope this helps.
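
The check suggested in the replies above (another config file or virtual host overriding ssl.conf), as an added shell example that is not part of the thread: it lists every active SSLCertificate* directive under a config directory together with its file and enclosing <VirtualHost>. The function names, the file name website.conf and the sample tree are constructed for illustration; the certificate paths are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): list active SSLCertificate* directives
# under an Apache config tree, with the file and <VirtualHost> they belong to.

# list_ssl_directives DIR  ->  "file|vhost|directive|value" per line
list_ssl_directives() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            BEGIN { vhost = "(global)" }
            /^[ \t]*#/ { next }                      # commented-out line
            { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
            low ~ /^<virtualhost[ \t]/ {             # remember enclosing vhost
                vhost = line
                sub(/^<[^ \t]+[ \t]+/, "", vhost); sub(/>.*$/, "", vhost)
                next
            }
            low ~ /^<\/virtualhost>/ { vhost = "(global)"; next }
            low ~ /^sslcertificate(file|keyfile|chainfile)[ \t]/ {
                split(line, p, /[ \t]+/)
                print file "|" vhost "|" p[1] "|" p[2]
            }
        ' "$f"
    done
}

# unexpected_certs DIR WANT  ->  SSLCertificateFile entries not equal to WANT
unexpected_certs() {
    list_ssl_directives "$1" | awk -F'|' -v want="$2" \
        'tolower($3) == "sslcertificatefile" && $4 != want'
}

# make_sample_tree DIR: constructed sample config (hypothetical file names)
make_sample_tree() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
EOF
    cat > "$1/conf.d/website.conf" <<'EOF'
<VirtualHost *:443>
    ServerName mydomain.com
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
EOF
}
```

On a real system, point `unexpected_certs` at the Apache configuration directory and the fullchain.pem path you expect every HTTPS virtual host to use. It only reads files ending in .conf, so configuration pulled in under other names by Include directives has to be checked separately.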