How to add SSL certificates to existing server.

Issue #24 resolved
Robin Van Cauter created an issue

I have an existing installation running the latest image and I'm trying to install certificates using letsencrypt.org.

It generated my certificates (all .pem files) and now I'm trying to symlink them into my docker data folder.

The main problem I'm having is that I have no idea what names it should be having;

In ../data/ssl I am able to find 5 files:

  • ca.crt
  • dh1024.pem
  • server.crt
  • server.key
  • README.md

According to that README there should be some other files in there as well (chain.crt).

Letsencrypt provides me with the following:

  • ca.pem - ca public keys (https://letsencrypt.org/certificates/)
  • privkey.pem - private key (generated)
  • cert.pem - server certificate only (generated)
  • chain.pem - all certificates except server cert (Apache) (generated)
  • fullchain.pem - all certificates including server cert (Nginx) (generated)

How do the two different namings and files translate to each other? I've tried trial and error, but without much luck.

It also looks like poste.io is replacing the ca.crt every time I restart the docker instance.

I would rather not use the GUI function because it requires having all of the files on my computer, while LetsEncrypt.org opts for automation (the certs are only valid for 90 days, but with their CLI tool you can automate the renewal process).

Maybe an idea, but you might actually be able to integrate LetsEncrypt with poste.io such that you generate a browser-trusted cert instead of a self-signed cert. (It only launched today, in open beta, so it might still need some polish, but I think it's already possible to entirely automate that process.)

Thanks for the quick help previously, btw.

Comments (4)

  1. SH repo owner

    It should be:

    ca.pem = ca.crt

    server.crt = cert.pem

    server.key = privkey.pem

    But I have not yet tested LE certs; there might not be a problem with the webserver, but there are also dovecot & the smtp server which use these certs.

    dh1024.pem - these are pregenerated Diffie-Hellman parameters, no need to change this file (chain.crt is not in the ssl folder anymore, I'll remove it from the readme).

    There will definitely be letsencrypt support in the near future!

  2. Robin Van Cauter reporter

    Thanks for the info!

    I changed all the files accordingly, but it doesn't seem to work.

    It looks as if the ca.crt is being replaced on restarting the docker instance, as it goes from 1675 bytes to 1310 bytes after starting the docker instance.

    Not sure if it is necessary to restart the instance to load in the new certs.

    The browser still reports using a cert from 1/12/2015 (the day I created this docker instance).

    Any ideas on how to get around this until there's official support for LE / cert settings in server.ini or something like that?

  3. Alfie Barber

    Hi @analogic, I've got my whole back end set up working with SSL no problems, which is fantastic, and I've replaced the files within my /data/ssl as you have suggested, but maybe I've done something wrong. When I run checktls (https://www.checktls.com/perl/live/TestReceiver.pl) everything checks off, but I get:

    [001.987] Certificate 1 of 2 in chain:

    serialNumber= 2

    subject= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=mail.mydomain.com

    issuer= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=mail.mydomain.com

    [001.988] Certificate 2 of 2 in chain:

    serialNumber= df:9a:94:bc:40:f0:4f:5e

    subject= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=mail.mydomain.com

    issuer= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=mail.mydomain.com

    [001.988] Cert VALIDATION ERROR(S): self signed certificate in certificate chain

    [001.988] So email is encrypted but the recipient domain is not verified

    [001.988] Cert Hostname VERIFIED (mail.mydomain.com = mail.mydomain.com | EMAIL:postmaster@mail.mydomain.com)

    -- Obviously mail.mydomain.com is replaced with my real domain. I'm at a loose end here, maybe it's the way I made the CA? Or is there an issue? Thanks in advance :)
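The file mapping the repo owner gives in comment 1, together with the kind of chain check checktls performs in comment 3, as an added shell example that is not part of this thread or of poste.io. It assumes a certbot-style directory containing privkey.pem, cert.pem and chain.pem, a target directory that is the container's mounted /data/ssl, and that Let's Encrypt's chain.pem (the intermediate CA certificate) is what goes into ca.crt; the function and path names are the example's own. The chain check reports the same condition checktls flagged above (a server certificate that only chains to a self-signed, untrusted CA) before the container is restarted, so a broken install is caught locally rather than by the next inbound mail server.

```shell
#!/bin/sh
# Added example, not poste.io code. Copies Let's Encrypt files into the poste.io
# data/ssl directory under the names given in this thread and then checks the result.
# Assumed layout: LE_DIR = certbot "live/<domain>" directory, SSL_DIR = mounted /data/ssl.

# install_le_certs LE_DIR SSL_DIR
#   privkey.pem -> server.key, cert.pem -> server.crt, chain.pem -> ca.crt
install_le_certs() {
    le_dir="$1"; ssl_dir="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$le_dir/$f" ] || { echo "missing $le_dir/$f" >&2; return 1; }
    done
    mkdir -p "$ssl_dir" || return 1
    # Copies rather than symlinks: a symlink pointing at a host path outside the
    # mounted data directory dangles inside the container.
    cp "$le_dir/privkey.pem" "$ssl_dir/server.key" || return 1
    cp "$le_dir/cert.pem"    "$ssl_dir/server.crt" || return 1
    cp "$le_dir/chain.pem"   "$ssl_dir/ca.crt"     || return 1
    chmod 600 "$ssl_dir/server.key"
    return 0
}

# check_ssl_dir SSL_DIR
#   0: key matches the certificate and the certificate chains to a trusted root via ca.crt
#   1: a check failed (e.g. self-signed chain, mismatched key)
#   2: openssl is not installed, nothing was checked
check_ssl_dir() {
    ssl_dir="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping checks" >&2; return 2; }
    # Compare SubjectPublicKeyInfo of key and cert; works for RSA and EC keys alike.
    key_pub=$(openssl pkey -in "$ssl_dir/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$ssl_dir/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    # ca.crt is treated as the intermediate(s); trust must come from the system root store,
    # which is exactly what a remote mail server or checktls requires.
    openssl verify -untrusted "$ssl_dir/ca.crt" "$ssl_dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to a trusted root via ca.crt" >&2; return 1; }
    openssl x509 -noout -subject -issuer -dates -in "$ssl_dir/server.crt"
}

# show_presented_chain HOST
#   Prints the subject/issuer of each certificate your own SMTP server actually sends
#   over STARTTLS on port 25 (assumed port), i.e. what checktls reported above.
show_presented_chain() {
    openssl s_client -starttls smtp -connect "$1:25" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ +[si]:'
}

# Usage (paths are placeholders):
#   install_le_certs /etc/letsencrypt/live/mail.example.test /path/to/data/ssl \
#       && check_ssl_dir /path/to/data/ssl
#   show_presented_chain mail.example.test
```

If check_ssl_dir passes but show_presented_chain still lists the QSMTPD self-signed pair, the running container has not picked up the new files yet, which matches the file-replacement behaviour the reporter observed on restart.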
