Overview
This article explains how to deploy a Let’s Encrypt SSL certificate in Kerio Connect.
Note: The documented process below relates to the certbot certificate creation process and not the integrated Let's Encrypt Certificate feature added within the 9.4 release of Kerio Connect. For information about the integrated process, see Setting up the Let's Encrypt SSL certificate in Kerio Connect 9.4.
Prerequisites
- Kerio Connect installed on any Debian-based distro (e.g., Ubuntu, Debian)
- Access to Kerio Connect Webadmin and server
Process
- Modify the HTTP/HTTPS services to start manually on ports 8800 and 8843. The standard ports 80/443 will be used by Let’s Encrypt: Certbot needs ports 80 and 443 to verify the domain and obtain the certificate.
- Create a webroot directory using the following commands:
mkdir -p /var/www/mail
chown www-data:www-data /var/www/mail
- Install Nginx and SSL-cert packages with the following command:
sudo apt-get install nginx ssl-cert
- Create a file called /etc/nginx/sites-available/kerio-connect.conf with the content below. In the following command we use the Nano text editor; you can use any other editor.
nano /etc/nginx/sites-available/kerio-connect.conf
server {
    listen 80;
    server_name <mail.example.com>;
    server_name_in_redirect off;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name <mail.example.com>;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    location /.well-known {
        alias /var/www/mail/.well-known;
    }
    location / {
        proxy_pass https://localhost:8843;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
Note: Replace <mail.example.com> with your real Kerio Connect hostname.
- Link the file to make it an active site:
ln -s /etc/nginx/sites-available/kerio-connect.conf /etc/nginx/sites-enabled/kerio-connect.conf
- Check that the configuration is correct. If there are no errors, restart the Nginx service:
nginx -t
systemctl restart nginx.service
- Get Certbot: download the certbot-auto script and make it executable by running the following commands:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
- Run it once without any parameters to check its dependencies:
./certbot-auto
- Once prompted, confirm your email address, hostname, etc. If everything is correct, you should see a Congratulations! message at the end.
- Create a certificate. Replace <mail.example.com> with your hostname.
./certbot-auto certonly --webroot -w /var/www/mail -d <mail.example.com>
- Link the Let's Encrypt certificate into the Kerio Connect sslcert folder:
ln -s /etc/letsencrypt/live/<mail.example.com>/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt
ln -s /etc/letsencrypt/live/<mail.example.com>/privkey.pem /opt/kerio/mailserver/sslcert/mail.key
- Log in to Kerio Connect Webadmin and navigate to Configuration > SSL Certificates to check the Let’s Encrypt SSL certificate. Right-click the required certificate and set it as Default.
- (Optional) If you cannot see the Let’s Encrypt certificate, try restarting the Kerio Connect service:
service kerio-connect restart
- To renew the Let’s Encrypt SSL certificate, run the following command:
./certbot-auto renew
- Let’s Encrypt certificates expire every 90 days, so it is better to automate renewal by creating a simple shell script and a cron task.
- Copy certbot-auto to the /usr/local/bin folder:
cp certbot-auto /usr/local/bin/
- Create a script file /root/certbot-post-hook.sh with the following content:
nano /root/certbot-post-hook.sh
#!/bin/sh
systemctl restart nginx.service
systemctl restart kerio-connect.service
- Make it executable and secure it:
chmod 500 /root/certbot-post-hook.sh
chown root:root /root/certbot-post-hook.sh
- Create a cron job file /etc/cron.d/certbot with the following content:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 3 * * * root perl -e 'sleep int(rand(3600))' && certbot-auto -q renew --post-hook "/root/certbot-post-hook.sh"
- This entry runs once a day at 3:00 AM as root, sleeps for a random delay of up to an hour (rand(3600) seconds), and then runs Certbot. The --post-hook parameter is executed only if the certificate was replaced, effectively restarting Nginx and Kerio Connect only when needed.
Confirmation
An SSL certificate signed by a CA (certificate authority, in this case Let's Encrypt) should now be successfully deployed to your Kerio Connect.
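A post-deployment sanity check, added here as an example (not part of the original article or of Kerio Connect itself): it confirms that mail.crt and mail.key resolve to the Let's Encrypt live files, that the certificate and private key belong together, and how many days remain before expiry, so a failed or partial renewal is caught before the services are restarted. The paths and the mail.example.com hostname are assumptions taken from the steps above; override them with KERIO_SSLDIR and LE_LIVE.

```shell
#!/bin/sh
# Example sanity check for the Let's Encrypt deployment described above.
# Assumed paths follow the article; mail.example.com is a placeholder hostname.
KERIO_SSLDIR="${KERIO_SSLDIR:-/opt/kerio/mailserver/sslcert}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/mail.example.com}"

# 0 if mail.crt/mail.key in $1 are symlinks to fullchain.pem/privkey.pem in $2
# and both targets are readable (a dangling link leaves Kerio with no cert).
links_resolve() {
    [ "$(readlink -f "$1/mail.crt")" = "$(readlink -f "$2/fullchain.pem")" ] || return 1
    [ "$(readlink -f "$1/mail.key")" = "$(readlink -f "$2/privkey.pem")" ] || return 1
    [ -r "$1/mail.crt" ] && [ -r "$1/mail.key" ]
}

# 0 if the certificate ($1) and private key ($2) carry the same public key.
# Restarting Kerio Connect with a mismatched pair breaks every TLS handshake.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Whole days until the certificate's notAfter date (negative once expired).
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end=$(date -d "$not_after" +%s)   # GNU date, as shipped on Debian/Ubuntu
    echo $(( (end - $(date +%s)) / 86400 ))
}

# Run every check against the configured paths; 0 only if all of them pass.
check_deployment() {
    links_resolve "$KERIO_SSLDIR" "$LE_LIVE" || { echo "symlinks do not resolve"; return 1; }
    cert_key_match "$KERIO_SSLDIR/mail.crt" "$KERIO_SSLDIR/mail.key" \
        || { echo "certificate and key do not match"; return 1; }
    days=$(days_until_expiry "$KERIO_SSLDIR/mail.crt")
    echo "certificate valid for $days more days"
    [ "$days" -gt 0 ]
}

# Only run the checks when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_deployment
    exit $?
fi
```

Running `sh check-kerio-cert.sh --check` at the top of certbot-post-hook.sh (exiting on failure) keeps a broken renewal from restarting Kerio Connect with an unusable certificate pair.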