
Quick installation of SSL certificate from StartSSL in iRedMail mail server

In day-to-day use of the iRedMail mail server you have to replace the SSL certificates, both at initial installation and at the annual renewal. This post describes the process of replacing iRedMail's SSL certificates with ones from StartSSL and offers a script that automates all the necessary steps.

If you are interested, read on.

UPD: as of 30 October 2016 these instructions are out of date because of changes made by the developers of the iRedMail package.

About iRedMail

There have already been several posts on Habr describing this mail server: here and here.

In short, it is a free, open-source mail server with a web interface, built on Postfix + Dovecot + SpamAssassin + ClamAV + Roundcube. iRedMail is easy to install and works out of the box.

A little bit about StartSSL

The process of obtaining a free certificate from StartSSL has also been described on Habr. I would note that StartSSL recently changed its design; in my opinion it has become more pleasant and simpler.

More important for me, though, is that a year ago StartSSL would not let you validate a third-level domain without also controlling the second-level domain, and now it does. That is, previously the system would not send the confirmation code to an address such as postmaster@subdomain.domain.com; any third-level domain had to be confirmed from postmaster@domain.com.

Now to the point.

Installing SSL certificate from StartSSL

As an example we will use example.com as the domain name. Starting material:

  1. example.com.key (passphrase-protected RSA key)
  2. example.com.txt (file containing the passphrase for the RSA key)
  3. example.com.zip (archive with the certificates, downloaded from StartSSL)

Put these files in one directory and unpack the certificates (the StartSSL archive contains a nested ApacheServer archive with the PEM files). No chmod is needed here: unzip creates the files readable already, and making the working directory world-writable, as the original chmod -R 777 did, would let any local user swap the certificate before it is installed.

 unzip -o ./example.com.zip -d ./example.com
 unzip -o ./example.com/ApacheServer -d ./example.com/ApacheServer

Re-serialise the issuer (intermediate) and domain certificates from the archive as PEM and concatenate them, server certificate first, which is the order Postfix, Dovecot and Apache expect in a combined file. The files in the ApacheServer archive are already PEM, so this step mainly confirms that each file parses as a certificate; the -text option used originally only adds a human-readable dump in front of each PEM block, which the PEM parsers skip, so it is left out. Note that openssl x509 processes only the first certificate in a file: if your bundle contains more than one, concatenate the .crt file directly instead.

 openssl x509 -in ./example.com/ApacheServer/1_root_bundle.crt -outform PEM -out ./example.com/ApacheServer/1_root_bundle.pem
 openssl x509 -in ./example.com/ApacheServer/2_example.com.crt -outform PEM -out ./example.com/ApacheServer/2_example.com.pem
 cat ./example.com/ApacheServer/2_example.com.pem ./example.com/ApacheServer/1_root_bundle.pem > ./iRedMail_CA.pem
 chmod 644 ./iRedMail_CA.pem

Copy the resulting chain into /etc/ssl/certs/ under the names iRedMail expects. After copying, change the owner of the PostgreSQL copy.

 \cp ./iRedMail_CA.pem /etc/ssl/certs/iRedMail_CA.pem
 chmod 644 /etc/ssl/certs/iRedMail_CA.pem
 \cp ./iRedMail_CA.pem /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem
 chmod 600 /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem
 chown postgres:postgres /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem

Strip the passphrase from the RSA key, since the services must load it unattended at boot. Two details matter here: read the passphrase with -passin file: rather than pass:$(cat ...), which would expose it in ps output and in the shell history; and set a private umask, otherwise the decrypted key is created world-readable (0644 under the usual 022 umask).

 (umask 077; openssl rsa -in ./example.com.key -outform PEM -out ./example.com.key.unprotected -passin file:./example.com.txt)

Copy the resulting key into /etc/ssl/private/ under the names iRedMail expects, and change the owner of the PostgreSQL copy. Postfix, Dovecot and Apache all open the key as root at startup, before dropping privileges, so the main copy should be 0600 root:root rather than world-readable; if some other service running unprivileged turns out to need it, grant access by group, not by making the key readable by everyone. Remove the decrypted copy from the working directory afterwards.

 \cp ./example.com.key.unprotected /etc/ssl/private/iRedMail.key
 chown root:root /etc/ssl/private/iRedMail.key
 chmod 600 /etc/ssl/private/iRedMail.key
 \cp ./example.com.key.unprotected /etc/ssl/private/iRedMail_PostgreSQL.key
 chmod 600 /etc/ssl/private/iRedMail_PostgreSQL.key
 chown postgres:postgres /etc/ssl/private/iRedMail_PostgreSQL.key
 rm -f ./example.com.key.unprotected

Restart services:

 service postgresql restart
 service postfix restart
 service dovecot restart
 service apache2 restart

Check that the services come back up and that each one presents the new certificate rather than the old one it may still hold in memory.
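Before overwriting the live files and restarting, it is worth checking that the material actually belongs together: that the passphrase-protected key matches 2_example.com.crt, that the certificate verifies against the StartSSL bundle, and that it is not about to expire; and after the restart, that every service presents the new certificate. The shell script below is an added example written for this page, not code from the original post, iRedMail or StartSSL. It assumes the file layout used above (example.com.key, example.com.txt, ApacheServer/1_root_bundle.crt and 2_example.com.crt) and needs only the openssl command-line tool; its function names (key_matches_cert, chain_verifies, cert_valid_for_days, build_chain, served_fingerprint), the script name precheck.sh and the host name mail.example.com are assumptions of the example.

```shell
#!/bin/bash
# Added example for this page; not code from the original post, iRedMail or
# StartSSL. Pre-install checks on the material used above: <domain>.key
# (passphrase-protected), <domain>.txt (its passphrase) and the unpacked
# ApacheServer/ directory with 1_root_bundle.crt and 2_<domain>.crt. Needs
# only the openssl command-line tool; every function name here is assumed.
set -eu

# SubjectPublicKeyInfo (PEM) taken from a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public half of a private key. "$2" is an optional passphrase file; the
# file: form keeps the passphrase out of ps output, unlike pass:$(cat ...).
key_pubkey() {
  if [ -n "${2:-}" ]; then
    openssl pkey -in "$1" -pubout -passin "file:$2"
  else
    openssl pkey -in "$1" -pubout
  fi
}

# Exit 0 when key "$1" belongs to certificate "$2" ("$3": passphrase file).
# Both sides must parse; two unreadable files must not compare as "equal".
key_matches_cert() {
  local k c
  k=$(key_pubkey "$1" "${3:-}" 2>/dev/null) || return 1
  c=$(cert_pubkey "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 when certificate "$1" chains to the CA bundle "$2". openssl verify
# also consults the system trust store, so a bundle holding only the
# intermediate still verifies as long as the OS trusts the root.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Exit 0 when certificate "$1" is still valid "$2" days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of the first certificate in a file.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint of the certificate a live service presents. "$3" is an optional
# STARTTLS protocol (smtp, imap, pop3) for ports that are not TLS-on-connect.
served_fingerprint() {
  local host=$1 port=$2 proto=${3:-}
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    ${proto:+-starttls "$proto"} </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run the three checks for <domain> (file layout of the post) and write the
# server-first chain file to "$2"; "$3" is the minimum remaining validity in
# days (default 30). Nothing is written unless every check passes.
build_chain() {
  local domain=$1 out=$2 min_days=${3:-30}
  local dir="./${domain}/ApacheServer"
  local leaf="${dir}/2_${domain}.crt" bundle="${dir}/1_root_bundle.crt"
  key_matches_cert "./${domain}.key" "$leaf" "./${domain}.txt" \
    || { echo "${domain}.key does not match ${leaf}" >&2; return 1; }
  chain_verifies "$leaf" "$bundle" \
    || { echo "${leaf} does not verify against ${bundle}" >&2; return 1; }
  cert_valid_for_days "$leaf" "$min_days" \
    || { echo "${leaf} expires within ${min_days} days" >&2; return 1; }
  # Server certificate first, then the issuing chain: the order Postfix,
  # Dovecot and Apache expect. Created under a private umask, then opened
  # up, so there is no window in which the file is world-writable.
  (umask 077 && cat "$leaf" "$bundle" > "$out")
  chmod 644 "$out"   # the combined file holds public certificates only
}

# Command-line use: ./precheck.sh --check example.com ./iRedMail_CA.pem [days]
if [ "${1:-}" = "--check" ] && [ $# -ge 3 ]; then
  build_chain "$2" "$3" "${4:-30}"
fi
```

Run build_chain example.com ./iRedMail_CA.pem in the directory holding the StartSSL files; it writes the combined file only when all three checks pass, so the copy and restart steps can be made conditional on its exit status. After the restart, served_fingerprint mail.example.com 25 smtp (likewise 587 smtp, 143 imap, or 993 and 443 with no protocol argument) should print the same value as cert_fingerprint /etc/ssl/certs/iRedMail_CA.pem; a service that still prints the old fingerprint has not reloaded its certificate.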

To automate all of the above, combine everything into a single script, with $domain as the only variable. Compared with the step-by-step version it stops at the first failed command, so a broken archive or a wrong passphrase never leaves half of the files replaced, and it keeps the intermediate files in a private temporary directory instead of /tmp/ssl (a directory the original never created, so its cat would have failed).

 #!/bin/bash
 set -eu
 domain=example.com
 work=$(mktemp -d)   # private (0700) scratch directory for the chain and the decrypted key
 
 unzip -o ./${domain}.zip -d ./${domain}
 unzip -o ./${domain}/ApacheServer -d ./${domain}/ApacheServer
 
 # Re-serialise both certificates (fails if a file is not a certificate) and
 # concatenate them server-certificate-first.
 openssl x509 -in ./${domain}/ApacheServer/1_root_bundle.crt -outform PEM -out ./${domain}/ApacheServer/1_root_bundle.pem
 openssl x509 -in ./${domain}/ApacheServer/2_${domain}.crt -outform PEM -out ./${domain}/ApacheServer/2_${domain}.pem
 cat ./${domain}/ApacheServer/2_${domain}.pem ./${domain}/ApacheServer/1_root_bundle.pem > ${work}/iRedMail_CA.pem
 
 \cp ${work}/iRedMail_CA.pem /etc/ssl/certs/iRedMail_CA.pem
 chmod 644 /etc/ssl/certs/iRedMail_CA.pem
 \cp ${work}/iRedMail_CA.pem /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem
 chmod 600 /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem
 chown postgres:postgres /etc/ssl/certs/iRedMail_CA_PostgreSQL.pem
 
 # Decrypt the key into the scratch directory; the passphrase is read from the
 # file rather than put on the command line, where ps would show it.
 openssl rsa -in ./${domain}.key -outform PEM -out ${work}/${domain}.key.unprotected -passin file:./${domain}.txt
 \cp ${work}/${domain}.key.unprotected /etc/ssl/private/iRedMail.key
 chown root:root /etc/ssl/private/iRedMail.key
 chmod 600 /etc/ssl/private/iRedMail.key
 \cp ${work}/${domain}.key.unprotected /etc/ssl/private/iRedMail_PostgreSQL.key
 chmod 600 /etc/ssl/private/iRedMail_PostgreSQL.key
 chown postgres:postgres /etc/ssl/private/iRedMail_PostgreSQL.key
 rm -rf ${work}
 
 service postgresql restart
 service postfix restart
 service dovecot restart
 service apache2 restart

I would be glad if this script is useful to someone. Thanks for reading.


Source: https://habr.com/ru/post/276319/
