In our previous guides, we saw how to install and configure iRedMail Server. The default installation of iRedMail generates and installs a self-signed SSL certificate for the mail services (POP3/IMAP/SMTP over TLS) and for HTTPS access to the webmail services.
When using a self-signed certificate, you will often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from an SSL certificate provider or to get a free Let’s Encrypt certificate.
In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server must have a public IP address and a DNS record pointing to that IP.
Step 1: Obtain Let’s Encrypt Certificate
Install the certbot tool, which will be used to obtain a Let’s Encrypt SSL certificate.
# Install certbot on Ubuntu /Debian
sudo apt update && sudo apt install certbot
# Install certbot on CentOS / Rocky
sudo yum -y install epel-release
sudo yum -y install certbot
After installing certbot, set shell variables holding the email address and the domain of the iRedMail server; the commands that follow reference them.
DOMAIN="mail.computingforgeeks.com"
EMAIL="[email protected]"
Stop the Nginx service so that certbot can bind to port 80 for the HTTP challenge.
sudo systemctl stop nginx
Then obtain a free Let’s Encrypt certificate for the iRedMail mail server.
sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
On success, certbot prints the paths to your certificate and private key.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.computingforgeeks.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.computingforgeeks.com/privkey.pem
Your cert will expire on 2023-06-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Step 2: Replace iRedMail Self-signed Certificates
Rename the self-signed iRedMail.crt certificate and iRedMail.key private key, keeping them as .bak backups.
sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}
Create symlinks so that the iRedMail certificate and key paths point to the Let’s Encrypt certificate chain and private key.
sudo ln -sf /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -sf /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/pki/tls/private/iRedMail.key
Restart the iRedMail server so that all services load the new certificate.
sudo reboot
Step 3: Set Up Automatic Certificate Renewal
Create a cron job to automatically renew the Let’s Encrypt certificate:
sudo crontab -e
# Renew Let's Encrypt certs
15 3 * * * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
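The cron line above only stops and starts Nginx around the renewal; Postfix and Dovecot read the certificate when they start, so they keep serving the old chain until they are reloaded. The following deploy hook, written for this guide and not part of the original post or of iRedMail, verifies that the iRedMail.crt/iRedMail.key symlinks from Step 2 still resolve into the renewed lineage and then reloads the mail services. It assumes the /etc/pki/tls paths used above; check_links and reload_mail_services are names chosen here, while RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --deploy-hook for iRedMail.
# Certbot runs a deploy hook only after a certificate was actually renewed and
# exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/mail.computingforgeeks.com.
# Paths default to the ones used in the guide; override via environment if needed.

CRT=${IREDMAIL_CRT:-/etc/pki/tls/certs/iRedMail.crt}
KEY=${IREDMAIL_KEY:-/etc/pki/tls/private/iRedMail.key}

# check_links LINEAGE CRT KEY
# Succeeds only if both iRedMail symlinks resolve to files inside LINEAGE, i.e. the
# renewed fullchain.pem/privkey.pem are really what Postfix, Dovecot and Nginx load.
check_links() {
    lineage=$(readlink -f "$1") || return 1
    for f in "$2" "$3"; do
        target=$(readlink -f "$f") || { echo "$f does not resolve" >&2; return 1; }
        case "$target" in
            "$lineage"/*) ;;
            *) echo "$f -> $target is outside $lineage" >&2; return 1 ;;
        esac
    done
}

# Postfix and Dovecot load the certificate at startup, so a renewed file on disk is
# not enough: reload them (and Nginx) so the new chain is served immediately.
reload_mail_services() {
    for svc in postfix dovecot nginx; do
        systemctl reload "$svc" || echo "reload of $svc failed" >&2
    done
}

# Entry point when invoked by certbot; does nothing when RENEWED_LINEAGE is unset,
# so the file can also be sourced to exercise check_links by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_links "$RENEWED_LINEAGE" "$CRT" "$KEY" && reload_mail_services
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every executable there after a successful renewal) or pass it with --deploy-hook in the cron line; the pre-hook and post-hook for Nginx stay as they are.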
After adding the Let’s Encrypt SSL certificate, mail client applications (MUAs such as Outlook or Thunderbird) should no longer warn you about an invalid certificate, and neither should the browser when you open the webmail clients.
Ok, but where must I save the domain and email? What path and what kind of file? There is no explanation of it.
Hi Victor,
Can you rephrase the question? I didn’t get your point.
I am running iredmail with more than one domain. How do I install multiple certificates, one per domain?
What???? Just one coffee? Mate, I sent you a couple!! You literally saved my life.
Awesome. Thank you!
My current iRedMail server is behind a reverse proxy (Nginx Proxy Manager) to expose the web interface at 443. Unfortunately it’s still using the self-signed cert for ports 587 and 25, so some self-hosted services like PeerTube and Nextcloud will not allow me to use my iRm email credentials for those configs because of “warning – self-signed cert” errors. How would I resolve this?
Did you confirm that no step missed?