Add SSL certificate to Kerio via CLI [message #132027] Wed, 28 September 2016 16:55
ikheetleon (Messages: 21, Registered: January 2008)
Since I'm starting to switch from StartCom to Let's Encrypt, I would like to know if it's possible to add SSL certificates (and intermediate certificates) to Kerio via the CLI. I'm running CentOS 6 with Kerio 9.1.1.

I've already tried to add the .key and .crt files to the sslcert directory in the store. I've also added the intermediate certificate to the sslca directory. But after a restart, they don't show up in the GUI list.

When I add them manually it works just fine.

Since the certificates of Let's encrypt are only valid for 90 days, I would like to automate this.

I do however see a difference between adding a new certificate/domain to Kerio and renewing the certificate.

Let's say I just want to renew an existing certificate. Would it be fine to replace the original file with a new one and restart Kerio?
Re: Add SSL certificate to Kerio via CLI [message #132034 is a reply to message #132027] Wed, 28 September 2016 17:58
j.a.duke (Messages: 187, Registered: October 2006)
A little googling of "kerio connect Let's encrypt" turned up:

https://herrbischoff.github.io/security/2016/02/02/Using-Lets-Encrypt-with-Kerio-Connect.html

I suspect you can adapt this for CentOS (I haven't tried it yet, but will likely once I get my CentOS 7 box working).

Cheers,
Jon
Re: Add SSL certificate to Kerio via CLI [message #132039 is a reply to message #132034] Thu, 29 September 2016 08:49
ikheetleon (Messages: 21, Registered: January 2008)
I already found that solution, but that's still not automated.

"Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set it as active."

I want the SSL part to be unattended.
Re: Add SSL certificate to Kerio via CLI [message #132049 is a reply to message #132039] Thu, 29 September 2016 15:34
j.a.duke (Messages: 187, Registered: October 2006)
ikheetleon wrote on Thu, 29 September 2016 02:49
I already found that solution, but that's still not automated.

"Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set it as active."

I want the SSL part to be unattended.

I do believe you missed this section:

Quote:
Renewal
Just run:

./letsencrypt-auto certonly --keep-until-expiring -d mail.example.com
You may want to put this in a cronjob to run every 30 days or so. If the certificate is close to expiring, it will be renewed automatically, otherwise it will be kept until the next run.


You only need the GUI for selecting the active cert (which you should only need to do once).

That solves most of the problem for 99% of those of us running Connect.

Cheers,
Jon
Re: Add SSL certificate to Kerio via CLI [message #134792 is a reply to message #132027] Fri, 24 March 2017 20:43
koos147 (Messages: 3, Registered: July 2011, Location: Nederland)
WARNING: this script will uninstall your whole mail server.
During the installation it shows "stopping kerio-connect", but after this there is no mail server anymore. The whole software package is gone!
Re: Add SSL certificate to Kerio via CLI [message #135006 is a reply to message #132027] Wed, 05 April 2017 10:32
LEWA (Messages: 1, Registered: May 2012, Location: Germany)
Hello,
please replace "hxxp" in this message with "http". I am NOT ALLOWED to post links xD

For those who would like to add Let's Encrypt support to Kerio running under Windows Server, here is how to manage it.

1a. Download xampp and only install Apache. (hxxps://www.apachefriends.org)
1b. Download letsencrypt-win-simple and extract it to C:\letsencrypt-win-simple (hxxps://github.com/Lone-Coder/letsencrypt-win-simple/releases)

2a: Add "ServerName <<your-mailserver-fqdn>>:80" to c:\xampp\apache\conf\httpd.conf
2b: Optionally change the SSL port in "C:\xampp\apache\conf\extra\httpd-ssl.conf" to, for example, 444 instead of 443 (so that no errors occur).

3. Disable Port 80 in Kerio Services in the Admin Interface (Port 4040)

4. Test Apache with "C:\xampp\apache_start.bat", try to access hxxp://<<your-mailserver-fqdn>>:80, stop apache with "C:\xampp\apache_start.bat"

If 4 is successful, clean the htdocs folder of Apache in order to minimize risks.

5. Then test the cert creation.

"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs" --test
Follow the instructions at the prompt of the exe-file.

6. If this is successful, create the certificates (without --test). Say YES to create the daily task to check and renew the certificates. You'll need it later. You should also use the same user for renewing as for creation.
"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs"

They are then located here:
C:\Users\<<username>>\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

7. Copy the %DOMAINNAME%-key.pem and %DOMAINNAME%-crt.pem from this folder to a location of your choice and rename them to %DOMAINNAME%.key and %DOMAINNAME%.crt.
Import them via the Kerio Admin Interface ONCE and then activate the certificate.
The certificates are now located here: C:\Program Files (x86)\Kerio\MailServer\sslcert
You will need the file names of the certificate and key.

8. Try to access hxxps://<<your-mailserver-fqdn>> ... perhaps try to close and reopen the browser or press STRG+F5.

9. If 8 is successful, it is time to automate the rest:

10. Create a batch file under "C:\letsencrypt-win-simple". Content at the end of this post!

11. Modify the created task which runs daily:
Program: C:\Windows\SysWOW64\cmd.exe
Arguments: /c "C:\letsencrypt-win-simple\!!your-batch-file!!.bat"
Execute in: C:\letsencrypt-win-simple

12. After 61 days... check C:\letsencrypt-win-simple\results-xcopy.log to verify that the new certificates were copied correctly and that the certificates are delivered correctly by Kerio!

------

The content of the batch file may be like:
:: Description: Start Apache, renew certificates, copy and rename the two files, stop Apache.
:: I think it is not necessary to restart the Kerio mail server...
:: Please check the log file results-xcopy.log after 61 days!!!

:: IMPORTANT! CHANGE THIS TO THE CORRECT VALUES!
set "APACHE_START=C:\xampp\apache_start.bat"
set "APACHE_STOP=C:\xampp\apache_stop.bat"
set "KERIOSSLCERTPATH=C:\Program Files (x86)\Kerio\MailServer\sslcert"
set "KERIOSSLCRTNAME=serverXXX.crt"
set "KERIOSSLKEYNAME=serverXXX.key"
set "LETSENCRYPTCERTPATH=C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org"
set "LETSENCRYPTEXEPATH=C:\letsencrypt-win-simple"
set "DOMAINNAME=my.domainname.com"

echo Step 1... Start Apache...
start /MIN "Start Apache..." CMD /C "%APACHE_START%"
echo Wait 5 seconds for Apache!
:: ping is used as a portable sleep
ping -n 5 127.0.0.1 >NUL 2>&1

echo Step 2... Renew certificates!
cd /D "%LETSENCRYPTEXEPATH%"
"%LETSENCRYPTEXEPATH%\letsencrypt.exe" --renew --baseuri "https://acme-v01.api.letsencrypt.org/"

echo Step 3... Copy new certificates into the corresponding directory
cd /D "%LETSENCRYPTCERTPATH%"
echo %date% >> "%~dp0results-xcopy.log"
:: Only copy newer files (/D) to the Kerio sslcert store, overwriting without prompt (/Y)
:: The asterisk is important! It tells xcopy the destination is a file, not a directory.
xcopy /D /Y %DOMAINNAME%-key.pem "%KERIOSSLCERTPATH%\%KERIOSSLKEYNAME%*" >> "%~dp0results-xcopy.log"
xcopy /D /Y %DOMAINNAME%-crt.pem "%KERIOSSLCERTPATH%\%KERIOSSLCRTNAME%*" >> "%~dp0results-xcopy.log"

echo Step 4... Stop Apache...
start /MIN "Stop Apache..." CMD /C "%APACHE_STOP%"



Have fun! Hope I have not forgotten a step.

[Updated on: Wed, 05 April 2017 10:34]

Re: Add SSL certificate to Kerio via CLI [message #135301 is a reply to message #132027] Tue, 02 May 2017 21:34
chrwei (Messages: 154, Registered: October 2009)
I got it working with nginx based on https://certbot.eff.org/#ubuntuxenial-nginx and https://irulan.net/using-lets-encrypt-with-kerio-connect. Symlinking did not show the cert in the GUI; I had to import the cert and key manually, then replace them with the symlinks like the guide has.

I also had to increase the timeouts based on https://www.scalescale.com/tips/nginx/504-gateway-time-out-using-nginx/. 610 works; the RPC timeout is 10 minutes, plus a few seconds extra for lag.

And also increase the max body per https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size to allow your largest email size + some extra (I just put 100m).

It would be great if the embedded web server would simply allow the ".well-known" folder; then the "webroot" option could be used and the nginx hack skipped.

[Updated on: Tue, 02 May 2017 22:49]

Re: Add SSL certificate to Kerio via CLI [message #135436 is a reply to message #135301] Sat, 13 May 2017 14:28
kiil (Messages: 1, Registered: August 2006)
I set up a way which involves stopping Kerio Connect for a short while and using certbot's standalone method, which does not require a web server. Since I run a nightly backup which necessitates the server being stopped, I am able to slip the setup and its renewal process into my procedure without affecting downtime.

On Debian

1. Get Certbot (substitute the proper URL attribute for "at" - I am not allowed to "use links till I have posted 5 messages")

wget at dl.eff.org/certbot-auto
chmod a+x certbot-auto


2. Run it once without any parameters to check for dependencies.

./certbot-auto


3. Create the Certificate

service kerio-connect stop && ./certbot-auto certonly --standalone -d one.example.com


3a. If there are additional domains, add
" -d two.example.com -d three.example.com -d example.org..."
to the above line.

3b. When running for the first time, a contact email will be asked for. Enter one.

4. Create symlinks of the issued certs so that Kerio Connect can find them:

ln -s /etc/letsencrypt/live/one.example.com/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt

ln -s /etc/letsencrypt/live/one.example.com/privkey.pem /opt/kerio/mailserver/sslcert/mail.key


5. Start Kerio Connect

service kerio-connect start


Access Kerio Connect Admin > Configuration > SSL Certificates, where your new cert will appear. Select it and set it as active. If desired, delete unneeded certs.

Restart your browser to view the certificate.

6. Renew

Create the cron job /etc/cron.d/cert-renew:

nano /etc/cron.d/cert-renew


add:

0 4 * * *  root  { service kerio-connect stop && /root/certbot-auto --standalone renew; service kerio-connect start; } >/dev/null


I take advantage of the fact that I stop my Kerio Connect server daily to run a backup by letting the renew process run before restarting Kerio Connect.

for example:

Quote:
service kerio-connect stop
... the backup action
/root/certbot/certbot-auto --standalone renew
service kerio-connect start

[Updated on: Sun, 14 May 2017 19:09]

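A deploy script in the spirit of the Linux posts in this thread (copy the renewed files over the ones the one-time GUI import created, restart only when something actually changed), added here as an example; it is not code from any poster, from Kerio or from certbot. It assumes a certbot lineage directory with fullchain.pem and privkey.pem, the store at /opt/kerio/mailserver/sslcert, the names mail.crt/mail.key, and that a restart is needed to pick up replaced files; the restart command is a parameter so it can be swapped.

```shell
#!/bin/sh
# Added example: deploy a renewed Let's Encrypt certificate into Kerio Connect's
# sslcert store. Assumptions (not from the thread): the certbot lineage dir holds
# fullchain.pem and privkey.pem; the store already contains mail.crt/mail.key
# from a one-time GUI import, so overwriting them in place is enough.
#
# deploy_kerio_cert LINEAGE_DIR SSLCERT_DIR NAME [RESTART_CMD]
# Exit status: 0 deployed and restart run, 3 nothing changed (no restart), 1 bad input.
deploy_kerio_cert() {
    src="$1"; dst="$2"; name="$3"; restart="${4:-service kerio-connect restart}"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $src" >&2; return 1; }
    [ -d "$dst" ] || { echo "sslcert directory $dst not found" >&2; return 1; }
    changed=0
    # source file : target name : mode (the private key must not be world-readable)
    for spec in "fullchain.pem:$name.crt:644" "privkey.pem:$name.key:600"; do
        in="$src/${spec%%:*}"; rest="${spec#*:}"
        out="$dst/${rest%%:*}"; mode="${rest#*:}"
        # Same intent as xcopy /D in the Windows post: leave unchanged files alone
        if [ -f "$out" ] && cmp -s "$in" "$out"; then
            continue
        fi
        # Write beside the target, then rename, so Kerio never reads a partial file
        tmp="$out.tmp.$$"
        if cp "$in" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$out"; then
            changed=1
        else
            rm -f "$tmp"; echo "failed to install $out" >&2; return 1
        fi
    done
    if [ "$changed" -eq 0 ]; then
        echo "$name: certificate and key unchanged, no restart needed"
        return 3
    fi
    echo "$name: files replaced, restarting Kerio Connect"
    sh -c "$restart"
}

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; when invoked that
# way, deploy into the default store (the store path is an assumption).
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_kerio_cert "$RENEWED_LINEAGE" /opt/kerio/mailserver/sslcert mail
fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh`; unlike the symlink approach, a copy also survives Kerio rewriting or deleting entries in its store.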
Re: Add SSL certificate to Kerio via CLI [message #136170 is a reply to message #135006] Mon, 17 July 2017 13:50
mwgbr (Messages: 41, Registered: June 2012)
Thank you LEWA.
Re: Add SSL certificate to Kerio via CLI [message #140005 is a reply to message #135436] Wed, 30 May 2018 14:42
grolon (Messages: 3, Registered: March 2011, Location: Paraguay)
Thanks for sharing, great post!
Re: Add SSL certificate to Kerio via CLI [message #140165 is a reply to message #132027] Thu, 14 June 2018 02:56
noise (Messages: 22, Registered: August 2008, Location: Switzerland)
Does anyone have a guide for OS X and Kerio?
Re: Add SSL certificate to Kerio via CLI [message #144055 is a reply to message #140165] Fri, 28 September 2018 16:09
kadybee (Messages: 12, Registered: March 2012, Location: Gold Coast, Australia)
There is another option outlined here using acme.sh:

http://forums.kerio.com/?t=msg&goto=140741&0/7cca17467240f2e797e24529f4d4383b/
Re: Add SSL certificate to Kerio via CLI [message #144135 is a reply to message #144055] Sat, 06 October 2018 02:55
noise (Messages: 22, Registered: August 2008, Location: Switzerland)
kadybee wrote on Fri, 28 September 2018 16:09
There is another option outlined here using acme.sh:

http://forums.kerio.com/?t=msg&goto=140741&0/7cca17467240f2e797e24529f4d4383b/


Thx

Has anyone tested this with OS X?

Re: Add SSL certificate to Kerio via CLI [message #144146 is a reply to message #132027] Mon, 08 October 2018 12:12
Maerad (Messages: 224, Registered: August 2013)
You can't add it as its own certificate in an easy way. But you don't need to. Generate a certificate with Kerio, get a service running on the machine to obtain the Let's Encrypt cert, and overwrite the existing cert in Kerio's cert folder with your Let's Encrypt one using a cron job or batch file. That's it.
Re: Add SSL certificate to Kerio via CLI [message #144148 is a reply to message #144146] Mon, 08 October 2018 12:40
dr_bw (Messages: 5, Registered: August 2018)
@noise: acme.sh works under OSX as well. If your DNS provider offers a supported API, it's really quick and painless to generate a wildcard cert and you save yourself the reverse proxy on the Connect server. Sample process (for Cloudflare, but should be similar for other providers) is here:

kb.virtubox.net/knowledgebase/how-to-issue-wildcard-ssl-certificate-with-acme-sh-nginx/