GFI Software


acme.sh LetsEncrypt Certs [message #140741] Wed, 29 August 2018 03:12
kadybee
Messages: 12
Registered: March 2012
Location: Gold Coast, Australia
I couldn't see any forum references to using acme.sh to provide SSL certs to Kerio Connect. I have seen the references to installing nginx and certbot, but I'm not a big fan of that solution.

The first issue is that nginx proxies the server requests and (out of the box) loses the original IP address in log records - difficult for troubleshooting. Next, certbot can change the directory where it places updated certs - and their names - so the renewal will fail, requiring changes to the created symlinks.

Acme.sh is, to me, a simpler solution, yet, as outlined here, it does require a stop/start of kerio-connect - which it will do automatically as required and should take less than a minute.

This is obviously for Linux-based servers:

You will need to install: apt-get install socat (for standalone server operation); apt-get install wget

From the install instructions at https://acme.sh, run: wget -O - https://get.acme.sh | sh

That's it. Now construct your single line 'issue' cert command:

/root/.acme.sh/acme.sh --issue -d <your hostname> -d <another hostname> -d <anymore required etc> --pre-hook "service kerio-connect stop" --post-hook "service kerio-connect start" --standalone --fullchain-file /opt/kerio/mailserver/sslcert/mail.crt --key-file /opt/kerio/mailserver/sslcert/mail.key 


While it should be obvious: the pre-hook stops the server before getting the cert; the post-hook starts it again; the --fullchain-file and --key-file options copy the certificate into the Kerio cert directory (not symlinks; the originals remain in the acme.sh folders).

Acme.sh then sets up a cron job to run daily. It should only proceed with the shutdown/restart of kerio-connect IF the cert is due for renewal (on mine the stop/issue/start process takes less than 30 secs - a bit longer the first time you run it, to verify etc.).

Hope that helps.

(NB: I have edited this from my original post, which used --reloadcmd to restart the server. I realised that if there is an error in verification or issue/renew, the script will stop and not run the reloadcmd. The example now contains the restart in --post-hook, which will still run if anything else fails.)

[Updated on: Fri, 28 September 2018 16:05]
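The procedure in the post above, as an added example that is not kadybee's code and not part of acme.sh: a small POSIX shell script that (1) emulates the pre-hook / issue / post-hook ordering the NB relies on, so the "post-hook still runs when the issue fails" behaviour can be exercised with harmless echo hooks and no real CA, and (2) checks the two files that --fullchain-file and --key-file copied into the Kerio directory, confirming the certificate actually belongs to the key and is not about to expire. It assumes openssl is installed; the echo hooks and the /opt/kerio/mailserver/sslcert paths are placeholders for a dry run.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh.
# Assumptions: openssl is on PATH; hooks and cert paths below are placeholders.

# run_with_hooks PRE POST CMD
# Emulates the acme.sh hook ordering: PRE runs first and aborts on failure,
# CMD runs, then POST runs whether or not CMD succeeded (this is the
# difference from --reloadcmd, which only runs after a successful issue/renew).
# Returns CMD's exit status so cron mail or logging still sees the failure.
run_with_hooks() {
    pre=$1; post=$2; cmd=$3
    sh -c "$pre" || return $?
    sh -c "$cmd"
    status=$?
    sh -c "$post"
    return $status
}

# cert_matches_key CRT KEY
# The fullchain and key are copied as two separate files; confirm that the
# certificate's public key is the one derived from the private key, otherwise
# the mail server cannot use the pair.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for_days CRT DAYS
# Succeeds only if CRT is still valid DAYS days from now: a cheap check that
# the daily acme.sh cron job is really renewing, not just running.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Dry run: echo hooks stand in for "service kerio-connect stop|start" and a
# deliberately failing placeholder stands in for the acme.sh --issue command.
main() {
    run_with_hooks "echo '[pre]  stop kerio-connect'" \
                   "echo '[post] start kerio-connect'" \
                   "echo '[issue] placeholder acme.sh --issue, failing'; exit 3"
    echo "issue step returned $? (the post-hook above still ran)"

    # Placeholder paths from the post; checked only if the files exist here.
    crt=/opt/kerio/mailserver/sslcert/mail.crt
    key=/opt/kerio/mailserver/sslcert/mail.key
    if [ -r "$crt" ] && [ -r "$key" ]; then
        cert_matches_key "$crt" "$key"  && echo "cert/key pair matches"
        cert_valid_for_days "$crt" 30   && echo "cert valid for at least 30 days"
    fi
}

main
```

Running the script as-is shows the pre-hook, the failing issue step and then the post-hook, with exit status 3 reported afterwards; acme.sh performs the same ordering internally with --pre-hook and --post-hook, so the wrapper is only there to make the behaviour visible. The two openssl checks are worth dropping into the same daily cron so a renewal that silently stopped working is noticed before the old cert expires.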

