Add SSL certificate to Kerio via CLI [message #132027]
Wed, 28 September 2016 16:55
ikheetleon
Messages: 31 Registered: January 2008
Since I'm starting to switch from StartCom to Let's Encrypt, I would like to know if it's possible to add SSL certificates (and intermediate certificates) to Kerio via the CLI. I'm running CentOS 6 with Kerio 9.1.1.
I've already tried to add the .key and .crt files to the sslcert directory in the store. I've also added the intermediate certificate to the sslca directory. But after a restart, they don't show up in the GUI list.
When I add them manually it works just fine.
Since the certificates of Let's encrypt are only valid for 90 days, I would like to automate this.
I do however see a difference in adding a new certificate/domain to kerio and renewing the certificate.
Let's say I just want to renew an existing certificate. Would it be fine to replace the original file with a new one and restart Kerio?
Re: Add SSL certificate to Kerio via CLI [message #132049 is a reply to message #132039]
Thu, 29 September 2016 15:34
j.a.duke
Messages: 239 Registered: October 2006
ikheetleon wrote on Thu, 29 September 2016 02:49:
    I already found that solution, but that's still not automated.
    "Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set it as active."
    I want the SSL part to be unattended.
I do believe you missed this section:
Quote:
    Renewal
    Just run:
    ./letsencrypt-auto certonly --keep-until-expiring -d mail.example.com
    You may want to put this in a cronjob to run every 30 days or so. If the certificate is close to expiring, it will be renewed automatically, otherwise it will be kept until the next run.
You only need the GUI for selecting the active cert (which you should only need to do once).
That solves most of the problem for 99% of those of us running Connect.
Cheers,
Jon
Re: Add SSL certificate to Kerio via CLI [message #135006 is a reply to message #132027]
Wed, 05 April 2017 10:32
LEWA
Messages: 1 Registered: May 2012 Location: Germany
Hello,
please replace "hxxp" in this message with "http". I am NOT ALLOWED to post links xD
For those who like to add Let's Encrypt Support to Kerio, which runs under Windows Server, here is how to manage it.
1a. Download xampp and only install apache. (hxxps://www.apachefriends.org)
1b. Download letsencrypt-win-simple and extract it to C:\letsencrypt-win-simple (hxxps://github.com/Lone-Coder/letsencrypt-win-simple/releases)
2a: Add "ServerName <<your-mailserver-fqdn>>:80" to c:\xampp\apache\conf\httpd.conf
2b: Optionally change the ssl port in "C:\xampp\apache\conf\extra\httpd-ssl.conf" to for example 444 instead of 443. (so that no errors occur)
3. Disable Port 80 in Kerio Services in the Admin Interface (Port 4040)
4. Test Apache with "C:\xampp\apache_start.bat", try to access hxxp://<<your-mailserver-fqdn>>:80, stop apache with "C:\xampp\apache_start.bat"
If 4 is successful, clean the htdocs folder of Apache in order to minimize risks.
5. Then test the cert creation.
"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs" --test
Follow the instructions at the prompt of the exe-file.
6. If this is successful, create the certificates (without --test). Say YES to create the daily task that checks and renews the certificates. You'll need it later. You should also use the same user for renewing as for creation.
"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs"
They are then located here:
C:\Users\<<username>>\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
7. Copy the %DOMAINNAME%-key.pem and %DOMAINNAME%-crt.pem from this folder to a location of your choice and rename them to %DOMAINNAME%.key and %DOMAINNAME%.crt.
Import it via the Kerio Admin Interface ONCE and then activate the certificate.
The Certificates are now located here: C:\Program Files (x86)\Kerio\MailServer\sslcert
You will need the file name of the certificate and key.
8. Try to access hxxps://<<your-mailserver-fqdn>> ... perhaps try to close and reopen the browser or press Ctrl+F5.
9. If 8 is successful, it is time to automate the rest:
10. Create a batch file under "C:\letsencrypt-win-simple". Content at the end of this post!
11. Modify the created task which runs daily:
Program: C:\Windows\SysWOW64\cmd.exe
Arguments: /c "C:\letsencrypt-win-simple\!!your-batch-file!!.bat"
Execute in: C:\letsencrypt-win-simple
12. After 61 Days... Check the C:\letsencrypt-win-simple\results-xcopy.log if the new certificates are copied correctly and that the certificates are delivered correctly by kerio!
------
The content of the batch file may be like:
:: Description: Start Apache, Renew Certificates, Copy and Rename the two files, stop the apache.
:: I think it is not necessary to restart the Kerio mailserver...
:: Please check after 61 days the log file results-xcopy.log!!!
:: IMPORTANT! CHANGE THIS TO THE CORRECT VALUES!
set "APACHE_START=C:\xampp\apache_start.bat"
set "APACHE_STOP=C:\xampp\apache_stop.bat"
set "KERIOSSLCERTPATH=C:\Program Files (x86)\Kerio\MailServer\sslcert"
set "KERIOSSLCRTNAME=serverXXX.crt"
set "KERIOSSLKEYNAME=serverXXX.key"
set "LETSENCRYPTCERTPATH=C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org"
set "LETSENCRYPTEXEPATH=C:\letsencrypt-win-simple"
set "DOMAINNAME=my.domainname.com"
echo Step 1... Start Apache...
start /MIN "Start Apache..." CMD /C "%APACHE_START%"
echo Wait 5 Seconds for Apache!
ping -n 5 127.0.0.1 >NUL 2>&1
echo Step 2... renew certificates!
cd /D "%LETSENCRYPTEXEPATH%"
"%LETSENCRYPTEXEPATH%\letsencrypt.exe" --renew --baseuri "hxxps://acme-v01.api.letsencrypt.org/"
echo Schritt 3... Kopiere neue Zertifikate in das Entsprechende Verzeichnis
cd /D "%LETSENCRYPTCERTPATH%"
echo %date% >> "%~dp0results-xcopy.log"
:: Only copy newer files to the kerio sslcert store
:: The Asterisk is important!
xcopy /D /Y %DOMAINNAME%-key.pem "%KERIOSSLCERTPATH%\%KERIOSSLKEYNAME%*" >> "%~dp0results-xcopy.log"
xcopy /D /Y %DOMAINNAME%-crt.pem "%KERIOSSLCERTPATH%\%KERIOSSLCRTNAME%*" >> "%~dp0results-xcopy.log"
echo Step 4...Stop Apache...
start /MIN "Stop Apache..." CMD /C "%APACHE_STOP%"
Have fun. I hope I have not forgotten a step.
[Updated on: Wed, 05 April 2017 10:34]
Re: Add SSL certificate to Kerio via CLI [message #135436 is a reply to message #135301]
Sat, 13 May 2017 14:28
kiil
Messages: 1 Registered: August 2006
I set up a way which involves stopping Kerio Connect for a short while and using certbot's standalone method, which does not require a web server. Since I run a nightly backup which necessitates the server being stopped, I am able to slip the setup and its renewal process into my procedure without adding downtime.
On Debian
1. Get Certbot (substitute the proper URL attribute for "at" - I am not allowed to "use links till I have posted 5 messages")
wget at dl.eff.org/certbot-auto
chmod a+x certbot-auto
2. Run it once without any parameters to check for dependencies.
3. Create the Certificate
service kerio-connect stop && ./certbot-auto certonly --standalone -d one.example.com
3a. If there are additional domains, add
" -d two.example.com -d three.example.com -d example.org..." to the above line
3b. When running for the first time, a contact email will be asked for. Enter one.
4. Create symlinks to the issued certs so that Kerio Connect can find them:
ln -s /etc/letsencrypt/live/one.example.com/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt
ln -s /etc/letsencrypt/live/one.example.com/privkey.pem /opt/kerio/mailserver/sslcert/mail.key
5. Start Kerio Connect
service kerio-connect start
Access Kerio Connect Admin > Configuration > SSL Certificates where your new cert will appear. Select it and set as active. If desired delete unneeded certs.
Restart your browser to view the certificate.
6. Renew
Create a cron job /etc/cron.d/cert-renew:
nano /etc/cron.d/cert-renew
and add:
0 4 * * * root { service kerio-connect stop && /root/certbot-auto --standalone renew; service kerio-connect start; } >/dev/null
I take advantage of the fact that I stop my Kerio Connect server daily to run a backup by letting the renew process run before restarting Kerio Connect.
For example:
    service kerio-connect stop
    ... the backup action
    /root/certbot/certbot-auto --standalone renew
    service kerio-connect start
[Updated on: Sun, 14 May 2017 19:09]
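An added example, not code from the thread, from Kerio or from certbot: a certbot deploy hook for the Debian setup above that copies fullchain.pem and privkey.pem into the sslcert directory kiil points his symlinks at, refusing a chain that does not carry the intermediate (the OP's question about where intermediates go: with fullchain.pem they travel inside the .crt) or a key file that is not a PEM key, installing both files atomically with owner-only permissions on the key, and restarting kerio-connect only when the content actually changed. The RENEWED_LINEAGE variable and the --deploy-hook option are real certbot features; the sslcert path, the file name "mail" and the "service kerio-connect" commands are taken from the thread, and the idea that Kerio keeps serving a pair once it has been imported and activated in the GUI is an assumption carried over from Maerad's and kiil's posts.

```sh
#!/bin/sh
# Added example (not from the thread): certbot --deploy-hook that installs a
# renewed Let's Encrypt pair into Kerio Connect's sslcert directory and
# restarts the service only when the files changed.
# Assumptions: certbot exports RENEWED_LINEAGE to deploy hooks (it does);
# Kerio serves /opt/kerio/mailserver/sslcert/<name>.crt and <name>.key once
# that pair was imported/activated in the GUI (paths from kiil's post).
# Usage:  certbot renew --deploy-hook /usr/local/sbin/kerio-deploy-cert.sh
set -eu

KERIO_SSLCERT="${KERIO_SSLCERT:-/opt/kerio/mailserver/sslcert}"
KERIO_NAME="${KERIO_NAME:-mail}"

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none/missing).
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# is_private_key FILE: succeeds if FILE starts with a PEM private-key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$'
}

# validate_pair CHAIN KEY: fullchain.pem must hold leaf + intermediate
# (at least 2 blocks), and KEY must look like a PEM private key.
validate_pair() {
    [ "$(count_certs "$1")" -ge 2 ] || { echo "$1: no intermediate in chain" >&2; return 1; }
    is_private_key "$2" || { echo "$2: not a PEM private key" >&2; return 1; }
}

# install_file SRC DST MODE: copy to a temp file, set MODE, then rename, so
# Kerio never reads a half-written file. Prints 1 if DST changed, 0 if identical.
install_file() {
    src="$1"; dst="$2"; mode="$3"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo 0
        return 0
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"    # replaces a kiil-style symlink with a real file
    echo 1
}

# install_pair CHAIN KEY DESTDIR NAME: validate, then install DESTDIR/NAME.crt
# (0644) and DESTDIR/NAME.key (0600). Prints "changed" or "unchanged"; fails
# without touching DESTDIR when validation fails.
install_pair() {
    chain="$1"; key="$2"; dest="$3"; name="$4"
    validate_pair "$chain" "$key" || return 1
    c=$(install_file "$chain" "$dest/$name.crt" 0644)
    k=$(install_file "$key" "$dest/$name.key" 0600)
    if [ "$c" = 1 ] || [ "$k" = 1 ]; then echo changed; else echo unchanged; fi
}

main() {
    lineage="$RENEWED_LINEAGE"
    result=$(install_pair "$lineage/fullchain.pem" "$lineage/privkey.pem" "$KERIO_SSLCERT" "$KERIO_NAME")
    echo "kerio cert $KERIO_NAME: $result"
    # A renewal run that changed nothing must not interrupt mail service.
    [ "$result" = changed ] && service kerio-connect restart
    return 0
}

# Act only when certbot invoked us; sourcing the file just defines the functions.
[ -n "${RENEWED_LINEAGE:-}" ] && main
```

Because the hook copies instead of linking, the first run turns kiil's symlinks into plain files and later runs compare content with cmp before rewriting; the restart is skipped entirely when certbot's renewal was a no-op, which is the common case for a daily cron job.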
Re: Add SSL certificate to Kerio via CLI [message #144146 is a reply to message #132027]
Mon, 08 October 2018 12:12
Maerad
Messages: 275 Registered: August 2013
You can't add it as its own certificate in an easy way. But you don't need to. Generate a certificate with Kerio, get a service running on the machine to obtain the Let's Encrypt cert, and overwrite the existing cert in Kerio's cert folder with your Let's Encrypt one using a cron job or batch file. That's it.
Re: Add SSL certificate to Kerio via CLI [message #144148 is a reply to message #144146]
Mon, 08 October 2018 12:40
dr_bw
Messages: 7 Registered: August 2018
@noise: acme.sh works under OSX as well. If your DNS provider offers a supported API, it's really quick and painless to generate a wildcard cert, and you save yourself the reverse proxy on the Connect server. A sample process (for Cloudflare, but it should be similar for other providers) is here:
kb.virtubox.net/knowledgebase/how-to-issue-wildcard-ssl-certificate-with-acme-sh-nginx/