This post describes my journey to have a fully working Let’s Encrypt set of automatically renewed certificates for my Apache-hosted websites, Postfix email server, and Dovecot IMAP server running on Ubuntu 16.04.1 LTS. Strangely, all descriptions I found online so far either talked about setting Let’s Encrypt client from git repositories or didn’t provide any clarity on how to deploy multiple certificates for multiple virtual sites or didn’t have any details on how to generate and renew certificates for Postfix and Dovecot or how to do so in a way that is compatible with DANE.

My starting point is a working Apache with 3 name-based virtual sites (including this one!), Postfix that dispatches emails for those websites, and Dovecot that provides IMAPS access to mailboxes. All of those already work over SSL using certificates from CAcert. For those unfamiliar with it, CAcert is a free Certificate Authority, but with two major limitations:

  1. Its Root CA isn’t installed by default in most places – one needs to manually go to CAcert, download and install root certificates to avoid error messages due to an untrusted certificate. Let’s Encrypt, in contrast, is supported pretty much everywhere.
  2. CAcert certificates are valid for 6 months and require manual renewal. While Let’s Encrypt certificates are valid for only 90 days, they can be automatically renewed, removing the headache, especially for multiple certificates

I also have SPF, DNSSEC and DANE records published for most of my domains, with the plan to add DKIM and DMARC, so whatever the setup is, it must not break these technologies.

So let’s do it then.

Step 1: Configuring Apache

First, install all the necessary packages:

sudo apt-get install letsencrypt python-letsencrypt-apache

Next, let’s secure apache named virtual sites. Mind, you, I am a control freak when it comes to what is happening on my server, so I did this in two steps:

letsencrypt certonly –apache -t -m <my-email> -d schipka.com -d www.schipka.com -d webmail.schipka.com -d smtp.schipka.com -d imap.schipka.com

smtp.schipka.com and imap.schipka.com will be required for configuring Postfix and Dovecot correspondingly. When asked to choose which host to use to authenticate those two domains, just choose an existing virtual host for main domain – schipka.com in my case. Then follow with:

letsencrypt install -t –redirect –hsts –uir –cert-path /etc/letsencrypt/live/schipka.com/cert.pem –key-path /etc/letsencrypt/live/schipka.com/privkey.pem –fullchain-path /etc/letsencrypt/live/schipka.com/fullchain.pem

Make sure you specify which virtual hosts you’d like secured in an interactive shell.

I’ll let you read about all of those options – or you can trust me they are good, as long as all of your website contents can be served over HTTPS. If you have parts of website that can only be served over HTTP (why?.. it is 21st century after all!), then remove “–redirect –hsts –uir” options from the above command line.

Of course, as a result, DANE record for schipka.com, www.schipka.com and webmail.schipka.com got broken. No worries, as long as CSR stays the same, we can fix it. For that, go to a fantastic site for generating TLSA records, leave default options, paste your public certificate (contents of /etc/letsencrypt/live/schipka.com/cert.pem in my case), enter port 443 and website schipka.com. It’ll generate the right TLSA record for you, which can then be published on your DNS hoster (in my case, another brilliant free DNS provider 1984Hosting). Do so for each subdomain of your domain, including your postfix and dovecot domains. If you are paranoid (and it is good to be paranoid sometimes), go and check that your website DANE record is correct. You won’t be able to verify your postfix TLSA – not yet. Remember, though: each time you change the list of domains secured by the certificate, you’ll have to re-generate TLSA records!

Repeat that for all of your domains, run

systemctl reload apache2

And you’re done!

Step 2: Configuring Postfix

It should be plain sailing from here on – as long as you generated the certificate above correctly! Just edit your /etc/postfix/main.cf to make sure that:

  • your banner SMTP server name is one of the domains from above. In my case, it is smtp.schipka.com
  • your smtpd_tls_* settings are similar to this:

smtpd_tls_key_file=/etc/letsencrypt/live/schipka.com/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/schipka.com/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/schipka.com/fullchain.pem

Run

systemctl reload postfix

And you should be able to go the same checker as above to validate your Postfix settings. Don’t forget to choose SMTP as STARTTLS Application!

Step 3: Configuring Dovecot

Simple. Edit /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/schipka.com/cert.pem
ssl_key = </etc/letsencrypt/live/schipka.com/privkey.pem

systemctl reload dovecot

And go to check your dovecot install – all should be well as long as TLSA records are ok.

Step 4: Automating Renewals

Surprisingly, this isn’t as straight-forward as it could be, specifically, for two reasons:

  1. smtp.schipka.com and imap.schipka.com are not configured as ServerAlias for Apache plugin
  2. Using –standalone mode with –tls-sni-01-port <port1> –http-01-port <port2> is problematic due to the need to open port mapping to map inbound port1 and port2 to your Ubuntu server on whatever router you use and making sure your local firewall also allows it

It is your choice what solution works better for you. As I don’t mind smtp.schipka.com and imap.schipka.com serving my website, but I do mind keeping two inbound ports open on my router all the time, all I’ve done is add both as ServerAlias to my main Apache site configuration and tested that all is going to be ok by running:

letsencrypt renew –dry-run

Once that is done, all that was left to do was to create a script called “letsencrypt” in /etc/cron.weekly:

#!/bin/sh
/usr/bin/letsencrypt renew

That’s it, all done!

I hope someone finds this useful.