Installing Certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dandydingo.com, bikesafewa.com.au

I ran this command:

It produced this output:

My web server is (include version): None

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot-1.22.0-1.el8.noarch

Hi All

I am running multiple servers. The first one is my router/gateway, running ClearOS (192.168.0.1). All required ports are forwarded to the mail server (192.168.0.2). Mail is flowing and I can retrieve mail without problems. The issue I am having is that the certs reside on 192.168.0.1 and not on 192.168.0.2. When I renew my certs (certbot runs as a cron job automatically daily), I have to copy the certs to my /etc/postfix/certs/cert.pem, chain.pem, fullchain.pem and privkey.pem. However, once this is done, despite reloading postfix, I still get errors on my Outlook clients.

I would love to streamline this and stop the errors on the MS Outlook clients

if you can script the operations you want, you can add a --deploy-hook option to your certbot invocation, that will run your script each time your certificate is renewed.

2 Likes

I'm a bit of a novice here, could you explain please?

I'm not familiar with ClearOS, but assuming your internal network is safe, can't you terminate the TLS connections already on your router and do everything without TLS to your mailserver?

Although I guess that's not a very good option, as mailservers are often configured to refuse logins from insecure connections. Not sure how easy it is to bypass that, although it's probably possible with Postfix.

As for your copying and Postfix not seeing the correct certificates: make sure the copied files are actually the correct ones using openssl x509 -noout -text </path/to/cert.pem and make sure the paths in main.cf are also correct.

1 Like
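The two suggestions above (a `--deploy-hook` script that pushes the renewed files to the mail server, and checking the copied files with `openssl x509`) fit together in one script. The following is an added example, not code from the thread or from Certbot; it assumes the router is the machine running certbot, that it has key-based SSH access as root to the mail server at 192.168.0.2, and that Postfix reads its certificates from /etc/postfix/certs as described in the first post. Certbot sets `RENEWED_LINEAGE` (the /etc/letsencrypt/live/&lt;name&gt; directory) in the environment of a deploy hook; the script refuses to deploy unless cert.pem and privkey.pem actually belong together, which is the usual cause of "reloaded Postfix but clients still complain":

```shell
#!/bin/sh
# Hypothetical deploy hook (example, not from the thread). Register it with:
#   certbot renew --deploy-hook /usr/local/sbin/push-certs-to-mail.sh
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook after a successful renewal.
set -eu

MAIL_HOST="${MAIL_HOST:-192.168.0.2}"                 # mail server from the thread
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/postfix/certs}"  # Postfix cert path from the thread

# Return 0 if the public key inside CERT matches the private key in KEY.
# Comparing public keys catches a stale privkey.pem copied next to a fresh cert.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT is still valid SECONDS seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the SHA-256 fingerprint of CERT (AA:BB:... form), used to confirm that
# the file on the mail server is the one that was just renewed.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

deploy() {
    lineage="$1"
    cert_matches_key "$lineage/cert.pem" "$lineage/privkey.pem" || {
        echo "refusing to deploy: cert.pem and privkey.pem do not match" >&2
        return 1
    }
    cert_valid_for "$lineage/cert.pem" 86400 || {
        echo "refusing to deploy: certificate expires within a day" >&2
        return 1
    }
    # Copy the four files Postfix references (resolving the live/ symlinks).
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        scp -p "$lineage/$f" "root@$MAIL_HOST:$MAIL_CERT_DIR/$f"
    done
    # Keep the private key unreadable to others, then tell Postfix to reload.
    ssh "root@$MAIL_HOST" "chmod 600 $MAIL_CERT_DIR/privkey.pem && postfix reload"
    # Verify the remote copy is byte-for-byte the certificate we just sent.
    remote=$(ssh "root@$MAIL_HOST" \
        "openssl x509 -in $MAIL_CERT_DIR/cert.pem -noout -fingerprint -sha256 | sed 's/^.*=//'")
    [ "$remote" = "$(cert_fingerprint "$lineage/cert.pem")" ]
}

# Only deploy when invoked by certbot (RENEWED_LINEAGE set); sourcing the file
# elsewhere just defines the functions and touches no server.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

The same `cert_matches_key` check can be run by hand on the mail server against /etc/postfix/certs/cert.pem and privkey.pem; if it fails, Postfix will load the files without complaint but clients will reject the handshake, which matches the symptom in the first post. If the fingerprint comparison at the end fails, the copy landed somewhere other than the path in main.cf.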

OK.

ClearOS is simply a RH/CentOS distro with apps attached to achieve perimeter security (iptables, snort, fail2ban).

iptables rules set to forward all the ports to the mail server (at this stage)

I've put in a dirty work around.

The cron job that does the renewal shuts down the httpd server, does the renewals and restarts the httpd server.

Done!

You can use the webroot plugin, or you can make the httpd server reverse proxy to the renewal server.

3 Likes
