Installing Let's Encrypt certificates on Ubuntu 16.04/Nginx and iRedMail

I am having trouble with my site: Ubuntu 16.04 installed fresh, in hosts the hostname is set to , iRedMail installed with nginx, DNS pointed to the IP address, and it kind of works, but with self-signed certs. Certbot will not install them automatically. When I try manually by removing the comments in /etc/nginx/templates/ssl.tmpl, which goes like this:

ssl on;
ssl_protocols TLSv1.2;

# Fix 'The Logjam Attack'.
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;

# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
# For example:
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/ /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/ /etc/ssl/certs/iRedMail.crt
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

the certificates start to work; however, nginx crashes and I am presented with the index page that I set up in nginx instead of the mail client. Putting the #'s back solves the crash but goes back to self-signed certificates. If anyone could help, please do. Thank you in advance.

Hi @Rohirrimus,

Are you saying that you are removing the #? These ones?

# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/ /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/ /etc/ssl/certs/iRedMail.crt 

If the answer is yes, then don't do that: those are the commands you should run as root to link the LE certificates into the right place so iRedMail can read them, but you should NOT remove the # in that file.


Yes, that is what I was saying. But even when I run them as root it does not help; I still have a self-signed key.
I also tried to edit the 00-default-ssl file in sites-available and add
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
but I had no luck as well.

What seems to be the problem when that is done is that the original files and the ones copied into iRedMail.crt and key are the same, but it is still visible as a self-signed key.
Is there maybe a way you could help me with that? Thank you

Could you please run these commands again, as root or with your own user but preceding them with sudo, and paste the output here?

rm -f /etc/ssl/private/iRedMail.key
rm -f /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/ /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/ /etc/ssl/certs/iRedMail.crt
ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt
openssl x509 -in /etc/ssl/certs/iRedMail.crt -noout -text

Hello, the output is as follows:

        Version: 3 (0x2)
        Serial Number: 10016252805842969476 (0x8b00e0dbc8c7a384)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen,, OU=IT,
            Not Before: Jul  5 21:16:36 2018 GMT
            Not After : Jul  2 21:16:36 2028 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen,, OU=IT,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

            X509v3 Basic Constraints:
    Signature Algorithm: sha256WithRSAEncryption

Hi @Rohirrimus,

The certificate is a self-signed one, so either the commands issued to link it to your LE certificate didn't work as expected or iRedMail is recreating the self-signed cert again and again.

Could you please show the output of these commands (all of them):

ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt

openssl x509 -in /etc/letsencrypt/live/ -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
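The two requests above (check that iRedMail.crt and iRedMail.key are symlinks, then read the certificate they point at) can be folded into one diagnostic script. This is an added example, not code from iRedMail, certbot or either poster. It assumes only that the paths are the ones ssl.tmpl reads; the domain directory under /etc/letsencrypt/live is a placeholder you must replace with your own. It distinguishes three failure modes seen in this thread: a link that is not a link (iRedMail regenerating a plain file), a link whose target is not a PEM certificate (the "no start line" error), and a certificate whose issuer equals its subject (self-signed rather than issued by Let's Encrypt).

```shell
#!/bin/sh
# Added diagnostic for the iRedMail / Let's Encrypt linking step (not from
# iRedMail, certbot or the thread). Usage:
#   sh iredmail-cert-check.sh /etc/ssl/certs/iRedMail.crt /etc/ssl/private/iRedMail.key
# Run as root: /etc/ssl/private and /etc/letsencrypt/live are root-only.

# link_ok PATH : 0 if PATH is a symlink that resolves to a readable regular file.
link_ok() {
    _p=$1
    if [ ! -L "$_p" ]; then
        echo "NOT A SYMLINK: $_p (a plain file here is usually a regenerated self-signed cert)"
        return 1
    fi
    # [ -f ] follows the link, so it is false for a dangling symlink.
    if [ -f "$_p" ] && [ -r "$_p" ]; then
        echo "OK: $_p -> $(readlink "$_p")"
        return 0
    fi
    echo "DANGLING: $_p -> $(readlink "$_p")"
    return 1
}

# is_pem_cert FILE : 0 if FILE contains a PEM certificate block; a file
# without this header is what produces "PEM_read_bio:no start line".
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# cert_kind FILE : prints self-signed, ca-issued, not-a-certificate or
# unreadable-certificate. A self-signed cert has issuer == subject.
cert_kind() {
    _f=$1
    if ! is_pem_cert "$_f"; then
        echo "not-a-certificate"
        return 1
    fi
    _issuer=$(openssl x509 -in "$_f" -noout -issuer 2>/dev/null) || {
        echo "unreadable-certificate"
        return 1
    }
    _subject=$(openssl x509 -in "$_f" -noout -subject 2>/dev/null) || {
        echo "unreadable-certificate"
        return 1
    }
    # Strip the "issuer=" / "subject=" prefixes; the same openssl prints both
    # names in the same format, so a plain string compare is enough.
    if [ "${_issuer#issuer=}" = "${_subject#subject=}" ]; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# key_matches_cert KEY CRT : 0 if the public key inside CRT is the one
# derived from KEY (nginx refuses to start when they do not match).
key_matches_cert() {
    _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$_k" = "$_c" ]
}

# report CRT KEY : run every check; returns 1 if anything is wrong.
report() {
    _crt=$1 _key=$2 _rc=0
    link_ok "$_crt" || _rc=1
    link_ok "$_key" || _rc=1
    if [ -r "$_crt" ]; then
        _kind=$(cert_kind "$_crt") || _rc=1
        echo "certificate: $_kind"
        [ "$_kind" = "self-signed" ] && _rc=1
        openssl x509 -in "$_crt" -noout -issuer -dates 2>/dev/null
    fi
    if [ -r "$_crt" ] && [ -r "$_key" ]; then
        if key_matches_cert "$_key" "$_crt"; then
            echo "key/cert: match"
        else
            echo "key/cert: MISMATCH"
            _rc=1
        fi
    fi
    return $_rc
}

if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

A non-zero exit means at least one of the three links in the chain (symlink, PEM file, CA-issued certificate) is broken, and the printed lines say which one, which is the question the thread spends several replies on.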


Sure, thank you for the reply,

ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt
lrwxrwxrwx 1 root root 59 Jul  9 11:13 /etc/ssl/certs/iRedMail.crt -> /etc/letsencrypt/live/
lrwxrwxrwx 1 root root 57 Jul  9 11:13 /etc/ssl/private/iRedMail.key -> /etc/letsencrypt/live/

And the 2nd one is:

root@mailtest ~ # openssl x509 -in /etc/letsencrypt/live/ -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
unable to load certificate
140583000004248:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Thank you in advance for all your help

That is strange; it seems you don't have a certificate for your domain. Are you sure you issued one for

Let's see what is in that path; show the output of these two commands:

namei -mo /etc/letsencrypt/live/

ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/


root@mailtest ~ # namei -mo /etc/letsencrypt/live/
f: /etc/letsencrypt/live/
 drwxr-xr-x root root /
 drwxr-xr-x root root etc
 drwxr-xr-x root root letsencrypt
 drwxr-xr-x root root live
 drwxr-xr-x root root
 -rw-r--r-- root root fullchain.pem

That would be the output of the 1st one, and regarding the 2nd it's:

root@mailtest ~ # ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/
ls: cannot access '/etc/letsencrypt/archive/': No such file or directory
total 4

Thank you for all the help; I hope this will help you help me resolve my issue. Thanks

@Rohirrimus, it seems you have copied the self-signed certificate into /etc/letsencrypt/live/ and it is clear that you have removed the dir /etc/letsencrypt/archive/, and I don't know whether you removed or changed something else… so it seems you messed it up just a bit ;). You have already issued a valid certificate for your domain, so I'm wondering what you did…

Also, you didn't show the entire output of this command:

ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/

My advice: read the iRedMail installation guide carefully and start over, following it step by step to configure it.

The problem is that since I rebuilt the server a few times trying to fix problems with certs, Let's Encrypt didn't want to issue me any more certs, so I got a copy of the ones from before, but they are the same, same domain.


Correct, you have reached the limit of 5 duplicate certificates per 7 days:

CRT ID     CERT TYPE  DOMAIN (CN)              VALID FROM             VALID TO               EXPIRES IN  SANs
576752899  Pre cert  2018-Jul-05 12:21 UTC  2018-Oct-03 12:21 UTC  85 days
576561692  Pre cert  2018-Jul-05 12:17 UTC  2018-Oct-03 12:17 UTC  85 days
576487019  Pre cert  2018-Jul-05 11:17 UTC  2018-Oct-03 11:17 UTC  85 days
575007716  Pre cert  2018-Jul-04 11:29 UTC  2018-Oct-02 11:29 UTC  84 days
574921867  Pre cert  2018-Jul-04 09:25 UTC  2018-Oct-02 09:25 UTC  84 days

You could issue a new certificate for on 2018-Jul-11 10:25 UTC, so you can wait 2 days, or you could override that limit by adding a new domain: if you issue a certificate covering and, for example, you could issue a new cert right now.

It seems you didn't copy the right ones, because you are using the self-signed certificate instead of the one issued by Let's Encrypt.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.