Hi, I have my mail server, Kerio Connect. This generates its own certificate and/or I know how to create one with XCA or Microsoft.
I gained the impression Let’s Encrypt “talks” about Web sites…I do not need that, as such.
I need to create the Certificate to:
Import it to Kerio Connect
Use it when accessing the Web mail interface.
The domain has SPF and DMARC records but the certificate is self signed.
Where can I find the proper instructions for creating and importing this certificate? I repeat, it is not for a web server as such.
The Kerio Connect webmail interface is just a web server like any other. From a high level, the approach to issue and install a certificate is the same as for a standard web server.
The problem you face is that it’s a relatively uncommon task (compared to securing Apache httpd, for example), so you won’t find a documented or turnkey solution as easily. Especially not for Windows. It does not help that the vendor does not offer a first-party solution either.
Thanks, I run Kerio in Windows Server 2016 Datacentre, so I will have to find a way to create the cert and then import.
Nothing runs in Linux at my place.
Both of the posts I tried to draw your attention to are for Windows environments. I’ll cross post the example from the Russian blog:
REM Directory the temporary web server will serve the ACME challenge files from
SET WWWDIR=C:\www
REM Stop Kerio Connect so port 80 is free for the challenge
net stop "Kerio Connect"
REM Start a throwaway web server on port 80 rooted at %WWWDIR%
start miniweb -port 80 -root %WWWDIR%
REM Run the le64 ACME client: it drops the challenge response under %WWWDIR%\.well-known\acme-challenge and fetches the certificate
le64 --key ltsncrpt_acc.key --email "our@email" --csr out_server.csr --csr-key our_server.key --crt our_server.crt --domains "our-domain.ru" --generate-missing --unlink --path C:\www\.well-known\acme-challenge
REM Back up the existing Kerio certificate and key, then install the new pair (commented out in the original post)
REM rename "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.crt" server.crt_old
REM rename "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.key" server.key_old
REM copy our_server.key "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.key"
REM copy our_server.crt "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.crt"
REM Stop the temporary web server and bring Kerio Connect back up
taskkill /IM "miniweb*" /F
net start "Kerio Connect"
If we step through it, we can understand what it does:
Stop the Kerio Connect server
Temporarily start a webserver on port 80 for the purposes of fulfilling the Let’s Encrypt HTTP challenge.
Run the “le64.exe” ACME client to actually issue the certificate, using the temporary webserver to provide a challenge response for Let’s Encrypt’s validation.
Copy the certificate to the Kerio Connect installation directory
Stop the temporary webserver
Start Kerio Connect again.
You would set this batch script up as a scheduled task for every 60 days or so.
Then all you need to do is configure Kerio Connect to use the certificate and private key at the nominated paths. Every time the certificate is renewed, Kerio gets restarted, and the new certificate is used.
I can’t vouch for the script - you’ll probably need to tune the parameters a little, and the certificate file copying seems to be commented out - but it appears to perform the steps needed, in any case, in quite a compact and straightforward way.
Thanks, I will look into this. I do not like to open port 80 on my Fortigate. Only 443 is open at this stage. I have a fortress and am not inclined to open more.
Cheers
That shouldn’t be a problem. You can substitute le64 for lego and do something like:
lego.exe --accept-tos -m 'admin@example.com' --tls -d "example.org" run
which will instead create a temporary challenge response server on port 443.
This means you can get rid of the “miniweb” part of the script, but you’ll also need to copy the certificate and private key from a different path (/.lego) to the Kerio directory.
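The port-443 variant described in the last reply, written out as an added PowerShell example (not code from the thread or from Kerio/lego). It assumes lego.exe is on the PATH, that the hostname and contact address are placeholders to be replaced, and that lego stores the issued pair as `certificates\<domain>.crt` and `.key` under its `--path` directory (lego's default layout); the Kerio `sslcert` paths are the ones quoted earlier in the thread.

```powershell
# Added example: issue a Let's Encrypt certificate for the Kerio Connect webmail host with
# lego's TLS-ALPN-01 challenge on port 443 (no port 80 needed), then install it into Kerio.
# Assumptions: lego.exe on PATH; $Domain/$Email are placeholders; lego writes
# <path>\certificates\<domain>.crt and .key (lego's default layout).
$ErrorActionPreference = 'Stop'

$Domain    = 'mail.example.org'        # placeholder: the webmail hostname
$Email     = 'admin@example.org'       # placeholder: ACME account contact
$LegoPath  = 'C:\acme\lego'            # where lego keeps its account and certificates
$KerioCert = 'C:\Program Files (x86)\Kerio\MailServer\sslcert'  # path quoted in the thread
$Service   = 'Kerio Connect'

# Kerio's webmail owns port 443, so it has to be stopped before lego can answer the challenge.
Stop-Service -Name $Service
try {
    & lego.exe --accept-tos --email $Email --domains $Domain --path $LegoPath --tls run
    if ($LASTEXITCODE -ne 0) { throw "lego failed with exit code $LASTEXITCODE" }

    $NewCrt = Join-Path $LegoPath "certificates\$Domain.crt"
    $NewKey = Join-Path $LegoPath "certificates\$Domain.key"
    if ((-not (Test-Path $NewCrt)) -or (-not (Test-Path $NewKey))) {
        throw "lego exited 0 but $NewCrt or $NewKey is missing; leaving Kerio's current pair in place"
    }

    # Keep the previous pair (timestamped) so a bad issuance can be rolled back by renaming.
    $Stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($Name in 'server.crt', 'server.key') {
        $Old = Join-Path $KerioCert $Name
        if (Test-Path $Old) { Move-Item -Path $Old -Destination "$Old.$Stamp.bak" }
    }
    # The copied key inherits the sslcert folder's ACL, which is what Kerio already relies on.
    Copy-Item -Path $NewCrt -Destination (Join-Path $KerioCert 'server.crt')
    Copy-Item -Path $NewKey -Destination (Join-Path $KerioCert 'server.key')
}
finally {
    # Bring mail back up whether or not issuance succeeded, so a failed run never leaves mail down.
    Start-Service -Name $Service
}
```

Run it from an elevated scheduled task on the same cadence the earlier reply suggests; the try/finally keeps the outage to the few seconds lego needs the port.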