I remember compiling LetsEncrypt from SBo years ago and wading through the dependencies, but lately I've just been using the
acme.sh script (also packaged in .t?z on
SBo). Might be worth a shot, although all I'm doing is basic https key issue/renewal for websites and am not too familiar with sendmail/dovecot/postfix/all that.
My quick n' dirty if you use Apache:
Code:
mkdir /etc/httpd/ssl
acme.sh --issue --apache -d example.com -d www.example.com \
--server letsencrypt \
--cert-file /etc/httpd/ssl/cert.pem \
--key-file /etc/httpd/ssl/key.pem \
--fullchain-file /etc/httpd/ssl/fullchain.pem \
--reloadcmd '/etc/rc.d/rc.httpd restart'
1. custom directory to store keys
2. domains you want keys for
3. acme.sh defaults to zerossl, so this overrides to use LetsEncrypt
4. cert file location
5. key file location
6. fullchain file location
7. command to run after key renewal (httpd needs to restart to reprocess keys, I guess)
The parameters passed to this '--issue' command get stored by acme at a path similar to:
Code:
~/.acme.sh/example.com_ecc/example.com.conf
Now go into /etc/httpd/httpd.conf and uncomment these lines:
Code:
LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
Include /etc/httpd/extra/httpd-ssl.conf
First two lines allow httpd to use ssl
Last line becomes apparent in the next step.
Now go into /etc/httpd/extra/httpd-ssl.conf and change these values:
Code:
SSLCertificateFile "/etc/httpd/ssl/cert.pem"
SSLCertificateKeyFile "/etc/httpd/ssl/key.pem"
SSLCertificateChainFile "/etc/httpd/ssl/fullchain.pem"
Notice these are the values specified in the acme.sh --issue command above.
Now restart httpd and give it a shot! Hopefully I didn't botch the commands.
Also recommend running the following to add a cron job to keep the keys fresh.
Code:
acme.sh --install-cronjob
Sorry for all the extra httpd stuff, but I imagine the main differences for a mail server ultimately come down to giving acme the right file paths to copy keys to, making sure the mail server conf points to those paths, and adjusting the '--reloadcmd' to restart the mail server, if that's required. I imagine you may want to use a mode in the '--issue' command other than '--apache', which is explained on the acme github site linked above. While there is no dovecot or postfix "mode", after a brisk google I've seen that people have done this with dovecot and postfix, at least. So with the acme.sh method you may sacrifice less upfront work (compiling) for more configuration work. Either way, Good luck & Happy slacking
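An added sanity check for after the steps above (example code of my own, not from the post or from acme.sh): it verifies that the key file copied into /etc/httpd/ssl is not group/world readable, that cert.pem and key.pem are a matching pair, that the leaf in fullchain.pem is the same cert, and that the cert is not about to expire (which is what you would see if the cron job stopped running). It assumes the file paths from the --issue command above and that openssl is installed; the script name tls-check.sh is made up.

```shell
#!/bin/sh
# tls-check.sh: post-deployment checks for the cert/key/fullchain files that
# acme.sh --issue copies into the httpd ssl directory (paths from the post above).

# 0 if the file's group and other permission bits are all clear (key must be owner-only).
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the public key inside the certificate equals the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file (openssl reads only the first).
leaf_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Run all checks on cert, key, fullchain; print findings and return nonzero on any failure.
run_checks() {
    rc=0
    key_perms_ok "$2" || { echo "WARN: $2 missing or readable by group/others"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    cert_valid_for_days "$1" 14 || { echo "FAIL: $1 expires within 14 days (is the cron job running?)"; rc=1; }
    fp=$(leaf_fp "$1")
    { [ -n "$fp" ] && [ "$fp" = "$(leaf_fp "$3")" ]; } \
        || { echo "FAIL: first cert in $3 differs from $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2 / $3 are consistent"
    return "$rc"
}

# Invoke as: sh tls-check.sh --run [cert key fullchain]; defaults are the paths from the post.
if [ "${1:-}" = "--run" ]; then
    run_checks "${2:-/etc/httpd/ssl/cert.pem}" "${3:-/etc/httpd/ssl/key.pem}" \
               "${4:-/etc/httpd/ssl/fullchain.pem}"
    exit $?
fi
```

Running it from the same cron that acme.sh installs (or right after the --reloadcmd) catches a renewal that went to the wrong path before browsers start complaining.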