How to Configure/Install Let’s Encrypt SSL on VestaCP Mail Server and Vesta Admin – CentOS and Ubuntu

by Sandy

In this tutorial we’ll cover how to install valid Let’s Encrypt SSL for hostname, vestacp admin (on port 8083) and for mail server. and also configure it to auto renew.

Let’s Encrypt is free CA ssl provider with 99.99% browser compatibility, today we’ll configure Let’s Encrypt ssl for exim mail server under VestaCP. This Days Email servers are very demanding and used for newsletter and personal mailing. VestaCP have full featured email server support but it uses self-sign certificate for mail server and vesta admin login.

Lets Get Started

Step 1 :

IMP : Install VestaCP with proper hostname set (it should be the subdomain of your main domain like for this tutorial I’m using as example) and should have A record DNS pointing to the server IP.

Follow this steps in order to install Let’s encrypt SSL on hostname via Vesta CP admin area :

  1. Login to vestaCP admin ( accept the warning about SSL
  2. Go to WEB section and hit EDIT which will show when you hover the mouse on hostname/subdomain
  3. Under Aliases remove everything from the box. eg.
  4. Navigate below You’ll see “SSL Support” check box mentioned at the bottom , check the box and select/check “Lets Encrypt Support
  5. Finally click on SAVE button. Upon successfully Installation of Let’s encrypt SSL for the hostname the changes will saved without any error message : “Changes have been saved.

We’ve done 90% setup till now, next step will be just adding the Let’s Encrypt certs to admin login and with mail server. It will be easy as a pie 🙂

Step 2

Installing Let’s encrypt cert for admin login and for mail server :-

Creating cron job file to run daily :

nano /etc/cron.daily/vestassl

Now add this lines to it and save then exit :

The bellow script checks the certs and install the certs for the first time and secondly when the source certs are changed .



if ! cmp -s $cert_dst $cert_src
        # Copy Certificate
        cp $cert_src $cert_dst

        # Copy Keyfile
        cp $key_src $key_dst

        # Change Permission
        chown root:mail $cert_dst
        chown root:mail $key_dst

        # Restart Services
        service vesta restart &> /dev/null
        service exim4 restart &> /dev/null
        service dovecot restart &> /dev/null

***Don’t forget to change the hostname/subdomain highlighted in red

Now you need to fix the permission for the cron job file :

chmod +x /etc/cron.daily/vestassl

Step 3 :

Restarting the service and running the upper script from command line to install SSL to vesta and mail server :

sh /etc/cron.daily/vestassl

Hence the upper script will restart vesta and mail server it is also recommended to restart the vesta and mail services manually for peace of mind :

service vesta restart
service exim4 restart
service dovecot restart

Now login to Vesta Admin url you’ll see a valid let’s encrypt ssl is already functioning and so for mail server too.

*Don’t forget to change the hostname/subdomain highlighted in red

If this post helps you in any way please consider a donation

Donate with PayPal :


Donate with Paytm :


You may also like

Leave a Reply

6 Comment threads
3 Thread replies
Most reacted comment
Hottest comment thread
7 Comment authors
SandyOttoGaius PrimerPcratOussama Recent comment authors
newest oldest most voted
Notify of

Perfecto its working and i’m surprised upon how you made this tutorial so easy, best blog
thank you


Hi Man,

Works for me !!


Very clear explanation , Thank you so much !


You might want to use ‘/bin/systemctl restart exim4.service’ (+ vesta + dovecot).
service sometimes doesn’t work.

Gaius Primer

Hello, after trying the steps above, it return ” → Error: Let’s Encrypt validation status 400″
Please, how can I solve this?


Hi I have a unique problem, the main vesta hostname certificate shows different to the email, and I have no idea how to fix that, it looks like an old certificate and the domain does no match. All the site certificates are all working, but email gives error that certificate is wrong, hostname do not match I think it is possible I have used another certificate from other server, when I point the mouse at the browser, where is says insecure, I can see it is a certificate from other server, so now how do I fix that. It is… Read more »