How to Configure/Install Let’s Encrypt SSL on VestaCP Mail Server and Vesta Admin – CentOS and Ubuntu

by Sandy

In this tutorial we’ll cover how to install a valid Let’s Encrypt SSL certificate for the hostname, for the VestaCP admin (on port 8083) and for the mail server, and how to configure it to renew automatically.

Let’s Encrypt is a free SSL certificate authority (CA) with 99.99% browser compatibility. Today we’ll configure Let’s Encrypt SSL for the exim mail server under VestaCP. These days email servers are in high demand and are used for newsletters and personal mail. VestaCP has full-featured email server support, but it uses a self-signed certificate for the mail server and the Vesta admin login.

Let’s Get Started

Step 1:

Important: Install VestaCP with a proper hostname set (it should be a subdomain of your main domain; for this tutorial I’m using srv1.mysterydata.com as an example), and the hostname should have a DNS A record pointing to the server IP.

Follow these steps in order to install the Let’s Encrypt SSL on the hostname via the VestaCP admin area:

  1. Log in to the VestaCP admin (https://srv1.mysterydata.com:8083) and accept the warning about SSL.
  2. Go to the WEB section and click EDIT, which appears when you hover the mouse over the hostname/subdomain.
  3. Under Aliases, remove everything from the box, e.g. www.srv1.mysterydata.com.
  4. Scroll down to the “SSL Support” check box at the bottom, check it, then check “Lets Encrypt Support”.
  5. Finally, click the SAVE button. When the Let’s Encrypt SSL has been installed successfully for the hostname, the changes are saved without any error and you see the message: “Changes have been saved.”

We’ve done 90% of the setup by now. The next step is just adding the Let’s Encrypt certs to the admin login and the mail server. It will be as easy as pie 🙂

Step 2:

Installing the Let’s Encrypt cert for the admin login and for the mail server:

Create a cron job file to run daily:

nano /etc/cron.daily/vestassl

Now add these lines to it, save, then exit:

The script below installs the certs the first time it runs, and installs them again whenever the source certs change.

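#!/bin/bash

# Let's Encrypt files that Vesta maintains for the hostname (source)
cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
# Files used by the Vesta admin panel and the mail server (destination)
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# Act only when the installed certificate differs from the source
if ! cmp -s "$cert_dst" "$cert_src"
then
        # Copy Certificate
        cp "$cert_src" "$cert_dst"

        # Copy Keyfile
        cp "$key_src" "$key_dst"

        # Change Ownership
        chown root:mail "$cert_dst"
        chown root:mail "$key_dst"

        # Restart Services (portable redirect, so it also works when run with sh)
        service vesta restart > /dev/null 2>&1
        service exim4 restart > /dev/null 2>&1
        service dovecot restart > /dev/null 2>&1
fi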

***Don’t forget to change the hostname/subdomain (srv1.mysterydata.com in the two source paths) to your own.

Now you need to make the cron job file executable:

chmod +x /etc/cron.daily/vestassl

Step 3:

Run the script above from the command line to install the SSL for Vesta and the mail server and restart the services:

bash /etc/cron.daily/vestassl

Although the script above already restarts Vesta and the mail services, it is also recommended to restart them manually for peace of mind:

service vesta restart
service exim4 restart
service dovecot restart

Now log in to the Vesta admin URL. You’ll see that a valid Let’s Encrypt SSL is already in place, and the same goes for the mail server.

https://srv1.mysterydata.com:8083

*Don’t forget to change the hostname/subdomain (srv1.mysterydata.com) to your own.
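
The cron script only compares the certificate file and discards the output of the service restarts, so a key that does not match the certificate or a service that did not pick up the new files goes unnoticed. The check below is an added example, not part of the original tutorial: the function names are made up here, the paths are the ones used above, ports 465 and 993 are assumed to be the implicit-TLS mail ports, and openssl must be installed.

```sh
#!/bin/sh
# Added example (not from the original post): checks for the pair installed by
# /etc/cron.daily/vestassl. Function names are hypothetical; paths are the tutorial's.
host="srv1.mysterydata.com"
cert_src="/home/admin/conf/web/ssl.$host.pem"
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# True when the private key in $2 belongs to the (first) certificate in $1.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file.
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Fingerprint a service actually presents: host, port, optional STARTTLS protocol.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" ${3:+-starttls "$3"} \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
}

# check_install SOURCE_CERT INSTALLED_CERT INSTALLED_KEY
check_install() {
    cmp -s "$1" "$2" || { echo "installed cert differs from source"; return 1; }
    pair_matches "$2" "$3" || { echo "cert and key do not match"; return 1; }
    cert_valid_for_days "$2" 7 || { echo "cert expires within 7 days"; return 1; }
    echo "ok"
}

# Run only on a host where the tutorial's files exist.
if [ -f "$cert_dst" ] && [ -f "$cert_src" ]; then
    check_install "$cert_src" "$cert_dst" "$key_dst"
    want=$(file_fingerprint "$cert_dst")
    # 8083 = Vesta admin; 465 and 993 are assumed implicit-TLS mail ports.
    for port in 8083 465 993; do
        [ "$(served_fingerprint "$host" "$port")" = "$want" ] \
            || echo "port $port serves a different certificate"
    done
fi
```

Run it as root after the cron script; any line other than "ok" names the file or port to look at.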

Angilo

Perfecto, it’s working and I’m surprised at how you made this tutorial so easy, best blog.
Thank you

Pushpendra

Hi Man,

Works for me !!

Oussama

Very clear explanation, thank you so much!

Pcrat

You might want to use ‘/bin/systemctl restart exim4.service’ (+ vesta + dovecot).
service sometimes doesn’t work.