How to Configure/Install Let’s Encrypt SSL on VestaCP Mail Server and Vesta Admin – CentOS and Ubuntu

by Sandeep B.

In this tutorial we’ll cover how to install a valid Let’s Encrypt SSL certificate for the hostname, the VestaCP admin (on port 8083) and the mail server, and how to configure it to renew automatically.

Let’s Encrypt is a free SSL certificate authority (CA) with 99.99% browser compatibility. Today we’ll configure Let’s Encrypt SSL for the Exim mail server under VestaCP. These days email servers are in high demand and are used for newsletters and personal mail. VestaCP has full-featured email server support, but it uses a self-signed certificate for the mail server and the Vesta admin login.

Let’s Get Started

Step 1:

Important: Install VestaCP with a proper hostname set (it should be a subdomain of your main domain; this tutorial uses srv1.mysterydata.com as the example), and make sure the hostname has a DNS A record pointing to the server IP.

Follow these steps to install Let’s Encrypt SSL on the hostname via the VestaCP admin area:

  1. Log in to the VestaCP admin (https://srv1.mysterydata.com:8083) and accept the warning about SSL.
  2. Go to the WEB section and click EDIT, which appears when you hover the mouse over the hostname/subdomain.
  3. Under Aliases, remove everything from the box, e.g. www.srv1.mysterydata.com.
  4. Scroll down to the “SSL Support” check box at the bottom, check it, and then check “Lets Encrypt Support”.
  5. Finally, click the SAVE button. When Let’s Encrypt SSL is installed successfully for the hostname, the changes are saved without any error and you see the message “Changes have been saved.”

We’ve done 90% of the setup now. The next step is just adding the Let’s Encrypt certs to the admin login and the mail server. It will be easy as pie 🙂

Step 2:

Installing the Let’s Encrypt cert for the admin login and for the mail server:

Create a cron job file that runs daily:

nano /etc/cron.daily/vestassl

Now add these lines to it, save, then exit:

The script below checks the certs and installs them the first time it runs, and again whenever the source certs change.
CENTOS/RHEL:

#!/bin/bash
# Sync the hostname's Let's Encrypt cert to the Vesta admin panel and mail server

cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# Act only when the installed cert differs from the source (first run or after a renewal)
if ! cmp -s "$cert_dst" "$cert_src"
then
        # Copy Certificate
        cp "$cert_src" "$cert_dst"

        # Copy Keyfile
        cp "$key_src" "$key_dst"

        # Change Ownership
        chown root:mail "$cert_dst"
        chown root:mail "$key_dst"

        # Restart Services (portable redirect, also correct when run with sh)
        service vesta restart > /dev/null 2>&1
        service exim restart > /dev/null 2>&1
        service dovecot restart > /dev/null 2>&1
fi

UBUNTU/DEBIAN :

#!/bin/bash
# Sync the hostname's Let's Encrypt cert to the Vesta admin panel and mail server

cert_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.pem"
key_src="/home/admin/conf/web/ssl.srv1.mysterydata.com.key"
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

# Act only when the installed cert differs from the source (first run or after a renewal)
if ! cmp -s "$cert_dst" "$cert_src"
then
        # Copy Certificate
        cp "$cert_src" "$cert_dst"

        # Copy Keyfile
        cp "$key_src" "$key_dst"

        # Change Ownership
        chown root:mail "$cert_dst"
        chown root:mail "$key_dst"

        # Restart Services (portable redirect, also correct when run with sh)
        service vesta restart > /dev/null 2>&1
        service exim4 restart > /dev/null 2>&1
        service dovecot restart > /dev/null 2>&1
fi

***Don’t forget to change the hostname/subdomain (srv1.mysterydata.com in the scripts above) to your own.

Now make the cron job file executable:

chmod +x /etc/cron.daily/vestassl

Step 3:

Run the script above from the command line to install the SSL cert for Vesta and the mail server. Run it with bash, the interpreter named in its first line:

bash /etc/cron.daily/vestassl

Although the script above restarts Vesta and the mail server, it is also recommended to restart the Vesta and mail services manually for peace of mind (on CentOS/RHEL the Exim service is named exim, as in the script above):

service vesta restart
service exim4 restart
service dovecot restart

Now log in to the Vesta admin URL and you’ll see that a valid Let’s Encrypt SSL cert is in use, and the same goes for the mail server.

https://srv1.mysterydata.com:8083

*Don’t forget to change the hostname/subdomain (srv1.mysterydata.com in this example) to your own.
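
The daily script in Step 2 copies whatever sits at the source path. As an added example (not part of the original post), this variant refuses to install a pair unless the key belongs to the cert, the cert names the hostname, and it is valid for at least another day. The function names, the CERT_GROUP variable, the 0640 key mode and the 24-hour threshold are assumptions.

```shell
#!/bin/bash
# Added example: validate the Let's Encrypt pair before handing it to
# vesta/exim/dovecot. Helper names and the 0640 key mode are assumptions.

CERT_GROUP="${CERT_GROUP:-mail}"   # group from the tutorial's chown root:mail

# True only if the key belongs to the cert, the cert names the host, and the
# cert stays valid for at least $4 more seconds.
pair_is_valid() {   # $1=cert $2=key $3=hostname $4=seconds
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # -checkhost reports its result as text only, so match the output.
    openssl x509 -in "$1" -noout -checkhost "$3" 2>/dev/null |
        grep -q 'does match certificate' || return 1
    openssl x509 -in "$1" -noout -checkend "$4" >/dev/null 2>&1
}

# Prints "unchanged", "refused" or "installed"; returns non-zero when the
# pair is refused or cannot be written.
sync_pair() {       # $1=cert_src $2=key_src $3=cert_dst $4=key_dst $5=hostname
    if cmp -s "$1" "$3" && cmp -s "$2" "$4"; then echo unchanged; return 0; fi
    if ! pair_is_valid "$1" "$2" "$5" 86400; then echo refused; return 1; fi
    # Stage next to the destination with final modes, then rename into place,
    # so a service never reads a half-written or world-readable key.
    install -m 0644 "$1" "$3.new" && install -m 0640 "$2" "$4.new" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$CERT_GROUP" "$3.new" "$4.new" || return 1
    fi
    mv -f "$3.new" "$3" && mv -f "$4.new" "$4" || return 1
    echo installed
}

host="srv1.mysterydata.com"             # the tutorial's example hostname
src="/home/admin/conf/web/ssl.$host"
dst="/usr/local/vesta/ssl/certificate"
mail_svc="exim4"                        # "exim" on CentOS/RHEL
if [ -r "$src.pem" ] && [ -r "$src.key" ]; then
    status=$(sync_pair "$src.pem" "$src.key" "$dst.crt" "$dst.key" "$host")
    case "$status" in
        installed) for s in vesta "$mail_svc" dovecot; do
                       service "$s" restart >/dev/null 2>&1
                   done ;;
        unchanged) : ;;
        *) echo "vestassl: refusing to install cert for $host" >&2; exit 1 ;;
    esac
fi
```

Because a refusal writes to stderr and exits non-zero, cron reports it instead of silently serving a wrong or expired certificate.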


9 comments

Angilo August 13, 2018 - 5:47 am

Perfecto, it’s working and I’m surprised at how you made this tutorial so easy, best blog
thank you

Pushpendra October 2, 2018 - 11:48 pm

Hi Man,

Works for me !!

Oussama November 7, 2018 - 1:23 am

Very clear explanation, thank you so much!

Pcrat January 8, 2019 - 4:04 am

You might want to use ‘/bin/systemctl restart exim4.service’ (+ vesta + dovecot).
service sometimes doesn’t work.

Sandy January 8, 2019 - 2:38 pm

perfect thanks it will help other visitors 🙂

Gaius Primer November 17, 2019 - 2:09 am

Hello, after trying the steps above, it returns “→ Error: Let’s Encrypt validation status 400”
Please, how can I solve this?

Sandy November 16, 2019 - 9:32 pm

Hi,
You can discuss the issue you’re facing at the forum
https://forum.mysterydata.com/

Otto January 5, 2020 - 4:50 pm

Hi, I have a unique problem: the main Vesta hostname certificate shows as different from the email one, and I have no idea how to fix that. It looks like an old certificate and the domain does not match.
All the site certificates are working, but email gives an error that the certificate is wrong, the hostname does not match.
I think it is possible I have used another certificate from another server. When I point the mouse at the browser, where it says insecure, I can see it is a certificate from another server, so now how do I fix that? It is the VestaCP main certificate.

Sandy January 6, 2020 - 6:20 am

Hi, go to our forum and discuss there
