
Letsencrypt on Ubuntu and Nginx


Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

Requirements

In addition to the supported Ubuntu operating system that Mailborder runs on, you will also need to have port 80 open to the internet at all times. This is NOT a security concern! Mailborder automatically redirects all port 80 traffic to 443, and apart from the Let's Encrypt challenge responses, no content is ever served over port 80. Let's Encrypt needs to verify that your server exists and answers for your domain, and it does this over port 80.

I know some administrators will still have their hair on fire over port 80 being open, so let me demonstrate. This is the top of the configuration file for all Nginx virtual hosts used by Mailborder:

# ssl redirect
server {
  listen 80;
  listen [::]:80;
  access_log off;
  server_name master.mailborder.com;

  # Only the ACME challenge path is served from disk. Certbot writes the
  # challenge token under this webroot while Let's Encrypt verifies the domain.
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  # Everything else gets a permanent redirect to the HTTPS virtual host.
  location / {
    return 301 https://$server_name$request_uri;
  }
}

Here is what this section is doing:

  • Listening on port 80
  • Allowing Letsencrypt verification requests to /.well-known/acme-challenge/
  • Anything else gets redirected to your server_name on HTTPS.
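To confirm that a deployed server really behaves the way the three bullets describe, here is an added shell check; it is not part of the original article and not Mailborder's code. It assumes curl is installed, that the host name you pass is the server_name of the virtual host, and, for the optional round trip, that the script runs on the server itself with write access to the webroot /var/lib/letsencrypt from the configuration above. The header-judging functions read a captured response from stdin, so the decision logic can be exercised offline against constructed responses.

```shell
#!/bin/sh
# Added example: verify the port-80 behaviour of the virtual host above.
# Assumptions (not from the article): curl is available; the host name passed
# in is the server_name of the virtual host; the webroot path matches the
# configuration shown on the page.

# Return 0 when an HTTP response header block on stdin is a permanent
# redirect (301 or 308) whose Location points at an https:// URL.
is_https_redirect() {
  headers=$(cat | tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 | awk '{print $2}')
  case "$status" in
    301|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a response on stdin was answered by this server directly
# (200 for an existing token, 404 for a missing one) instead of redirected,
# which is what the acme-challenge location must do for verification to work.
challenge_answered_locally() {
  status=$(cat | tr -d '\r' | head -n 1 | awk '{print $2}')
  case "$status" in
    200|404) return 0 ;;
    *) return 1 ;;
  esac
}

# Optional round trip when run on the server itself: drop a throwaway token
# into the webroot from the config and confirm nginx serves it back verbatim.
verify_webroot() {
  host=$1
  dir=/var/lib/letsencrypt/.well-known/acme-challenge
  [ -w "$dir" ] || { echo "SKIP: $dir not writable, skipping webroot round trip"; return 0; }
  token="probe-$$-$(date +%s)"
  printf 'ok' > "$dir/$token"
  body=$(curl -sS --max-time 10 "http://$host/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "ok" ] || { echo "FAIL: webroot round trip returned '$body'"; return 1; }
  echo "OK: challenge token served back from $dir"
}

# Live probes against a host; these need network access to port 80 on that host.
probe_host() {
  host=$1
  rc=0
  if curl -sS -I --max-time 10 "http://$host/" | is_https_redirect; then
    echo "OK: http://$host/ redirects to HTTPS"
  else
    echo "FAIL: http://$host/ is not a permanent redirect to HTTPS"; rc=1
  fi
  if curl -sS -I --max-time 10 "http://$host/.well-known/acme-challenge/missing-token" \
       | challenge_answered_locally; then
    echo "OK: acme-challenge path is answered on port 80, not redirected"
  else
    echo "FAIL: acme-challenge path is redirected or unreachable"; rc=1
  fi
  verify_webroot "$host" || rc=1
  return $rc
}

# Usage: sh check-port80.sh master.mailborder.com
[ -n "${1:-}" ] && probe_host "$1"
```

The first two probes use HEAD requests, so a missing token is expected to produce a 404 from the `try_files $uri =404;` line rather than the 301 that every other path gets; a 301 on the challenge path means the redirect location is shadowing the ACME location and verification would fail.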


Installing Certbot

Certbot is the program used to obtain, install, and automatically renew certificates. How it is installed depends on your Ubuntu release.

Ubuntu 22.04 and newer

sudo snap refresh core
sudo snap install --classic certbot

Ubuntu 20.04 and older

sudo apt install certbot python3-certbot-nginx

Getting a Certificate for Postfix

If you also want to use Let's Encrypt to obtain valid, self-managed certificates for Postfix, see this article before proceeding.

Getting a Certificate for Nginx

Certbot scans your Nginx configuration files to discover the server names it can request certificates for, so make sure those files are set up before running the next command. If you are a Mailborder customer and your server is installed, the Nginx configuration is already in place. Run this command to start the process:

certbot --nginx --no-redirect

You will be presented with a list of domains to request certificates for. Select the ones you want a certificate for. On a Mailborder server, if you are asked whether to redirect HTTP traffic to HTTPS, select the option for no redirect (the --no-redirect flag in the command above should already skip that question); Mailborder already performs this redirect in its Nginx configuration files. Once complete, restart the Nginx service:

service nginx restart


Certificate Renewals

Certbot creates a service to automatically renew your certificates. To verify this service is up and running:

Ubuntu 22.04 and newer

sudo systemctl status snap.certbot.renew.service

Ubuntu 20.04 and older

sudo systemctl status certbot.timer

You should see that the service is active and running.
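A running timer only proves that renewal is scheduled, not that the certificate on disk is still far from expiry or that a renewal would actually succeed. Here is an added checker, not from the article and not Certbot's or Mailborder's own code, that you can run by hand or from cron. It assumes the certificate lives under /etc/letsencrypt/live/<domain>/fullchain.pem (Certbot's default layout), that openssl and certbot are on the PATH, and that the renewal timer is named snap.certbot.renew.timer for a snap install or certbot.timer for an apt install; <domain> is a placeholder for your own certificate name.

```shell
#!/bin/sh
# Added example: renewal health check. Assumptions (not from the article):
# the certificate name is the first argument and lives under
# /etc/letsencrypt/live/<domain>/fullchain.pem; the second argument is the
# number of days of remaining validity below which to alarm (default 30).

# Return 0 when the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
  cert=$1
  days=$2
  # -checkend takes seconds; exit status 0 means "does not expire within that window".
  openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1
}

# Print the notAfter date of the certificate in $1 (informational only).
cert_not_after() {
  openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Full check against a live install. The timer unit name depends on how
# certbot was installed (snap or apt), so both names are tried.
check_renewal() {
  domain=$1
  warn_days=${2:-30}
  cert="/etc/letsencrypt/live/$domain/fullchain.pem"
  rc=0

  if systemctl is-active --quiet snap.certbot.renew.timer 2>/dev/null \
     || systemctl is-active --quiet certbot.timer 2>/dev/null; then
    echo "OK: certbot renewal timer is active"
  else
    echo "FAIL: no active certbot renewal timer found"; rc=1
  fi

  if cert_valid_for_days "$cert" "$warn_days"; then
    echo "OK: $cert valid until $(cert_not_after "$cert")"
  else
    echo "FAIL: $cert expires within $warn_days days (or could not be read)"; rc=1
  fi

  # Exercise the whole renewal path (challenge on port 80 included) against
  # the staging environment without touching the live certificate.
  if certbot renew --dry-run >/dev/null 2>&1; then
    echo "OK: certbot renew --dry-run succeeded"
  else
    echo "FAIL: certbot renew --dry-run failed; run it by hand to see the error"; rc=1
  fi
  return $rc
}

# Usage: sudo sh check-renewal.sh master.mailborder.com 30
[ -n "${1:-}" ] && check_renewal "$1" "${2:-30}"
```

Because Let's Encrypt certificates are short-lived and Certbot renews them well before expiry, a certificate with fewer than 30 days left is the clearest sign that the scheduled renewal has been failing silently; the dry run then reproduces the failure, most often a port 80 that is no longer reachable.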