Let's Encrypt Support

I recently signed up for the Let’s Encrypt Beta Test to get free SSL certificates and wanted to test the support of MiaB.

See for yourself: Website and SSL Test

I will try to put a guide together for those who are interested.

Please do, I’d be VERY interested in this.

I just got the email too that my domain has been whitelisted, but can’t seem to get it to work on my box. Very interested in your guide.

If you have the BETA invite, too, then until a better guide for an nginx server or one devoted to MiaB becomes available, you may wish to follow this one: Let's Encrypt with DirectAdmin or other Web Control Panels - Raymii.org. It explains how to do it on a ‘directadmin’ powered server (Apache based, not nginx), but it seems to me very easy to guess how to do it with MiaB (just replace the last part, which talks about how to import the cert & fullchain into the ‘directadmin’ admin panel, with the correct windows available in the MiaB admin panel). Hope this helps!

IMPORTANT: back up or snapshot your MiaB server before doing the test! :wink:

The trick is to use the fullchain.pem and privkey.pem from /etc/letsencrypt/live/<domain>/ as ssl_certificate.pem and private_key.pem in /home/user-data/ssl/<domain>/. Then it’s important to call the web_update script from the ~/mailinabox/tools folder. By next week I will prepare a guide.

@m4rcs Yes!
BTW, I didn’t test that yet, but perhaps it could be useful to use symlinks at /home/user-data/ssl/<domain>/ as ssl_certificate.pem and private_key.pem pointing to the real /etc/letsencrypt/live/<domain>/ privkey.pem and fullchain.pem files… If it works in the end, it would help us a lot when the Let’s Encrypt certificate auto-renew feature is finally implemented, +/- by the end of November… What do you think?

Note: I saw that @JoshData is already working on a MiaB custom client, too: https://github.com/mail-in-a-box/letsencrypt_simpleclient … Sounds really good, too!

I don’t know if symlinked files are also backed up. If so I will symlink them. Maybe @JoshData can say something about the symlinks.

This post may shed some light on this: Use on non-web servers? - #17 by eva2000 - Server - Let's Encrypt Community Support

That’s not my point. I mean the internal backup mechanism of MiaB itself.

Recently got a beta approval too, so I’d be interested in seeing your guide, m4rcs. :smile:

Well I got as far as trying to replace my private key with the one issued by Let’s Encrypt - but the Mailinabox interface says

Certificate has a problem: The private key file
/home/user-data/ssl/ssl_private_key.pem is not a private key file: File
is not a valid PEM-formatted file.

Looking at the private key, the existing one is RSA and the one from LE doesn’t specify RSA - possibly a different format? Feeling like there’s an obvious step I’ve missed here but I’m not sure exactly what’s going wrong.

Well, after thoroughly breaking my MiaB (nginx failing to start) & having to reset/delete all my certificates/keys I think I’ll wait until someone has a clearer guide on exactly how to get it working!

@tenoq Does your key start with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- or -----BEGIN CERTIFICATE-----?

https://github.com/mail-in-a-box/mailinabox/blob/master/management/ssl_certificates.py#L339-L347 is where the validation happens. It expects any number of hyphens, BEGIN, and some identifying string, at the start.

It was -----BEGIN PRIVATE KEY-----, iirc.

I’ll give it another go in a couple of days when I’ve got a few hours downtime. Or just wait for Josh’s native support - looks like he’s working on it already.
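Added example, not part of the thread and not Mail-in-a-Box's own validation code: a pre-flight check of the PEM armour in a privkey.pem / fullchain.pem pair before the files are copied into /home/user-data/ssl/. It accepts both -----BEGIN PRIVATE KEY----- (PKCS#8) and -----BEGIN RSA PRIVATE KEY----- (PKCS#1) and flags the mix-ups that produce a "not a valid PEM-formatted file" style error. The function names are hypothetical and the sample blocks are constructed from dummy bytes, not real keys.

```python
import base64
import binascii
import re

# Labels of unencrypted private keys: PKCS#8, PKCS#1 RSA, SEC1 EC.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.S | re.M)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    blocks = []
    for label, body in BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # armour present but body is not base64: not usable
        blocks.append((label, der))
    return blocks

def check_pair(key_text, chain_text):
    """Pre-flight check of privkey.pem / fullchain.pem contents.
    Returns a list of problems; empty means the pair is laid out correctly."""
    problems = []
    if not key_text.startswith("-----BEGIN "):
        problems.append("key: first bytes are not a PEM BEGIN line")
    key_labels = [label for label, _ in pem_blocks(key_text)]
    if key_labels == ["ENCRYPTED PRIVATE KEY"]:
        problems.append("key: passphrase-protected (ENCRYPTED PRIVATE KEY)")
    elif len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        problems.append("key: expected one private key block, found %r" % key_labels)
    chain_labels = [label for label, _ in pem_blocks(chain_text)]
    if not chain_labels or set(chain_labels) != {"CERTIFICATE"}:
        problems.append("chain: expected only CERTIFICATE blocks, found %r" % chain_labels)
    elif len(chain_labels) < 2:
        problems.append("chain: one certificate only, intermediate missing")
    return problems

def sample_pem(label, payload):  # constructed armour around dummy bytes
    b64 = base64.encodebytes(payload).decode().strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

if __name__ == "__main__":
    key = sample_pem("PRIVATE KEY", b"\x30\x82" + b"k" * 70)
    chain = sample_pem("CERTIFICATE", b"leaf" * 20) + sample_pem("CERTIFICATE", b"ca" * 40)
    print(check_pair(key, chain))             # correct layout
    print(check_pair(chain, key))             # files swapped
    print(check_pair("\ufeff" + key, chain))  # BOM before the BEGIN line
```

It checks only the PEM armour and file layout, not that the private key actually matches the certificate.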

… and we’re in Public Beta! Hope to see this baked into future editions of MIB!

Until Mail-in-a-Box handles Let’s Encrypt itself, it’s really darned easy to set up ssl with https://gethttpsforfree.com/. It’s a web-based LE frontend. There are a lot of steps but they’re quick and simple. ssh to your mailinabox to run the openssl commands.

I found that much quicker to set up than both startssl and the woefully buggy wosign.

Only downside is I’ll have to re-do that process in three months… I’m hoping MIAB has LE by then!

I was able to run ./letsencrypt-auto --apache on my apache2-based site, but on my MIAB nginx site I get the error "nginx plugin not installed". I can safely assume no CERT for some time to come?