====== Using certbot ======

===== acme.sh =====

A lot of installations use [[https://github.com/acmesh-official/acme.sh | acme.sh]] now. The simplest way to figure out things on these installations is to run <code bash>acme.sh --list</code> or <code bash>acme.sh --help</code> works.

[[https://www.ispconfig.org/|ISPConfig]] uses this as the default. If certbot is not installed on installation or upgrade, acme.sh is automagically downloaded and installed.

===== certbot =====

First, certbot can also be called letsencrypt on some really, really old machines. And, it is stored in various places, depending on how you set it up.

On a Devuan servers, the certificates are stored in /etc/letsencrypt.
A lot of this is taken from [[https://certbot.eff.org/docs/using.html]], which is confusing and hard to use, but does give an exhaustive list of the commands at the bottom.

==== See what certificates are on system ====

<code bash>certbot certificates</code>

Sample output would be as follows. Note that you may have multiple entries, and not all entries will have multiple domains in them.

<code bash>
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mail.example.com
    Domains: mail.example.com imap.example.com smtp.example.com
    Expiry Date: 2020-10-26 12:09:56+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code>

==== Delete an existing domain ====

<code bash>certbot delete --cert-name mail.example.com</code> will delete the entire certificate (including all aliases)

==== Add a new domain/alias ====

Ok, this one is tricky as you need a way to authenticate that you own the domain. The simplest way to do this is if you have a web server running. I have a couple of mail servers that I wanted certs for, so I installed apache2, then set it up for the server name plus a couple of aliases.

<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,mail.example.com,myserver.example.com</code>

This creates a certificate named myserver.example.com, with the names smtp, mail and myserver (yes, you have to add that if you want it on the cert). That cert will be located in /etc/letsencrypt/live/myserver.example.com/, a the certificate is valid for all three names.

==== Editing an alias from a cert ====

The above syntax allows you to add/delete aliases from an existing certificate. Simply rerun with the way you want the certificate to look. So, for example, if I wanted to remove the mail alias and add a dovecot alias, I'd do the following.
<code bash>
<code bash>certbot certonly --authenticator webroot -w /var/www/html --cert-name myserver.example.com -d smtp.example.com,dovecot.example.com,myserver.example.com</code>

certbot will ask you if you really want to do this, and then it will do it.


===== Setting up smtp and imap =====

My favorite server is postfix for smtp and dovecot for imap/imaps, so this will cover that. Once you have your certificates downloaded, do the following:

==== postfix ====
postfix has a great cli tool named postconf which allows you to modify the configuration from the cli, so I'll use that here. This assumes you have the certs installed.

Basically, we'll create a symbolic link from the postfix directory (/etc/postfix on Devuan) and point to the live certs in the letsencrypt live directory.

Why not simply point to letsencrypt directly? Because, we'll use the same link with dovecot later, so we'll just point both of them to the same symbolic link.

<code bash>
# link the cert
ln -s /etc/letsencrypt/live/myserver.example.com/fullchain.pem /etc/postfix/smtpd.cert
# and the private key
ln -s /etc/letsencrypt/live/myserver.example.com/privkey.pem /etc/postfix/smtpd.key
# add them to postfix
postconf -e smtpd_tls_cert_file=/etc/postfix/smtpd.cert
postconf -e smtpd_tls_key_file=/etc/postfix/smtpd.key
# restart postfix
service postfix reload
</code>

==== dovecot ====

I'm sure there is an easier way to do this, but I just edit /etc/dovecot/dovecot.conf. I understand that Debian goes crazy with the conf.d, but I use a lot of ISPConfig stuff (which doesn't use that), and honestly I think it makes life more difficult.

Basically, just add the following two lines in the base config. This uses the same certs as postfix

<code>
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
</code>

Now, restart dovecot

<code bash>
service dovecot restart
# watch for any errors, ^c to break out of tail -f
tail -f /var/log/mail.log
</code>