Hello guys,
After 23.7.4 version came out, I started to test Let's Encrypt certificate generation and deployment. As you already may know you MUST add a virtualhost to the domain you wanna add a certificate to, so those are the steps I'm doing right now:
1 - Go to the "Virtual Host & Certificates" and add a Virtual Host Name;
2 - Select "UPLOAD AND VERIFY CERTIFICATE";
3 - Click on "Certificate type" and pick "I want to use a Let's Encrypt (longChain) certificate";
4 - Wait like 2 minutes so it requests and generates the certificate;
5 - Go to the terminal as zextras user and run:
zmconfigdctl reload
zmproxyctl reload
That's it.
FTR it requests and deploys a certificate done for the "maindomain + virtualhost"
But here come my questions:
1 - why do we need to reload those services manually to make it work?
2 - are those certificates being renewed automatically by Carbonio?
3 - if so, do we need to reload those services manually when the time comes?
Finally but not less important: am I doing this right? =)
Any comments would be very welcome.
Hi, @anahuac ! I use https://nginxproxymanager.com/ for my Carbonio Mail Server and other web services on my network and provide SSL on the reverse proxy side. This is a good scheme to manage SSL from one point and not have to configure it everywhere on web servers.
I'm not advocating anything, just sharing my experience. In the case of a single installation of Carbonio CE, this may be redundant, but for a company network, it should be.
@max I also use https://nginxproxymanager.com for many other situations, but not to Mail servers and the main reason is because root certificates, the ones used by IMAP/POP and SMTP are not served by the Proxy... and this use to cause many issues with Outlook.
So, I rather work certificates in the same Carbonio server and I am used to do it via scripts and it always worked well.... now I'm testing this new Carbonio certificate management to figure how it works and see if it may replace my scripts or not =)
Thank you very much for sharing with us.
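Added example, not part of any post in this thread and not Carbonio's own tooling: a shell check for the reload and renewal questions in the first post that also covers the IMAP/POP/SMTP ports mentioned above. It compares the certificate a service actually presents with the issued one; the script name, the `ISSUED_CERT.pem` path and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: compare the certificate a service presents with the issued one.

# Print the PEM certificate presented by host $1 on port $2.
# Optional $3 is a STARTTLS protocol understood by openssl (smtp, imap, pop3).
served_cert() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM 2>/dev/null
}

# SHA-256 fingerprint of the PEM certificate in file $1 (empty on parse failure).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit 0 if the certificate in file $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print "in-sync" if issued cert $1 and served cert $2 match, "stale" if the
# service still presents another certificate, "error" if either is unreadable.
reload_status() {
    issued=$(cert_fingerprint "$1")
    served=$(cert_fingerprint "$2")
    if [ -z "$issued" ] || [ -z "$served" ]; then
        echo error
    elif [ "$issued" = "$served" ]; then
        echo in-sync
    else
        echo stale
    fi
}

# Usage: sh check.sh HOST PORT ISSUED_CERT.pem [smtp|imap|pop3]
# ISSUED_CERT.pem is a placeholder path; the thread does not say where Carbonio stores it.
if [ "$#" -ge 3 ]; then
    live=$(mktemp) || exit 1
    served_cert "$1" "$2" "$4" > "$live"
    reload_status "$3" "$live"
    # 30 days is an assumed warning threshold, not a Carbonio setting.
    cert_valid_for_days "$live" 30 || echo "served certificate expires within 30 days"
    rm -f "$live"
fi
```

A "stale" result after a renewal means the running service has not picked up the new certificate yet.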
@anahuac, yes, you are a democratic administrator, and I am a totalitarian: no Outlook, no POP3 and IMAP, no other email clients except for the web interface and the Carbonio mobile application. For SMTP, I have been using Proxmox Mail Gateway for a long time and there is Let's Encrypt.
For more democratic usage patterns, of course, SSL should work on the Carbonio server.