    lets encrypt and kopano-server

    Kopano Groupware Core
    • thctlo

      Hi,

      For some reason I'm always having problems reading the docs.
      So I am setting up a server with Let's Encrypt certificates.
      I've installed the latest version from the community downloads, 11.x.
      I'm configuring the server.cfg and see...

      #server_listen_tls = 
      #server_ssl_key_file = 
      #server_ssl_key_pass =
      #server_ssl_ca_file = /etc/kopano/ssl/cacert.pem
      #server_ssl_ca_path =
      #server_tls_min_proto = tls1.2
      # Path of SSL Public keys of clients
      #sslkeys_path = /etc/kopano/sslkeys
      

      So I put the server.key in server_ssl_key_file=, but there is no server_ssl_cert option?
      What am I missing here, or should I script something to make this work with Let's Encrypt... pointing to:
      server + key files need to be in one file for server_ssl_key_file
      Which is not really handy in my opinion.

      The instructions here:
      https://kb.kopano.io/display/WIKI/Kopano+One+on+Debian+10+-+quick+installation+instructions
      here:
      https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#ssl-connections-and-certificates
      and here (the test SSL certs, that's a nice tool to know...):
      https://kb.kopano.io/display/WIKI/Generate+TLS+testing+keys

      but these instructions are all different and do not make it easier to configure this.

      So, my question...
      What's the best way to use Let's Encrypt, and what's the preferred setup to enable SSL/TLS on port 237?

      • Pax

        Hi,
        Are you aware that the settings you are modifying are used for internal communication of the Kopano services? If so, I'm not sure about the benefit, as self-signed certs are as good as official ones. (The only external program I know of which communicates over 236/237 is Outlook with the Zarafa MAPI client. But I'm not sure if Outlook accepts Let's Encrypt as trusted certs.)

        On my server I'm using Let's Encrypt certs within the Apache web server which serves the WebApp and Z-Push, so users don't see the nasty warning message while browsing to the WebApp.

        If this is what you want to achieve, there is a program called certbot which does everything for you: modify the web server's config and periodically renew the certificates.
        https://certbot.eff.org/lets-encrypt/debianbuster-apache

        • thctlo @Pax

          @pax That's exactly my point... and thanks for the reply...

          So yes, Outlook connects to port 237, and yes, I know it does accept Let's Encrypt certs.

          And I also saw: https://certbot.eff.org/lets-encrypt/debianbuster-apache
          And that is using snapd, and I'm not installing snapd; I stay within the regular Debian repo and packages.
          But yes, I do have Let's Encrypt installed already.

          • fbartels (Kopano) @thctlo

            The problem with adding the Let's Encrypt certificate to kopano-server is that to update the certificate the server process needs to be restarted (which purges caches). To avoid this one could proxy these kinds of connections (the path is /kopano, AFAIR) through a web server which handles SSL.

            Regards Felix

            Resources:
            https://kopano.com/blog/how-to-get-kopano/
            https://documentation.kopano.io/
            https://kb.kopano.io/

            Support overview:
            https://kopano.com/support/

            • Pax @fbartels

              @fbartels said in lets encrypt and kopano-server:

              The problem with adding the Let's Encrypt certificate to kopano-server is that to update the certificate the server process needs to be restarted (which purges caches). To avoid this one could proxy these kinds of connections (the path is /kopano, AFAIR) through a web server which handles SSL.

              Thus, scripting is also needed to get a full key chain after the certs are renewed. You need to combine fullchain.pem and privkey.pem into one file and afterwards restart kopano-server or the proxy.

              I don't know if this is an option for you. If you are using MS Active Directory you could publish a self-signed cert via GPO. I did this in the past with Zarafa:
              https://support.securly.com/hc/en-us/articles/206688537-How-to-push-the-Securly-SSL-certificate-with-Active-Directory-GPO-

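One way to automate the combine-and-restart step that fbartels and Pax describe is a certbot deploy hook. The script below is an added example, not code from the original thread, from Kopano or from certbot. It assumes that kopano-server reads chain plus private key from the single file named in server_ssl_key_file (as the thread states), a hypothetical combined-file path of /etc/kopano/ssl/server.pem, a hypothetical system user "kopano" that should be able to read the key, and the listener on port 237 mentioned in the question. RENEWED_LINEAGE is the environment variable certbot exports to deploy hooks; everything else is an assumption of this example.

```sh
#!/bin/sh
# Hypothetical certbot deploy hook that rebuilds the combined PEM kopano-server
# expects in server_ssl_key_file and restarts the service once per renewal.
# Invoke via:  certbot renew --deploy-hook /usr/local/sbin/kopano-deploy-hook.sh
#
# Matching server.cfg lines (option names from the thread, path is assumed):
#   server_listen_tls   = *:237
#   server_ssl_key_file = /etc/kopano/ssl/server.pem
set -eu

KOPANO_PEM="${KOPANO_PEM:-/etc/kopano/ssl/server.pem}"   # assumed path
KOPANO_USER="${KOPANO_USER:-kopano}"                      # assumed service user

# combine_pem LINEAGE_DIR OUT_FILE
# Concatenates fullchain.pem + privkey.pem from the certbot lineage directory
# into OUT_FILE. The write is atomic (temp file + rename) so kopano-server can
# never open a half-written key file, and the temp file is created 0600 by
# mktemp so the private key is not world-readable even for an instant.
# Returns non-zero and leaves OUT_FILE untouched if the result has no key.
combine_pem() {
    lineage="$1"
    out="$2"
    tmp="$(mktemp "${out}.XXXXXX")"
    if ! cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" 2>/dev/null \
       || ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0640 "$tmp"
    # Give the service user read access via group ownership. Only possible as
    # root and only if that user exists; skipped otherwise (e.g. when testing).
    if [ "$(id -u)" -eq 0 ] && id "$KOPANO_USER" >/dev/null 2>&1; then
        chown "0:$(id -g "$KOPANO_USER")" "$tmp"
    fi
    mv "$tmp" "$out"
}

# restart_server
# kopano-server only loads the new file on restart (which, as noted in the
# thread, purges its caches), so restart exactly once after a renewal.
restart_server() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart kopano-server.service
    else
        echo "kopano-server not restarted: systemctl not found" >&2
        return 1
    fi
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.org)
# when it runs a deploy hook; outside certbot the functions are just defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combine_pem "$RENEWED_LINEAGE" "$KOPANO_PEM"
    restart_server
fi
```

Because the hook only runs when certbot actually renews, the cache-purging restart happens at most once per renewal rather than on every timer tick; if the cache purge is still unacceptable, the proxy approach fbartels mentions avoids restarting kopano-server altogether.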
              • thctlo @fbartels

                @fbartels Ah, yes, how stupid of me, I totally forgot about that.
                Thanks for the reminder...
                @Pax Yes, I already publish my internal CA root via GPO to my computers.

                It's just that,
                if you "just" follow the manuals, it's (still) not clear enough what/how things are used for.
                I'm following documentation.kopano.io and sorry @kopano, it still needs a lot of improvement.
                I'm a fan of Kopano, really, but the documentation just "still" sucks (sorry for the language).

                • thctlo @thctlo

                  And also, I already showed this before... still not in Kopano, and without it you still get unneeded errors in your logs...

                  The startup order of Kopano services, for example.
                  kopano-server.service

                  Before=kopano-dagent.service kopano-gateway.service kopano-ical.service kopano-monitor.service kopano-search.service kopano-spamd.service kopano-spooler.service
                  After=network.target mysql.service mariadb.service postfix.service exim.service

                  kopano-search.service
                  After=kopano-server.service

                  To show two (again)...
