Kerio Connect - Deploying Let's Encrypt SSL Certificate on Linux DEB Installations

Author: Vladyslav Velychko 06/2020

Overview


This article describes how to deploy a Let's Encrypt SSL certificate in Kerio Connect.

Prerequisites


 

Process

  1. Reconfigure the Kerio Connect HTTP/HTTPS services to start manually and listen on ports 8800 and 8843. The standard ports 80/443 are needed by Let's Encrypt: Certbot uses them to verify the domain and obtain the certificate.

  2. Create a webroot directory using the following commands:
    mkdir -p /var/www/mail
    chown www-data:www-data /var/www/mail


  3. Install Nginx and SSL-cert packages with the following command:
    sudo apt-get install nginx ssl-cert




  4. Create a file called /etc/nginx/sites-available/kerio-connect.conf with the content below. The following command opens it in the Nano text editor; you can use any other editor.

    nano /etc/nginx/sites-available/kerio-connect.conf

    server {
        listen      80;
        server_name <mail.example.com>;
        server_name_in_redirect off;
        rewrite     ^ https://$server_name$request_uri? permanent;
    }


    server {
        listen      443 ssl;
        server_name <mail.example.com>;

        ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

        location /.well-known {
            alias /var/www/mail/.well-known;
        }


        location / {
            proxy_pass       https://localhost:8843;
            proxy_set_header Host                 $host;
            proxy_set_header X-Real-IP            $remote_addr;
            proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
            proxy_set_header X-Remote-Port        $remote_port;
            proxy_set_header X-Forwarded-Proto    $scheme;
            proxy_redirect  off;
        }

    }

    Note: Replace <mail.example.com> with your real Kerio Connect hostname.
  5. Link the file to make it an active site:
    ln -s /etc/nginx/sites-available/kerio-connect.conf /etc/nginx/sites-enabled/kerio-connect.conf



  6. Check that the configuration is valid. If no errors are reported, restart the Nginx service:
    nginx -t
    systemctl restart nginx.service



  7. Get Certbot: download the certbot-auto script and make it executable by running the following commands:
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

  8. Run it once without any parameters for a dependency check:
    ./certbot-auto



  9. When prompted, confirm your email address, hostname, etc.
    If everything is correct, you should see a "Congratulations!" message at the end.




  10. Create a certificate. Replace <mail.example.com> with your hostname.
    ./certbot-auto certonly --webroot -w /var/www/mail -d <mail.example.com>


  11. Link the Let's Encrypt certificate and key into the Kerio Connect sslcert folder:

    ln -s /etc/letsencrypt/live/<mail.example.com>/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt

    ln -s /etc/letsencrypt/live/<mail.example.com>/privkey.pem /opt/kerio/mailserver/sslcert/mail.key



  12. Log in to Kerio Connect Webadmin and navigate to Configuration > SSL Certificates to check the Let's Encrypt SSL certificate. Right-click the certificate and set it as Default.




  13. (Optional) If the Let's Encrypt certificate is not shown, try restarting the Kerio Connect service:
    service kerio-connect restart


  14. To renew the Let's Encrypt SSL certificate, run the following command:
    ./certbot-auto renew


  15. Let's Encrypt certificates are valid for only 90 days, so it is better to automate renewal with a simple shell script and a cron task.
    1. Copy certbot to /usr/local/bin folder:
      cp certbot-auto /usr/local/bin/



    2. Create a script file /root/certbot-post-hook.sh with the following content:
      nano /root/certbot-post-hook.sh

      #!/bin/sh
      systemctl restart nginx.service
      systemctl restart kerio-connect.service



    3. Make it executable and secure it:
      chmod 500 /root/certbot-post-hook.sh
      chown root:root /root/certbot-post-hook.sh

    4. Create the cron file /etc/cron.d/certbot with the following content:

      SHELL=/bin/sh
      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

      0 3 * * * root perl -e 'sleep int(rand(3600))' && certbot-auto -q renew --post-hook "/root/certbot-post-hook.sh"



    5. This entry runs once a day at 3:00 AM as root, sleeps for a random interval of up to 3600 seconds (one hour), and then runs Certbot. The --post-hook script is executed only if a certificate was actually renewed, so Nginx and Kerio Connect are restarted only when needed.
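The post-hook from step 15.2 restarts both services unconditionally; the following is an added example (not part of the original article or of Kerio's or Certbot's code) of a stricter hook that first verifies that the renewed fullchain.pem and privkey.pem belong together, carry the mail hostname as a subjectAltName, and are not about to expire, logging to syslog and leaving the running services alone if any check fails. It assumes the paths used in the steps above, an installed openssl command-line tool, and the hostname in the HOST variable (the mail.example.com placeholder by default).

```shell
#!/bin/sh
# Added example, not from the original article: a stricter /root/certbot-post-hook.sh
# (step 15.2). Assumptions: paths as in the article, openssl CLI installed, the mail
# hostname in $HOST (default mail.example.com, the placeholder used above).
HOST="${HOST:-mail.example.com}"
LIVE="${LIVE:-/etc/letsencrypt/live/$HOST}"
MIN_DAYS="${MIN_DAYS:-14}"

# 0 when the certificate's public key equals the public key derived from the private key.
pair_matches() {  # $1 = certificate PEM, $2 = private key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate lists $2 as a DNS subjectAltName (exact, case-sensitive match).
cert_has_host() {  # $1 = certificate PEM, $2 = hostname
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# 0 when the certificate stays valid for at least $2 more days.
not_expiring() {  # $1 = certificate PEM, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Restart Nginx and Kerio Connect only if the renewed pair passes every check;
# otherwise log the reason to syslog and leave the running services untouched.
deploy_if_valid() {
  cert="$LIVE/fullchain.pem"; key="$LIVE/privkey.pem"
  if ! pair_matches "$cert" "$key"; then
    logger -t certbot-post-hook "$cert does not match $key; not restarting"; return 1
  fi
  if ! cert_has_host "$cert" "$HOST"; then
    logger -t certbot-post-hook "$cert has no SAN for $HOST; not restarting"; return 1
  fi
  if ! not_expiring "$cert" "$MIN_DAYS"; then
    logger -t certbot-post-hook "$cert expires within $MIN_DAYS days; not restarting"; return 1
  fi
  systemctl restart nginx.service
  systemctl restart kerio-connect.service
}

# Run the deployment only when executed as the hook itself, so the checks can
# also be sourced from other scripts.
if [ "${0##*/}" = "certbot-post-hook.sh" ]; then deploy_if_valid; fi
```

Install it as /root/certbot-post-hook.sh in place of the version from step 15.2; the cron entry from step 15.4 needs no change.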

Confirmation


An SSL certificate signed by the Let's Encrypt certificate authority (CA) should now be deployed on your Kerio Connect server.

