Setting up Let's Encrypt for Halon
Let's Encrypt offers a convenient way to enable SSL certificates for Halon as well as the web administration, ensuring automatic certificate renewal. Setting up Let's Encrypt for Halon is pretty straightforward, and you can start by following the official Certbot instructions to set up the basic requirements needed.
smtpd
For the smtpd process, you will need to incorporate the SSL certificates into both the startup and running configurations to avoid having to restart the service when Certbot renews the certificates:
pki:
private:
- id: mx.example.com
privatekey:
path: /etc/letsencrypt/live/mx.example.com/privkey.pem
pki:
private:
- certificate:
path: /etc/letsencrypt/live/mx.example.com/fullchain.pem
id: mx.example.com
halon-web
To enable Let's Encrypt for the web component, ensure you have halon-web installed on your server. Then, set up the SSL certificate by adding it to the pki
directive for the listener:
- pki:
certificate:
path: /etc/letsencrypt/live/mx.example.com/fullchain.pem
privatekey:
path: /etc/letsencrypt/live/mx.example.com/privkey.pem
Renewal
It is important to enable the renewal hook for Certbot to ensure that services are restarted during certificate renewal, and the new certificates are loaded into the configuration. If your web server exclusively uses port 443 for HTTPS, you can opt for the standalone authentication method. This method is suitable when no other web server or service occupies port 80:
# renew_before_expiry = 30 days
version = x.x.x
archive_dir = /etc/letsencrypt/archive/mx.example.com
cert = /etc/letsencrypt/live/mx.example.com/cert.pem
privkey = /etc/letsencrypt/live/mx.example.com/privkey.pem
chain = /etc/letsencrypt/live/mx.example.com/chain.pem
fullchain = /etc/letsencrypt/live/mx.example.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = ...
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = systemctl restart halon-web; systemctl reload halon-smtpd
reuse_key = True
However, if halon-web uses port 80 or you wish to minimize downtime, you should consider using the webroot authentication method instead. For halon-web the webroot path is /opt/halon/web/node_modules/@halon/web-frontend/dist
.
To verify the automatic renewal process for the certificate(s), you can perform a dry run by using the following command:
sudo certbot renew --dry-run