Proxmox Mail Gateway + Letsencrypt

[calocen]

A tiny recipe to use letsencrypt certificates with Proxmox Mail Gateway 5.0
Previously update / dist-upgrade your host and create a backup of /etc folder

Install letsencrypt certbot

apt-get install -y certbot

Install a new certificate

certbot --authenticator standalone certonly -d $(hostname -f) --agree-tos

Jump to new certificate and replace selfsigned pmg

pushd /etc/letsencrypt/live/$(hostname -f)
cat privkey.pem cert.pem > /etc/pmg/pmg-api.pem
cp fullchain.pem /etc/pmg/pmg-tls.pem

Restart service

service pmgproxy restart

login in a new tab, don't reload.

[EDIT]
This line was a typo: cp privkey.pem /etc/pmg/pmg-authkey.key

 

[Juliano Silva]

Error

Connection error 401 permission danied invalid PMG ticket

 

[tom]

A tiny recipe to use letsencrypt certificates with Proxmox Mail Gateway 5.0
Previously update / dist-upgrade your host and create a backup of /etc folder

Install letsencrypt certbot

apt-get install -y certbot

Install a new certificate

certbot --authenticator standalone certonly -d $(hostname -f) --agree-tos

Jump to new certificate and replace selfsigned pmg

pushd /etc/letsencrypt/live/$(hostname -f)
cat privkey.pem cert.pem > /etc/pmg/pmg-api.pem
cp privkey.pem /etc/pmg/pmg-authkey.key
cp fullchain.pem /etc/pmg/pmg-tls.pem

Restart service

service pmgproxy restart

login in a new tab, don't reload.

This howto looks wrong to me, I cannot see that TLS on postfix can work with this.

 

[Juliano Silva]

This howto looks wrong to me, I cannot see that TLS on postfix can work with this.

This error now I have to reinstall my PMG,

 

[calocen]

I'm very sorry. I've made a mistake including the line about pmg-authkey.key.

 

[Juliano Silva]

I'm very sorry. I've made a mistake including the line about pmg-authkey.key.

Now I have to reinstall my PMG..

What is the correct command now to install Letsencrypt

 

[Juliano Silva]

A tiny recipe to use letsencrypt certificates with Proxmox Mail Gateway 5.0
Previously update / dist-upgrade your host and create a backup of /etc folder

Install letsencrypt certbot

apt-get install -y certbot

Install a new certificate

certbot --authenticator standalone certonly -d $(hostname -f) --agree-tos

Jump to new certificate and replace selfsigned pmg

pushd /etc/letsencrypt/live/$(hostname -f)
cat privkey.pem cert.pem > /etc/pmg/pmg-api.pem
# [EDIT] This line was a typo: cp privkey.pem /etc/pmg/pmg-authkey.key
cp fullchain.pem /etc/pmg/pmg-tls.pem

Restart service

service pmgproxy restart

login in a new tab, don't reload.

This command does not need to run correct?
cp privkey.pem /etc/pmg/pmg-authkey.key

 

[calocen]

This command does not need to run correct?
cp privkey.pem /etc/pmg/pmg-authkey.key

I've edited original message with a line less

 

[tom]

I've edited original message with a line less

Also this is wrong to me.

(=> cp fullchain.pem /etc/pmg/pmg-tls.pem)

 

[Juliano Silva]

A tiny recipe to use letsencrypt certificates with Proxmox Mail Gateway 5.0
Previously update / dist-upgrade your host and create a backup of /etc folder

Install letsencrypt certbot

apt-get install -y certbot

Install a new certificate

certbot --authenticator standalone certonly -d $(hostname -f) --agree-tos

Jump to new certificate and replace selfsigned pmg

pushd /etc/letsencrypt/live/$(hostname -f)
cat privkey.pem cert.pem > /etc/pmg/pmg-api.pem
cp fullchain.pem /etc/pmg/pmg-tls.pem

Restart service

service pmgproxy restart

login in a new tab, don't reload.

[EDIT]
This line was a typo: cp privkey.pem /etc/pmg/pmg-authkey.key

Hi

letsencrypt renews ssl automatic ?

 

[Jerico815]

Hi

letsencrypt renews ssl automatic ?

You have to create a cronjob.

 

[ChFin]

You have to create a cronjob.

The debian (stretch) package comes with a cron job and a systemd timer.

The cron job won't execute the renew command when you are running systemd (if /run/systemd/system is detected). It's done via certbot.timer
Edit certbot.service (/lib/systemd/system/certbot.service), i.e. preferred challenges, post-hook script & put your copy/restart commands in a post-hook script.
Make sure certbot.timer is started.

 

[Christian Thiele]

It works well for the surface. Unfortunately not at all with TLS.

cp fullchain.pem /etc/pmg/pmg-tls.pem

 

[tom]

It works well for the surface. Unfortunately not at all with TLS.

cp fullchain.pem /etc/pmg/pmg-tls.pem

I already wrote that this howto is wrong, please do not use it.

Instead, see:
https://forum.proxmox.com/threads/how-to-lets-encrypt-and-pmg.41493/