PROBLEM
The pre-installed self-signed certificates are not trusted by the browser. Where do I add my own trusted certificates?
ENVIRONMENT
- atmail suite
- atmail mail server
CAUSE
The certificates used during installation are self-signed certificates.
RESOLUTION
A new certificate will need to be generated or purchased. The same certificate can be used for IMAP, POP, HTTPS, and SMTP. Please save this certificate on the server and follow this guide to configure the appropriate applications to use the new certificate. For the sake of this guide, we will assume that the new key is called new-cert.key and the new certificate is called new-cert.pem.
Nginx certificate setup (webmail)
- Open the nginx config file.
vi /etc/nginx/conf.d/atmail.conf
The default config should look similar to this.
server {
listen 443 http2 ssl;
server_name _;
error_log /var/log/nginx/atmail_error;
access_log /var/log/nginx/atmail_access;
gzip on;
gzip_types text/plain application/xml application/json application/javascript text/css;
ssl_certificate_key /etc/pki/nginx/private/atmail.key;
ssl_certificate /etc/pki/nginx/certs/atmail.pem;
# ssl_trusted_certificate /etc/pki/nginx/certs/letsencrypt_ca.pem;
...
Edit the ssl_certificate_key and ssl_certificate directives to point to your certificates.
ssl_certificate_key /etc/pki/nginx/private/new-cert.key;
ssl_certificate /etc/pki/nginx/certs/new-cert.pem;
- Open the atmail DAV config file.
vi /etc/nginx/conf.d/atmail-dav.conf
The default config should look similar to this.
server {
listen 0.0.0.0:8008;
listen 0.0.0.0:8443 ssl;
server_name _;
keepalive_timeout 10;
error_log /var/log/nginx/dav_errors.log;
root /usr/share/atmail/dav/html/;
index server.php;
rewrite ^/.well-known/caldav /calendars redirect;
rewrite ^/.well-known/carddav /addressbooks redirect;
location / {
try_files $uri $uri/ /server.php?$args;
}
client_max_body_size 100M;
ssl_certificate /etc/pki/nginx/certs/atmail.pem;
ssl_certificate_key /etc/pki/nginx/private/atmail.key;
...
Edit the ssl_certificate_key and ssl_certificate directives to point to your certificates.
ssl_certificate_key /etc/pki/nginx/private/new-cert.key;
ssl_certificate /etc/pki/nginx/certs/new-cert.pem;
- Place the new certificate key for nginx in the /etc/pki/nginx/private directory and change its ownership:
chown root:nginx /etc/pki/nginx/private/new-cert.key
- Now change its permissions.
chmod 0640 /etc/pki/nginx/private/new-cert.key
- Place the new certificate pem file in the /etc/pki/nginx/certs directory and change its ownership:
chown root:root /etc/pki/nginx/certs/new-cert.pem
- Now change its permissions.
chmod 0444 /etc/pki/nginx/certs/new-cert.pem
- Restart nginx and apiserver.
systemctl restart nginx apiserver
IMAP/POP setup
- Place the new certificate key for dovecot in the /etc/pki/dovecot/private directory and change its ownership:
chown root:root /etc/pki/dovecot/private/new-cert.key
- Now change its permissions.
chmod 0640 /etc/pki/dovecot/private/new-cert.key
- Place the new certificate pem file for dovecot in the /etc/pki/dovecot/certs directory and change its ownership.
chown root:root /etc/pki/dovecot/certs/new-cert.pem
- Now change its permissions.
chmod 0444 /etc/pki/dovecot/certs/new-cert.pem
- In the admin portal, navigate to Services -> POP3/IMAP and add the paths to the certificate and key file.
- Click on Save settings and Publish config to save the changes.
SMTP setup
- Make a private and a certs directory in the exim directory.
mkdir /etc/pki/exim/private /etc/pki/exim/certs
- Place the new certificate key for exim in the /etc/pki/exim/private directory and change its ownership.
chown root:exim /etc/pki/exim/private/new-cert.key
- Now change its permissions.
chmod 0640 /etc/pki/exim/private/new-cert.key
- Place the new certificate pem for exim in the /etc/pki/exim/certs directory and change its ownership.
chown root:root /etc/pki/exim/certs/new-cert.pem
- Now change its permissions.
chmod 0444 /etc/pki/exim/certs/new-cert.pem
- In the admin portal, navigate to Services -> SMTP and add the paths to the certificate and key file.
- Click on Save settings and Publish config to save the changes.
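A check to run after placing the files for the steps above, added here as an example and not part of the original atmail guide: it confirms that each private key matches its certificate and that both files carry the modes this guide sets. It assumes the openssl CLI is installed and an unencrypted key; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the atmail guide). Function names are hypothetical.
# Assumes the openssl CLI is available; file names follow the guide's new-cert.*.

# True when the file's permission bits equal the given octal mode exactly.
mode_ok() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# True when the certificate and the private key carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one service directory, e.g. /etc/pki/nginx. Non-zero on any failure.
check_service() {
    dir=$1
    rc=0
    cert="$dir/certs/new-cert.pem"
    key="$dir/private/new-cert.key"
    mode_ok "$cert" 0444 || { echo "FAIL $cert: mode is not 0444"; rc=1; }
    mode_ok "$key" 0640 || { echo "FAIL $key: mode is not 0640"; rc=1; }
    pair_matches "$cert" "$key" || { echo "FAIL $dir: key does not match certificate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $dir"
    return "$rc"
}

# Usage: sh check-certs.sh /etc/pki/nginx /etc/pki/dovecot /etc/pki/exim
status=0
for d in "$@"; do
    check_service "$d" || status=1
done
[ "$status" -eq 0 ]
```

Run it before restarting the services; for nginx, `nginx -t` additionally validates the edited config files.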