Many modern browsers reject self-signed SSL certificates, to the point where some will refuse to load the web page at all. Fortunately, there is a way to obtain valid, publicly trusted SSL certificates at no cost.
Enter Let's Encrypt ...
Let's Encrypt certificates are now and forever free of charge. They also renew automatically, so once they are set up you will never have to install new certificates by hand.
Directly from the Let's Encrypt website:
"Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG)."
Let's Encrypt Principles:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol is published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Integration with Mailborder
Installing and setting up Let's Encrypt with Mailborder is simple and painless.
- First, a firewall entry must be created to allow verification from the Let's Encrypt servers. This requires that port 80, and only port 80, be allowed inbound from the Internet to the Mailborder server(s). This is how Let's Encrypt verifies domain ownership. Mailborder forces an SSL/TLS connection for the GUI or API to load, so leaving port 80 open is not a security issue. If you are unable or unwilling to open port 80 to the Mailborder server, you will need to install traditional SSL/TLS certificates.
- Next, install the Let's Encrypt package on each Mailborder server:
sudo apt install certbot python3-certbot-nginx
- Now run the Let's Encrypt Certbot and follow the prompts. When asked which names to secure, select the certificates for your Master, Portal, and API. Do not redirect when asked (see below).
sudo certbot --nginx --no-redirect
- Answer "No redirect" to this question. Mailborder already redirects HTTP to HTTPS itself.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
This completes the installation. If you wish to also secure your SMTP connection with a valid TLS connection that does not use a self-signed certificate, see this article.
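After the steps above, it is worth confirming that the Master, Portal, and API hosts now present a Let's Encrypt certificate rather than the old self-signed one, and that automatic renewal is keeping up. The script below is an added example and is not part of Mailborder or Certbot; the host names are placeholders, and the embedded sample certificate dictionary is constructed in the shape that `ssl.getpeercert()` returns.

```python
import socket
import ssl
import sys
import time

# Certbot renews a Let's Encrypt certificate once fewer than this many days remain.
RENEW_THRESHOLD_DAYS = 30

# Constructed sample in the shape ssl.getpeercert() returns for a validated connection.
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

def _name(rdns):
    """Flatten the tuple-of-tuples form used for subject and issuer into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}

def is_self_signed(cert):
    """A self-signed certificate lists itself as its own issuer."""
    return _name(cert["issuer"]) == _name(cert["subject"])

def issuer_org(cert):
    return _name(cert["issuer"]).get("organizationName", "")

def days_until_expiry(cert, now):
    """Whole days left before notAfter, measured from the epoch time `now`."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def assess(cert, now):
    """Return a list of problems; an empty list means the certificate looks right."""
    problems = []
    if is_self_signed(cert):
        problems.append("still self-signed: browsers will keep refusing the page")
    elif issuer_org(cert) != "Let's Encrypt":
        problems.append(f"issued by {issuer_org(cert)!r}, not Let's Encrypt")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append("expired: check 'sudo certbot renew' and the nginx reload")
    elif left < RENEW_THRESHOLD_DAYS:
        problems.append(f"only {left} days left: certbot's renewal timer may not be running")
    return problems

def check_host(host, port=443):
    """Connect with normal verification; an untrusted (self-signed) cert fails before assess()."""
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), time.time())
    except ssl.SSLCertVerificationError as exc:
        return [f"not trusted by the local CA store ({exc.verify_message}); probably self-signed"]

if __name__ == "__main__":
    # Usage: python3 check_tls.py master.example.com portal.example.com api.example.com
    for name in sys.argv[1:]:
        print(name, check_host(name) or ["OK"])
```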