GreenArrow Email Software Documentation

Let’s Encrypt TLS Certificates

Automatic Configuration Recommended

This page describes a legacy method for configuring GreenArrow to use Let’s Encrypt TLS certificates. You’re welcome to continue using this page, but we recommend transitioning to our newer automatic configuration option.

Let’s Encrypt is a Certificate Authority that provides free TLS certificates and a protocol to automate TLS installation and renewal.

This page outlines the procedure to install Let’s Encrypt TLS certificates on GreenArrow’s HTTP server using certbot. Certbot is an ACME protocol client that can fetch and deploy TLS certificates from Let’s Encrypt.

Installing the Certbot client

The instructions to install the certbot client depend on your Linux distribution. When this document was written, Certbot was on version 0.33.0. The instructions in this document were based on that version of Certbot and may not be accurate for other versions.

There may be changes in Certbot’s procedure to create and manage certificates, so please refer to Certbot’s website for the latest installation instructions.

Creating and Installing the TLS Certificate

GreenArrow runs its own custom web server, so Certbot’s default Apache plugin can’t be used with GreenArrow. Follow the instructions for the standalone method to work with GreenArrow’s custom web server.

  1. Optionally make a backup the TLS configuration file so you can easily roll back the changes in case any mistakes are made.

  2. Follow Certbot’s instructions to create a new certificate. The standalone method works with GreenArrow’s custom webroot, which you’ll need to define in this step. GreenArrow’s webroot is /var/hvmail/apache/htdocs/.

    NOTE: This step may require accepting their terms of service and providing a notification email address.

  3. Add the certificate to GreenArrow’s TLS configuration file.

  4. Perform a graceful restart of GreenArrow’s web server.

  5. Check GreenArrow’s services to make sure the hvmail-httpd service is still running after your edits.

  6. Follow Certbot’s instructions for automatic renewal. You can use GreenArrow’s graceful Apache restart command in Certbot’s --deploy-hook option to reload the web server after renewal.

  7. Remove the TLS configuration file backup if one was created in step 1.

  8. Optionally update the certificates used to encrypt SMTP.

More Information

For more information on how to configure HTTP and HTTPS services in GreenArrow, check out the HTTP Server page.

For more information about Let’s Encrypt, visit their web page.

For more information about Certbot, visit their web page.

Copyright © 2012–2020 GreenArrow Email