Installing Let’s Encrypt Certificates in Carbonio

Let’s Encrypt certificates are popular among system administrators because they are free and have a handy toolkit to obtain them. Despite the short period of validity of such certificates, the advantages of using them far outweigh the disadvantages of having to renew them every three months. In this article, we’ll show you how a Carbonio administrator can install Let’s Encrypt certificates using the built-in mail server tools.

This article is suitable for users of the commercial version of Carbonio, and also partially for users of Carbonio Community Edition.

In the recent Carbonio 23.05 update, the developers removed the possibility of insecure login to the mail server. Now you must have an SSL certificate to log in to the web client or the admin console. When you install Carbonio, a self-signed certificate is automatically generated for a period of 5 years. It is issued to the public hostname of the mail server specified during installation, and it comes with a lot of restrictions.

For example, a self-signed certificate will result in a browser warning when the user tries to log in to the web client, and will also make it impossible to connect to the Carbonio server using the mobile app. There are more subtle limitations as well. For example, a valid certificate on the server is mandatory for getting free/busy status in Outlook.

Since Carbonio is a multi-tenant solution that supports the creation of multiple mail domains and virtual hosts to access them, the administrator may need to install a separate certificate for each of them. The easiest way is to install certificates in the admin console.

Installing a certificate in the admin console

Adding virtual host names for mail domains is done on the “Domains” tab of the Administrator Console. The administrator needs to select the desired domain from the drop-down list.

After selecting the domain, go to the “Virtual hosts and certificates” section. Here the administrator can assign virtual host names to the mail domain, as well as install certificates for these names.

Please note that the virtual host name must contain the name of the mail domain. For example, if your domain is called example.ru, then you can use mail.example.ru or carbonio.example.ru as the virtual host name, but, for example, example.carbonio.ru will not work.

If you use several virtual host names to access one mail domain, you should install a wildcard certificate. Such an SSL certificate covers not only a specific domain name, but also its subdomains. For example, a single certificate issued for that name is enough for mail.example.ru alone, whereas the *.example.ru wildcard certificate is required to cover both mail.example.ru and carbonio.example.ru.
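The naming rule and the wildcard coverage described above can be checked before requesting a certificate. The following is an added example, not part of the original article or of Carbonio: the function names are hypothetical, and it assumes that "contain the name of the mail domain" means the virtual host is the mail domain itself or a name below it.

```python
def _norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")


def under_domain(vhost: str, mail_domain: str) -> bool:
    """Assumed reading of the naming rule: the virtual host is the mail
    domain itself or a name below it (label boundary, not substring)."""
    vhost, mail_domain = _norm(vhost), _norm(mail_domain)
    return vhost == mail_domain or vhost.endswith("." + mail_domain)


def san_covers(san: str, host: str) -> bool:
    """True if one certificate name covers host. A wildcard stands for
    exactly one left-most label, as TLS clients apply it."""
    san, host = _norm(san), _norm(host)
    if not san.startswith("*."):
        return san == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def check_vhosts(mail_domain, vhosts, cert_names):
    """Return {vhost: status} for the names a certificate must serve."""
    report = {}
    for vhost in vhosts:
        if not under_domain(vhost, mail_domain):
            report[vhost] = "outside mail domain"
        elif any(san_covers(s, vhost) for s in cert_names):
            report[vhost] = "covered"
        else:
            report[vhost] = "not covered by certificate"
    return report


if __name__ == "__main__":
    # Constructed sample: names from the article plus two edge cases.
    hosts = ["mail.example.ru", "carbonio.example.ru", "example.carbonio.ru",
             "example.ru", "a.mail.example.ru"]
    for host, status in check_vhosts("example.ru", hosts, ["*.example.ru"]).items():
        print(f"{host:22} {status}")
```

The two edge cases show what a wildcard leaves out: *.example.ru covers neither the bare example.ru nor a two-level name such as a.mail.example.ru.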

After creating a domain name, select it and click on the “Upload and Verify Certificate” button. In the window that opens, you can upload the files containing the certificates from the local disk.

In total, the user needs to upload three files: the certificate for the domain name itself, the chain of certificates of the certification authorities, and the private key that will be used when establishing a secure connection. Note the importance of having access rights to the certificate files. After the files have been successfully uploaded, their contents are displayed in the corresponding fields.

Click the “Verify” button to verify the uploaded data before installation. If everything is in order, a notification confirming that the uploaded data is correct will be displayed, and the label on the button will change to “I want to use this certificate”. Clicking on it will install the certificate.

After the installation of the certificate for the domain is completed, the corresponding page will look like this.

Installing a certificate by a delegated administrator

The main disadvantage of Let’s Encrypt certificates is their short validity period, which is three months. If the mail system has several dozen domains, regularly updating certificates can become a burdensome task for the administrator. The commercial version supports delegation of administration rights to a specific domain. A global administrator can appoint one of the users as a domain administrator, after which he will be able to manage users in this domain, as well as independently create virtual host names and update the SSL certificate for it.

The process of installing a certificate for a delegated user differs from the corresponding process for a global administrator only in that at the stage of choosing a domain, he can choose not from all domains in the system, but only from those for which he has been delegated rights.

Note that a certificate change, like every change made to the settings of the domain's virtual hosts, takes effect only after the Proxy node is restarted. Since rebooting servers is available only to the system administrator, the delegated administrator should coordinate the domain certificate renewal work with the global administrator.

For questions about testing, purchasing, licensing and consultations, please e-mail the exclusive Zextras partner at sales@svzcloud.ru.
