how to use lets encrypt with mail-in-a-box

Because I added several sub-domains to better administer libertatum.net (e.g. blog, www), the single SSL certificate I had was no longer sufficient, and now that Let's Encrypt is live it is time to https all the things!

Install Let's Encrypt (the first run of ./letsencrypt-auto --help installs the client and its dependencies)

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help

Stop nginx, because the standalone authenticator needs to bind the web ports itself while it answers the validation challenge

$ sudo service nginx stop

Generate a single certificate covering the domain and each subdomain

$ ./letsencrypt-auto certonly --standalone \
  -d libertatum.net \
  -d box.libertatum.net \
  -d blog.libertatum.net \
  -d www.libertatum.net

That puts the certificate, chain and private key in /etc/letsencrypt/live/libertatum.net/:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Mail-in-a-Box's own hostname is box.libertatum.net, and the certificate and key for that name live directly in /home/user-data/ssl/; for each of the other domains a directory named after the domain needs to be created:

$ sudo mkdir /home/user-data/ssl/{libertatum.net,blog.libertatum.net,www.libertatum.net}

Symlink fullchain.pem and privkey.pem into each directory as ssl_certificate.pem and ssl_private_key.pem. Use fullchain.pem rather than cert.pem so that nginx also sends the intermediate certificate, which clients need to build a trusted chain:

$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/libertatum.net/ssl_private_key.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/www.libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/www.libertatum.net/ssl_private_key.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/blog.libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/blog.libertatum.net/ssl_private_key.pem

Start nginx again and bask in the glory of secure http! One caveat: Let's Encrypt certificates are valid for 90 days, so the certonly step (with nginx stopped) has to be repeated before they expire. The symlinks point into the live/ directory, which Let's Encrypt updates on renewal, so the renewed files are picked up after an nginx reload without relinking.

$ sudo service nginx start
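Before starting nginx it is worth checking that the files the symlinks point at are the ones you think they are. The script below is an added example, not part of the original post: check_cert confirms that the private key matches the certificate, that every hostname nginx will serve appears in the certificate's subject alternative names, and that the certificate is not about to expire. The hostnames are the ones from this post; make_demo_cert only builds a self-signed certificate as constructed test data so the check can be tried offline, it is not a Let's Encrypt certificate.

```shell
#!/bin/sh
# check_cert CERT KEY HOST...   (added example; not from the original post)
# Exit status: 0 all good, 1 a hostname is missing from the SAN list,
# 2 the key does not belong to the certificate.
check_cert() {
  cert=$1
  key=$2
  shift 2

  # Compare the public key embedded in the certificate with the one derived
  # from the private key; any difference means nginx will refuse to start.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2
    return 2
  fi

  # One SAN entry per line, e.g. "DNS:libertatum.net"
  sans=$(openssl x509 -in "$cert" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr -d ' ' | tr ',' '\n')

  rc=0
  for host in "$@"; do
    if printf '%s\n' "$sans" | grep -qx "DNS:$host"; then
      echo "ok: $host"
    else
      echo "FAIL: $host is not in the certificate" >&2
      rc=1
    fi
  done

  # Let's Encrypt certificates last 90 days; warn when under 30 remain.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "WARN: $cert expires within 30 days; renew it" >&2
  fi
  return $rc
}

# make_demo_cert DIR HOST...   builds a self-signed certificate covering the
# given hostnames (constructed test data, not a real Let's Encrypt cert).
make_demo_cert() {
  dir=$1
  shift
  san=$(printf 'DNS:%s,' "$@")
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = ${san%,}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/req.cnf" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Demo run: ./check_cert.sh --demo   (blog.libertatum.net is deliberately
# left out of the demo certificate so one FAIL line is expected)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_cert "$d" libertatum.net www.libertatum.net
  check_cert "$d/fullchain.pem" "$d/privkey.pem" \
    libertatum.net www.libertatum.net blog.libertatum.net
  rm -rf "$d"
fi
```

Against the real files you would run it as check_cert /home/user-data/ssl/libertatum.net/ssl_certificate.pem /home/user-data/ssl/libertatum.net/ssl_private_key.pem libertatum.net box.libertatum.net blog.libertatum.net www.libertatum.net; since openssl follows the symlinks, this also proves that the links resolve.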

hello world 2: how I rebuilt my website

So I have been tinkering with my single-point-of-‘net-presence; while it doesn’t look any different from here (which is sort of the point) I have been figuring out how to integrate mail (see my mail-in-a-box post) and this humble site into one easy to manage package. As it turns out, mail-in-a-box already runs nginx to provide a static web service. I am now hosting this on a legitimate host (DigitalOcean) and I have SSL certs!

food & drink recipes

I really love to eat and drink. /recipes will be where I keep whatever I find or come up with. Check out the Naked & Famous or my wife’s favourite, Parlay in the Parlour.

what I am doing this weekend: mail-in-a-box

I am an Android guy. Not because it is ‘better’ than the alternatives, but because it is more apt for messing around with than anything else currently available (though I am looking forward to playing with the Ubuntu Phone). I like Google and I understand the attractiveness of outsourcing email, but I want to control as much of my online presence as possible and do it as simply as possible (see my first post). I am getting a new phone soon (Sony Xperia Z3 Compact) to address battery issues with my current phone (Nexus 4), but since the phone works fine otherwise I will be able to tinker with it. So I installed a nightly release of CyanogenMod 12 on it without any Google cruft. My plan is to create my own personal cloud and access it with as open a device as possible. If not, why not?

Whatever form my mail server was going to take in the end, I wanted to make sure it would be as close to the Popeil Standard (Set it, and Forget it!) as possible. This is not my first rodeo when it comes to hosting my own mail, and I had decided on some mix of the following:

  • postfix, dovecot, cyrus
  • spamassassin or spamd
  • MySQL and LDAP for virtual users (I don’t want to create a bunch of actual users and have to deal with denying access &c.)
  • opendkim for authentication
  • webmail via roundcube
  • ownCloud for CalDAV/WebDAV

So you can imagine how happy I was to discover Mail-in-a-Box. Yep, basically everything I want, all scripted and ready to run. Seriously, this is what I needed. I can use the git repo to start from and build out what I had in mind.

hello world: or how I built my website

I wanted a simple web presence, mostly as an exercise but partly as a space to post thoughts and notes that I will find useful in the future, and that perhaps others may find useful too. In this vein this post covers what I did to build this site, the rationale behind my choices, and any other bits about the process that I think are interesting.

building the server

For speed, I prototyped the website on an OpenStack instance in a cloud using a ‘tiny’ Ubuntu 14.04 (Trusty Tahr) image. I installed the following packages, which are needed to get the site up:

  • ruby
  • ruby-dev
  • nodejs

building the site

This was wickedly simple. On my local system (OS X) I created the site repository with jekyll, which also lets me build the content locally for review before committing.

$ jekyll new wrldswrst.ninja && cd wrldswrst.ninja
$ git init
$ git add .
$ git commit -m "Initial commit"

On the web server I changed the nginx configuration, because I prefer to keep web content under /var/www/, and since I will be serving only HTML my only site lives in /var/www/html. The config file is /etc/nginx/sites-available/default; configure it as appropriate. Give ownership of /var/www/ to your working user (not root!): the deploy hook below writes there, while nginx only needs to read it. We also need to install jekyll:

$ sudo gem install jekyll

Next, create the bare repository that we will push to. It is kept under my working account on the server (not root!).

$ cd ~/
$ mkdir repos && cd repos
$ mkdir wrldswrst.ninja.git && cd wrldswrst.ninja.git
$ git init --bare

Create ~/repos/wrldswrst.ninja.git/hooks/post-receive. It clones the wrldswrst.ninja repository into a temporary directory under ~/, then uses jekyll to build the source into /var/www/html:

#!/bin/bash -l
set -eu
GIT_REPO="$HOME/repos/wrldswrst.ninja.git"
TMP_GIT_CLONE="$HOME/tmp/git/wrldswrst.ninja"
PUBLIC_WWW=/var/www/html

# a clone left behind by a failed run would make the next git clone refuse to start
rm -rf "$TMP_GIT_CLONE"
mkdir -p "$(dirname "$TMP_GIT_CLONE")"
git clone "$GIT_REPO" "$TMP_GIT_CLONE"
jekyll build --source "$TMP_GIT_CLONE" --destination "$PUBLIC_WWW"
rm -rf "$TMP_GIT_CLONE"
exit 0

Then mark the hook executable.

Back on your local machine, add a remote repo called ‘web’:

$ git remote add web <user>@wrldswrst.ninja:~/repos/wrldswrst.ninja.git
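The hook above rebuilds the live site on every push, whatever branch was pushed, and jekyll writes straight into /var/www/html, so a broken build leaves a broken site. The script below is an added example of a more careful post-receive hook; it is not the original post's hook, and the repository path, site directory and branch name are assumptions that match the layout described above. git hands post-receive one "oldrev newrev refname" line per updated ref on standard input, so deploy_wanted only fires for a push to master (a deleted ref arrives with an all-zero newrev), and build_site builds into a staging directory that publish_dir swaps into place only after jekyll has succeeded.

```shell
#!/bin/bash -l
# Added example of a post-receive hook (not the original post's hook).
# Paths and branch name are assumptions matching the post's layout.
set -eu

GIT_REPO="${GIT_REPO:-$HOME/repos/wrldswrst.ninja.git}"
PUBLIC_WWW="${PUBLIC_WWW:-/var/www/html}"
DEPLOY_BRANCH="${DEPLOY_BRANCH:-master}"

# deploy_wanted BRANCH < post-receive-stdin
# git feeds post-receive one "oldrev newrev refname" line per updated ref.
# Returns 0 if refs/heads/BRANCH was updated and not deleted (a deletion
# shows up with a newrev of forty zeros).
deploy_wanted() {
  want="refs/heads/$1"
  zero=$(printf '%040d' 0)
  while read -r oldrev newrev refname; do
    if [ "$refname" = "$want" ] && [ "$newrev" != "$zero" ]; then
      return 0
    fi
  done
  return 1
}

# publish_dir STAGE DEST
# Swap a fully built STAGE directory into place at DEST. The previous site
# is removed only after the new one is live, so a failed build (which
# aborts the script before this point under set -e) never touches it.
publish_dir() {
  stage=$1
  dest=$2
  old="$dest.old.$$"
  if [ -d "$dest" ]; then
    mv "$dest" "$old"
  fi
  mv "$stage" "$dest"
  rm -rf "$old"
}

# build_site BRANCH   prints the path of a freshly built staging directory
build_site() {
  clone=$(mktemp -d "$HOME/tmp/git.XXXXXX")
  # staged next to the site so the final mv stays on one filesystem
  stage=$(mktemp -d "$(dirname "$PUBLIC_WWW")/html.stage.XXXXXX")
  git clone --quiet --branch "$1" --depth 1 "$GIT_REPO" "$clone"
  jekyll build --source "$clone" --destination "$stage" >/dev/null
  rm -rf "$clone"
  printf '%s\n' "$stage"
}

# git runs hooks with GIT_DIR set; outside git (e.g. when sourced for a
# test) only the functions above are defined.
if [ -n "${GIT_DIR:-}" ]; then
  if deploy_wanted "$DEPLOY_BRANCH"; then
    mkdir -p "$HOME/tmp"
    stage=$(build_site "$DEPLOY_BRANCH")
    publish_dir "$stage" "$PUBLIC_WWW"
    echo "deployed $DEPLOY_BRANCH to $PUBLIC_WWW"
  else
    echo "no push to $DEPLOY_BRANCH; nothing deployed"
  fi
fi
```

The staging directory is created beside /var/www/html rather than under /tmp so that the final mv is a rename on the same filesystem; because the user owns /var/www/, no root privileges are needed anywhere in the hook.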

making it all pretty

I really like Solarized, so I looked around and found mattvh’s theme. Perfect: I just cloned it from git over my local jekyll directory and made my modifications.

final thoughts

Really, that was all there was to it. I think it took more time to document this process than it did to actually do it. However, there is much more I want to do, not least of which is a proper https certificate. Otherwise, I now have a very simple workflow for publishing content using the tools I like, with a very simple code base to maintain, with the help of my own git repo. Next I will work on automating the build, so it will be easy to migrate later.