Creating SSL Certificates with Let's Encrypt

Let's Encrypt is a free and convenient way of obtaining SSL/TLS certificates that are trusted by all major browsers and mail clients. It provides several benefits when compared to a traditional CA:

  • They are free - These certificates cost nothing.
  • They are convenient - Certificates are created programmatically with very little human interaction. There is no need to submit a CSR by hand and wait for an approval email. Generated certificates are downloaded and installed automatically in the background.
  • Supports multiple SANs - These certificates support multiple Subject Alternative Names (SANs), so one certificate can cover several host names.

Certificates from Let's Encrypt are only valid for 90 days, so they must be renewed far more often than certificates from a traditional CA. This is usually not a problem since Xeams automatically renews them a few days before they expire (see Certificate Renewals below).

This page contains step-by-step instructions on how to create these certificates.

Step-by-Step Instructions

  1. Log into Xeams as an administrator.
  2. Click Server Configuration/Manage SSL Certificate
  3. Click Create a New Certificate button under Option 1
  4. Xeams will attempt to fetch the FQDN for your network and will display that in the Hostname field. Change this value if required.
  5. Let's Encrypt needs to verify that you control the hostname before issuing a certificate. This is called satisfying a challenge. Xeams supports the following challenge types:

    • HTTP - Using Xeams

      In this case, a plain text file is placed under the /.well-known/acme-challenge/ path of the Xeams HTTP server. Let's Encrypt then tries to fetch this file over plain HTTP on port 80. The challenge is considered met if the file can be retrieved using the hostname you want the certificate for, which is why it must resolve to your public IP address.

      Therefore, you must configure Xeams to listen on port 80 for this to work. Additionally, you must configure your network firewall to forward inbound TCP port 80 to the machine where Xeams is running.

      Administrators are often reluctant to open port 80 on their firewall. Keep in mind that the exposure comes from the service listening on the port, not from the port number: opening port 80 to the Xeams HTTP server is no different from opening port 443 to it. Let's Encrypt follows HTTP redirects, so redirecting port 80 to HTTPS does not break validation, and the port only needs to be reachable at the time a certificate is issued or renewed.

    • HTTP - Other

      Use this option if port 80 is already occupied by another web server running on the same machine. In this case, you must specify the Root Path of that server, the folder from which it serves files. For example, if you're using IIS on the same machine, this value will be something like C:\Inetpub\wwwroot. Xeams writes the challenge file below that folder and IIS serves it to Let's Encrypt. Note that the challenge file has no extension; IIS refuses to serve extensionless files unless a MIME type (such as text/plain) is mapped for them, so confirm that a test file in the .well-known\acme-challenge folder can be fetched through port 80 before clicking Submit.

    • DNS

      Use this option if port 80 cannot be reached from the Internet at all, for example on an internal mail server. In this case, you must add a TXT record named _acme-challenge.<hostname> to the public DNS zone for the hostname, containing the value Xeams shows you. Xeams cannot update your DNS zone on your behalf, so because a Let's Encrypt certificate is renewed roughly every ninety days, you must change this record by hand at every renewal. For this reason, we recommend the HTTP option over DNS.

  6. Click Submit. The following page will display the Let's Encrypt terms of service.
  7. Finally, click Proceed to issue the certificate.
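To make step 5 concrete, here is an added example of what the two challenge types actually check. It is not Xeams code and does not talk to Let's Encrypt: the ACME account key, the token and the hostname are constructed for illustration, a local web server on 127.0.0.1 stands in for Xeams (HTTP - Using Xeams) or IIS (HTTP - Other), and the fetch at the end stands in for Let's Encrypt's validation servers. The file path, file content and TXT record value follow RFC 8555 (HTTP-01 and DNS-01) and RFC 7638 (key thumbprint).

```python
"""Added example (not Xeams code): what the Let's Encrypt challenges from step 5 check.
The account key JWK, token, hostname and the local web server are all constructed
stand-ins; nothing here contacts Let's Encrypt."""
import base64
import hashlib
import json
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import URLError
from urllib.request import urlopen

# Folder below the web root that Let's Encrypt requests for the HTTP challenge.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Constructed ACME account key in JWK form; a real one is the client's RSA/ECDSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-example-only"}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Content of the challenge file: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """URL path Let's Encrypt fetches on port 80 of the hostname."""
    return f"/.well-known/acme-challenge/{token}"


def place_http01_file(webroot: str, token: str, jwk: dict) -> str:
    """Write the challenge file below the web root (the Root Path of HTTP - Other)."""
    folder = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def dns01_record_name(hostname: str) -> str:
    """Name of the TXT record you add for the DNS option."""
    return f"_acme-challenge.{hostname}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for the DNS option: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(base_url: str, token: str, jwk: dict, timeout: float = 5.0) -> bool:
    """What the CA does: GET the file over plain HTTP and compare it with the expected
    key authorization. A transport error, a 404 or a mismatch all fail the challenge."""
    try:
        with urlopen(base_url.rstrip("/") + http01_path(token), timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
    except (URLError, OSError):
        return False
    return body.strip() == key_authorization(token, jwk)


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the example's output clean
        pass


def demo_http01_roundtrip(token: str = "hzS3Yz_examp1e_T0k3n") -> dict:
    """Serve a temporary web root on 127.0.0.1 and validate three cases."""
    with tempfile.TemporaryDirectory() as webroot:
        place_http01_file(webroot, token, ACCOUNT_JWK)
        server = ThreadingHTTPServer(("127.0.0.1", 0),
                                     partial(_QuietHandler, directory=webroot))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_address[1]}"
        try:
            other_key = dict(ACCOUNT_JWK, n="some-other-account")  # wrong account key
            return {
                "correct": validate_http01(base, token, ACCOUNT_JWK),
                "wrong_key": validate_http01(base, token, other_key),
                "missing": validate_http01(base, "no-such-token", ACCOUNT_JWK),
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    tok = "hzS3Yz_examp1e_T0k3n"
    print("HTTP file:", http01_path(tok), "->", key_authorization(tok, ACCOUNT_JWK))
    print("DNS TXT  :", dns01_record_name("mail.example.com"), "=", dns01_txt_value(tok, ACCOUNT_JWK))
    print("round trip:", demo_http01_roundtrip(tok))
```

The round trip shows why the validator only succeeds when the file is served with exactly the expected content: a file written by a different account key, or a missing file, fails, so an attacker who can reach port 80 but does not control the web root cannot satisfy the challenge. Before clicking Submit on a real installation, the equivalent check is to fetch http://<hostname>/.well-known/acme-challenge/<any-test-file> from outside your network and confirm it arrives as plain text.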

Certificate Renewals

Certificates from Let's Encrypt are only valid for 90 days, so they must be renewed before they expire. Once the initial setup is complete, Xeams renews them automatically without human intervention, provided you're using one of the HTTP challenge options. With the DNS option, the TXT record has to be updated by hand before each renewal. Xeams also sends an email to the administrator once a certificate has been renewed.

A restart is required before the new certificate is used. By default, Xeams does not restart itself. This is by design, to avoid interrupting email flow during business hours, so administrators have to restart Xeams manually. Until the restart, the previous certificate remains in use, and clients will start reporting an expired certificate if it is allowed to pass its expiration date.

You can change this behaviour, so that Xeams restarts itself as soon as a certificate is renewed, by adding the following line to the server.properties file:

auto.restart.after.renewing.cert=true

Multiple Hostnames

An SSL certificate is tied to a hostname, which is different from the domain name of your email addresses. The certificate must match the name that mail clients and other mail servers connect to, not the part after the @ sign. For example, if you have multiple domain names like:

  • domain-one.com
  • domain-two.com

You can point the MX records for both domains to mail.my-domain.com and configure your users' mail clients to use the same name. In such a case, you only need one certificate, for mail.my-domain.com.

If you need more than one hostname, separate them with a pipe character to create a certificate with multiple Subject Alternative Names (SANs). For example, entering mail.example.com|smtp.my-company.com in the Hostname field creates a certificate for both names. Every name listed must pass its own challenge, so each must resolve publicly and, for the HTTP options, reach the Xeams machine on port 80.