SSL certificates have always been pricey stuff, but since Let's Encrypt started offering free, valid SSL certificates, there is no more excuse NOT to run HTTPS on your site or, in this case, your mail server (webmail). The good part: you get a free, valid SSL certificate. The bad part: the certificate is only valid for 90 days. So, let's start. First, we need to install Let's Encrypt:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --help
Now we need to create the actual certificate. For this step to succeed, you MUST stop both the HTTP and HTTPS services in your Kerio Connect installation, because standalone mode starts its own temporary web server on those ports:
./letsencrypt-auto certonly --standalone -d mail.sefnet.local
Note that you need to replace mail.sefnet.local with your actual mail server address!
Now you can start the HTTP and HTTPS services again. The next step should work on most Kerio Connect installations; unfortunately, it did not on mine, so I had to import the certificate manually.
ln -s /etc/letsencrypt/live/mail.sefnet.local/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt
ln -s /etc/letsencrypt/live/mail.sefnet.local/privkey.pem /opt/kerio/mailserver/sslcert/mail.key
Now go to the Kerio Connect admin panel and select SSL Certificates. If you can see your new certificate, you do not need to do anything else. Otherwise, copy the crt and key files off your mail server and import them manually through the admin panel.
To renew the SSL certificate, just run the following command:
./letsencrypt-auto certonly --keep-until-expiring -d mail.sefnet.local
Remember to use the actual address of your mail server!
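Because the certificate only lasts 90 days and may end up being imported by hand, it helps to check the pair before and after each renewal. The following is an added example, not part of the original post: the function name check_cert_pair and the 30-day default threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# check_cert_pair CERT KEY [DAYS]   (hypothetical helper, added example)
# Return codes:
#   0  certificate parses, is valid for more than DAYS days, and matches KEY
#   1  certificate expires within DAYS days (default 30, an assumed threshold)
#   2  private key does not belong to the certificate
#   3  a file is missing/unreadable or the certificate cannot be parsed
check_cert_pair() {
    cert=$1; key=$2; days=${3:-30}

    [ -r "$cert" ] && [ -r "$key" ] || return 3

    # fullchain.pem holds several certificates; openssl x509 reads the
    # first one, which is the leaf certificate for the mail server.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3

    # -checkend takes seconds and exits non-zero if the certificate
    # will have expired by then.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) \
        >/dev/null 2>&1 || return 1

    # Derive the public key from both files and compare them; a mismatch
    # means the wrong key was linked or copied next to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    return 0
}
```

Call it with the paths from this post, for example check_cert_pair /opt/kerio/mailserver/sslcert/mail.crt /opt/kerio/mailserver/sslcert/mail.key, and renew when it returns 1.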