@ -37,7 +37,7 @@ add the following directives to the `myfirewall` chain in `/etc/nftables.conf`:
```
then make sure configuration has taken place by running:
```
nft -f /etc/nftables
nft -f /etc/nftables.conf
```
## set up domain name
@ -49,18 +49,26 @@ ping ${dnsname:?}
## get SSL certificates from letsencrypt
install certbot:
install acme.sh
```
apt install certbot
apt install socat
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install --home /usr/local/lib/acme-sh \
--config-home /etc/acme-sh \
--accountemail letsencrypt@mail.alemor.org
```
if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept` .
Then exit and relogin to refresh the bash hash
Get a certificate for your domain by running:
```
certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?}
acme.sh --issue --alpn --pre-hook 'systemctl stop haproxy' \
--post-hook 'systemctl start haproxy' -d mailtest.alemor.org
acme.sh --install-cert -d mailtest.alemor.org \
--fullchain-file /srv/vol/mailsrv/ssl/fullchain.pem \
--key-file /srv/vol/mailsrv/ssl/key.pem
```
the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands.
## make users and aliases
