Koozali – Single multi-domain SSL certificate using Let’s Encrypt

By telleropnul, June 27, 2016

Installation(Koozali SME server v9.x)

yum install git

Then download the dehydrated client:

cd /etc
git clone https://github.com/lukas2511/dehydrated
mv dehydrated/dehydrated /usr/local/bin/

You’ll need to create two configuration files for the dehydrated script to work.

cd dehydrated
mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
vi domains.txt

In this file, you’ll list every hostname that you want your certificate to cover, all on one line. It will look like this:

domain1.com www.domain1.com mail.domain1.com domain2.net www.domain2.net domain3.org ftp.domain3.org

Second, you’ll need to create the configuration file:

vi config

It should look like this:

# config
# CA="https://acme-staging.api.letsencrypt.org/directory"
# E-mail to use during the registration (default: <unset>)

For testing purposes, it’s recommended that you uncomment the third line (so it begins with “CA=”). Any certificates issued while testing will not be trusted, but they will also not count against your rate limits. Once your configuration is set, you can comment out that line and re-run dehydrated.

NOTE: I instead opted to use the default directory “/etc/dehydrated” for the location of “config” and “domains.txt”

You’ll need to create a custom “hook” script to set the config database up properly, and to trigger reloads of your system services when a certificate is issued or renewed.

vi /usr/local/bin/dehydrated

Its contents should look like this:


if [ $1 = "deploy_cert" ]; then
  /sbin/e-smith/db configuration setprop modSSL key $KEY
  /sbin/e-smith/db configuration setprop modSSL crt $CERT
  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
  /sbin/e-smith/signal-event domain-modify
  /sbin/e-smith/signal-event email-update
  /sbin/e-smith/signal-event ibay-modify

If you have at least version 5.6.0-26 of e-smith-base installed (i.e., if you’ve installed updates since late January of 2016), replace the three signal-event lines with

 /sbin/e-smith/signal-event ssl-update

Then make it executable:

chmod +x /usr/local/bin/dehydrated-hook

You’ll also need to create a custom template fragment for Apache:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
vi /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME

The contents of that file should look like:

# Alias for letsencrypt
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

Expand the template and restart apache:

expand-template /etc/httpd/conf/httpd.conf
service httpd-e-smith restart

Now you’re ready to run dehydrated and get your certificate.

dehydrated -c

The script will run for a moment and should report success. If it does, look in /etc/dehydrated/certs/YOURDOMAIN and see if you have your files there. You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem). If you do, congratulations! You’ve successfully obtained your certificate. The hook script should have also configured your server to use the new certificate. To make sure, run

config show modSSL

and make sure there are values set for crt, key, and CertificateChainFile.

As above, once you’ve obtained your certificate and configured your server, test your server with a tool like SSLLabs.com to make sure it’s working properly.


Errors in the certificate files may prevent Apache and some other services from starting. If you previously had custom settings for modSSL, revert those with:

config setprop modSSL crt (old value)
config setprop modSSL key (old value)
config setprop modSSL CertificateChainFile (old value--if this property was empty, delete it using the command line below)

If you did not have custom settings for modSSL, remove your changes with:

config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile 

Once you’ve made these changes, force a renewal of the certificates (and update modSSL configuration):

dehydrated -c -x

To let the changes have effect:

signal-event post-upgrade
signal-event reboot

Renewal of the certificates

As part of the security of Letsencrypt the certificates must be renewed every 3 months. The process will differ depending on whether you’re using the official client or dehydrated.

Using Dehydrated

When run, the dehydrated script will check your existing certificate to see how long it’s valid. If it has less than 30 days’ lifetime remaining (by default; this can be changed by setting RENEW_DAYS in config to something other than 30), the script will renew your certificates. If more than 30 days remain, the script will exit without further action. All that’s necessary is to run dehydrated daily:

vi /etc/cron.daily/call-dehydrated

Enter the following in this file:

/usr/local/bin/dehydrated -c

Then make it executable:

chmod +x /etc/cron.daily/call-dehydrated


Your certificate, private key, and other important information are stored in /etc/dehydrated, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups.