Using Let’s Encrypt! with Kerio Operator

This assumes you internally maintain a certbot host which retrieves certificates, and then you fetch those certs to the frontend / application servers that need them. It is also assumed you have enabled SSH for your Kerio Operator install.

WARNING: This will update your kerio database directly. Do not attempt unless you understand the implications and have made a backup.

  1. mkdir -pv /var/etc/letsencrypt/live/
  2. EDITOR=vim crontab -e:
    0 0 1 * * /usr/bin/scp -o StrictHostKeyChecking=no -r -i /var/etc/letsencrypt/ssl-sync.pem root@certbot-host:/etc/dehydrated/certs/* /var/etc/letsencrypt/live/ && /bin/sh /var/etc/letsencrypt/update-kerio.sh
  3. /var/etc/letsencrypt/update-kerio.sh:
     #!/bin/bash
    
    key=/var/etc/letsencrypt/live/talk.brad-x.com/privkey.pem
     cert=/var/etc/letsencrypt/live/talk.brad-x.com/fullchain.pem
    
    key_contents=$(cat $key)$'\n'
     cert_contents=$(cat $cert)$'\n'
    
    query="insert into ssl_certs values (NULL, '$key_contents', '$cert_contents', NULL) returning SSL_CERTS_ID;"
     NEW_ID=$(echo "$query" | isql-fb -u sysdba -p masterkey /var/lib/firebird/2.0/data/kts.fdb | tail -n2 - | tr -d '[:space:]')
    
    query="update HTTP_SERVER set SSL_CERTS_ID=${NEW_ID} where SSL_CERTS_ID!=0;"
     echo "$query" | isql-fb -u sysdba -p masterkey /var/lib/firebird/2.0/data/kts.fdb
    
    /opt/kerio/operator/bin/regenerateConfiguration

    This adds the letsencrypt cert to the database and sets it active. Note that you’ll have a new cert in the database with each run of the cron job, and you’ll eventually want to clean out old ones. Some work could be done to check that the certificate has changed before running the update-kerio.sh script.

Leave a Reply