Manual SSL Certificates

We strongly recommend you use LetsEncrypt instead of manual certificates.

How to get a signed certificate

  • (STOP, GO TO THE LetsEncrypt page instead of doing this!)
  • Open the SSL Configure page in the Web Admin interface.
  • Click on 'Create CSR' if you have never done this before, and give the details of your server.
  • Click on 'Show CSR' and copy the code.
  • Go to your favorite certificate registry and request a signed certificate, or use LetsEncrypt (see notes below). The registry service will want this CSR.
  • They will then give you a signed certificate and intermediate certificates; ask for 'Apache' or 'Other' format.
  • Upload the two files using the buttons on the web interface.

Warning:

If your certificate doesn't match the current private key, or is misformatted etc., then you may lose connection to this page when you press 'save changes'. Instead, use the non-SSL admin port: http://your.server:7026, examine mail.err for the cause, remove ssl/surge_cert.pem and restart surgemail to recreate a working unsigned certificate!

Manual Installation of Certificates - And Debugging Bad Certificates

You can install your certificate manually by replacing the file ssl/surge_cert.pem. The file should start with your certificate, with your intermediate chain certificates appended to the end of it.

If your certificate was created from a different private key then also replace ssl/surge_priv.pem. If your certificate is faulty in any way, SSL will not work. In that case examine mail.err to find the cause, then remove surge_cert.pem and restart surgemail to recreate an unsigned but working certificate.
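A pre-flight check for the two failure modes described above (wrong bundle layout, certificate not matching the private key), added here as an example and not part of SurgeMail itself. It assumes the `openssl` command-line tool is installed; the function name `check_bundle` and its verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example: check a certificate bundle against a private key before
# copying them to ssl/surge_cert.pem and ssl/surge_priv.pem.
# Usage: sh check_bundle.sh <cert_bundle.pem> <private_key.pem>
# Prints a one-word verdict; returns 0 only when the pair is usable.
check_bundle() {
    cert=$1; key=$2

    # The bundle must start with the server certificate, not a key or other block.
    first=$(grep '^-----BEGIN ' "$cert" 2>/dev/null | head -n 1)
    case "$first" in
        "-----BEGIN CERTIFICATE-----"*) ;;
        *) echo "BAD_FORMAT"; return 1 ;;
    esac

    # Unequal BEGIN/END counts mean a block was truncated during copy and paste.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert") || true
    ends=$(grep -c '^-----END CERTIFICATE-----' "$cert") || true
    [ "$begins" -eq "$ends" ] || { echo "BAD_FORMAT"; return 1; }

    # openssl x509 reads only the first certificate in the file (the server cert).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "BAD_FORMAT"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "BAD_KEY"; return 1; }

    # Certificate and key belong together only if their public keys are identical.
    [ "$cert_pub" = "$key_pub" ] || { echo "KEY_MISMATCH"; return 1; }

    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "EXPIRED"; return 1; }

    # A single block means no intermediate chain certificates were appended.
    if [ "$begins" -lt 2 ]; then echo "OK_NO_CHAIN"; return 0; fi
    echo "OK"
}

# Run directly when called with two file arguments.
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

Run it against the new files before replacing the live ones; `KEY_MISMATCH` means ssl/surge_priv.pem also has to be replaced with the key the CSR was generated from.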

If you are using g_ssl_perdomain "true" then place certificates in ssl/mail.domain.name folders.

Generally, for an SSL certificate you should make sure you have url_host defined for each domain, e.g. for xyz.com url_host should be "mail.xyz.com".

If you are using a wildcard SSL certificate and want it to match correctly with any subdomain used, then use the new setting ssl_wildcard "*.xyz.com" so it will match correctly.
