This post is outdated. Please see a recently updated version here:
https://irulan.net/using-lets-encrypt-with-kerio-connect

As Let’s Encrypt is probably the best thing happening to the internet for the last decade or two, I wanted to use the certificates with a Kerio Connect installation at a customer. The software documentation advises you to copy and paste the certificate information via their admin web interface. Let’s Encrypt certificates expire every 90 days, so that’s just not an option for a lazy (read: productive, smart) system administrator. The instance is running on Ubuntu Linux 14.04 LTS and performed flawless so far. Here’s how you do it.

Install Let’s Encrypt

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --help

Create the Certificate

Turn off the HTTP and HTTPS services in the admin panel. It won’t work without them disabled or running on non-standard ports. If you want to renew the certificates automatically, you should think about changing the ports permanently.

./letsencrypt-auto certonly --standalone -d mail.example.com

If you’re running this the first time, you’ll need to enter your email address for emergency usage like revoking a certificate. This only needs to be done once.

Congratulations, you now have a valid SSL certificate on your server.

Actually Using the Certificate

To make renewal easy, just link the created certificates to the appropriate folder inside the Kerio Connect hierarchy.

ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem /opt/kerio/mailserver/sslcert/mail.crt
ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem /opt/kerio/mailserver/sslcert/mail.key

Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set is as active.

That’s it.

Renewal

Just run:

./letsencrypt-auto certonly --keep-until-expiring -d mail.example.com

You may want to put this in a cronjob to run every 30 days or so. If the certificate is close to expiring, it will be renewed automatically, otherwise it will be kept until the next run.

Conclusion

If you’re still running an unsecured mail server, now is the time to change that. It will cost you about 15 minutes and you probably will never have to worry about it again.