mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

How to combine LetsEncrypt existing certificate with "-existing-webserver"? #94

Closed naddika closed 8 months ago

naddika commented 8 months ago

mox, when run with the flag -existing-webserver, will generate this config:

# public > TLS > 

KeyCerts:
        -

                # Certificate including intermediate CA certificates, in PEM format.
                CertFile: path/to/correo.domain123-chain.crt.pem

                # Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
                # EC private keys are recognized as well.
                KeyFile: path/to/correo.domain123.key.pem
        -

                # Certificate including intermediate CA certificates, in PEM format.
                CertFile: path/to/mta-sts.domain123-chain.crt.pem

                # Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
                # EC private keys are recognized as well.
                KeyFile: path/to/mta-sts.domain123.key.pem
        -

                # Certificate including intermediate CA certificates, in PEM format.
                CertFile: path/to/autoconfig.domain123-chain.crt.pem

                # Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
                # EC private keys are recognized as well.
                KeyFile: path/to/autoconfig.domain123.key.pem

And these existing LetsEncrypt ones:

$ sudo ls -al /etc/letsencrypt/live/domain123.com
total 12
drwxr-xr-x 2 root root 4096 Nov  6 07:26 .
drwx------ 6 root root 4096 Nov  6 07:26 ..
lrwxrwxrwx 1 root root   36 Nov  6 07:26 cert.pem -> ../../archive/domain123.com/cert1.pem
lrwxrwxrwx 1 root root   37 Nov  6 07:26 chain.pem -> ../../archive/domain123.com/chain1.pem
lrwxrwxrwx 1 root root   41 Nov  6 07:26 fullchain.pem -> ../../archive/domain123.com/fullchain1.pem
lrwxrwxrwx 1 root root   39 Nov  6 07:26 privkey.pem -> ../../archive/domain123.com/privkey1.pem
-rw-r--r-- 1 root root  692 Nov  6 07:26 README

Which of these should I add into the mox.conf? There are 4 pairs in mox.conf. Should I remove 3 of them leaving 1?

And for the 1 left, which 2 out of the 4 in /etc/letsencrypt/live/domain123.com should I use in mox.conf?

For instance, in nginx config I'll use the fullchain and privkey one. But mox requires a chain one which is different already.

mjl- commented 8 months ago

If you don't want to use MTA-STS and autoconfig, you could disable MTA-STS for each domain (in domains.conf) and disable autoconfig (in mox.conf), and remove the key/cert pair in mox.conf for them. MTA-STS makes SMTP delivery with STARTTLS required, so I would try to keep that enabled. Autoconfig is useful for some email clients, making it easier to set up a new account. I would at least try to keep MTA-STS enabled.

Without MTA-STS and autoconfig, I think that should leave only 1 pair, for the hostname itself (if you have a 4th pair, for what domain is it?). KeyFile should point to privkey.pem. I'm pretty sure CertFile should point to chain.pem. It's likely fullchain.pem includes the root certificate, but there's no point sending that to TLS clients: Either they already have it and trust it, or they don't have it and won't trust it even if you send it.

Keep in mind the certificate should be for the hostname where mox is running (e.g. mail.yourdomain.example), not for your domain directly (so not for yourdomain.example). With a certificate for the domain, TLS certificate verification will fail during SMTP STARTTLS due to hostname mismatch.

Mox also includes a webserver. It can serve static files and serve as reverse proxy. It's easily configurable (through config file and web admin that updates the config file). It does transparent and cached compression. And it will automatically fetch TLS certificates for new domains you add, through Let's Encrypt. So it could be worth trying to use it. It has made my life simpler (I used to run nginx too).

Keep in mind that mox does not currently automatically refresh certificates from disk. So you should probably configure some kind of hook in the tool that fetches certificates (certbot?) that restarts mox after a certificate refresh.

zigomi commented 8 months ago

Mox also includes a webserver. It can serve static files and serve as reverse proxy. It's easily configurable (through config file and web admin that updates the config file). It does transparent and cached compression. And it will automatically fetch TLS certificates for new domains you add, through Let's Encrypt. So it could be worth trying to use it. It has made my life simpler (I used to run nginx too).

You suggest that I switch to the webserver of mox for multiple websites that I run on the same machine and for which I now use nginx?

If you don't want to use MTA-STS and autoconfig, you could disable MTA-STS for each domain (in domains.conf) and disable autoconfig (in mox.conf), and remove the key/cert pair in mox.conf for them. MTA-STS makes SMTP delivery with STARTTLS required, so I would try to keep that enabled. Autoconfig is useful for some email clients, making it easier to set up a new account. I would at least try to keep MTA-STS enabled.

The question is also which file-certificate of LetsEncrypt to use for MTA-STS and Autoconfig.

I'm pretty sure CertFile should point to chain.pem.

Didn't work. Worked with cert1 and fullchain1

mjl- commented 8 months ago

You suggest that I switch to the webserver of mox for multiple websites that I run on the same machine and for which I now use nginx?

Yes. (: If it is an option of course. And that depends on whether you're using features of nginx that mox doesn't support. I've implemented everything I needed, but some more functionality could be added. Though mox is not going to be as configurable as nginx.

The question is also which file-certificate of LetsEncrypt to use for MTA-STS and Autoconfig.

I think I don't understand the question. Your directory listing is for domain123.com. For MTA-STS I would expect a directory mta-sts.domain123.com with the same set of files as the listing earlier. And for autoconfig a directory autoconfig.domain123.com. For your mail host I would expect something like .domain123.com, not domain123.com. Because each email domain needs 3 certificates, it can get annoying to handle it with a separate tool (certbot). That's why I switched to mox also for my HTTPS TLS needs.

Didn't work. Worked with cert1 and fullchain1

What was in those files? I would expect cert1 to be a single certificate, without intermediates. And chain1 to contain cert1 + 1 or more intermediates. And fullchain1 to be cert1 + intermediates + root. If using just cert1 seems to work, that may be because your devices happen to already know about the intermediates from other TLS connections. But not all devices may already know those intermediates, and some may see TLS connectivity issues. So I think you should load the intermediates.

naddika commented 8 months ago

1) Ok. But the webserver of Mox isn't an option.

2) Ok.

3) Mox wouldn't even start - would fail at startup when I was using chain1 -- invalid format of the certificate or something similar. With the other 2 it at least would start. But I haven't tested it in the browser yet.
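The thread turns on two things: which of certbot's four files holds a leaf certificate that matches privkey.pem (and which holds only intermediates), and why mox refused to start when pointed at chain1. The program below is an added example, not code from mox or certbot. It loads a CertFile/KeyFile pair with tls.X509KeyPair, the standard-library call a Go TLS server uses (assumed, not verified against mox's source, to be what mox calls too), and reports how many certificates the file contains, whether the key belongs to the first certificate (the check that fails at startup), whether the chain is ordered leaf-first, and whether the file ends in a self-signed root that there is no point sending. The certbot-style files it inspects are constructed inside the program (the names `mail.domain123.example`, `Constructed Root CA`, `Constructed Intermediate CA` and the extra `fullchain+root.pem` are assumptions), so it runs offline; to check real files, read them with os.ReadFile and pass the bytes to Inspect.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainReport summarises what a CertFile/KeyFile pair actually contains.
type ChainReport struct {
	NumCerts     int  // CERTIFICATE blocks found in the cert file
	KeyMatches   bool // the private key belongs to the FIRST certificate
	Ordered      bool // each certificate is signed by the one after it (leaf first)
	EndsWithRoot bool // last certificate is self-signed: the root is shipped needlessly
}

// Inspect reports whether certPEM/keyPEM are usable as one KeyCerts entry.
func Inspect(certPEM, keyPEM []byte) (ChainReport, error) {
	r := ChainReport{Ordered: true}
	var certs []*x509.Certificate
	for b, rest := pem.Decode(certPEM); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // e.g. a stray PRIVATE KEY block pasted into the cert file
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return r, fmt.Errorf("certificate %d: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
	if r.NumCerts = len(certs); r.NumCerts == 0 {
		return r, errors.New("no CERTIFICATE block found")
	}
	// tls.X509KeyPair (the loader a Go TLS server uses; assumed to be what mox calls) fails unless the key matches the first cert.
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	r.KeyMatches = err == nil
	for i := 0; i+1 < len(certs); i++ {
		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
			r.Ordered = false
		}
	}
	r.EndsWithRoot = certs[len(certs)-1].CheckSignatureFrom(certs[len(certs)-1]) == nil
	return r, nil
}

// newCert is fixture code: a fresh P-256 key plus a certificate for cn signed by parent (self-signed when parent is nil).
func newCert(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, DNSNames: []string{cn},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign // CheckSignatureFrom requires this on issuers
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// CertbotLayout builds a CONSTRUCTED root -> intermediate -> leaf chain and lays the PEM files out
// the way certbot's live/<name>/ does. "fullchain+root.pem" is not a certbot file; it only exercises EndsWithRoot.
func CertbotLayout() map[string][]byte {
	root, rootKey, rootPEM := newCert("Constructed Root CA", true, nil, nil)
	inter, interKey, interPEM := newCert("Constructed Intermediate CA", true, root, rootKey)
	_, leafKey, leafPEM := newCert("mail.domain123.example", false, inter, interKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	fullchain := append(append([]byte{}, leafPEM...), interPEM...)
	return map[string][]byte{
		"cert.pem": leafPEM, "chain.pem": interPEM,
		"fullchain.pem":      fullchain,
		"fullchain+root.pem": append(append([]byte{}, fullchain...), rootPEM...),
		"privkey.pem":        pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
	}
}

func main() {
	files := CertbotLayout()
	for _, n := range []string{"cert.pem", "chain.pem", "fullchain.pem", "fullchain+root.pem"} {
		r, err := Inspect(files[n], files["privkey.pem"])
		fmt.Printf("%-18s %+v err=%v\n", n, r, err)
	}
}
```

On a real pair the combination to look for is KeyMatches and Ordered both true with EndsWithRoot false. A file that reports KeyMatches false is one whose first certificate is not the leaf the key belongs to, which is what a file holding only intermediates looks like, and it will be rejected at load time rather than at the first TLS handshake. A single-certificate file that loads fine is still worth flagging: it carries no intermediates, so clients that have not cached them elsewhere will fail verification.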