Recommend to use '--webroot' option for certbot.

en_US/howto/use.a.bought.ssl.certificate.md

@@ -1,4 +1,4 @@
-# Use a bought SSL certificate
+# Use a SSL certificate
 
 [TOC]
 
@@ -10,13 +10,28 @@ annoying message, you have to buy a SSL certificate from SSL certificate
 provider. Search `buy ssl certificate` in Google will give you many SSL
 providers, choose the one you prefer.
 
-> ["Let's Encrypt" offers free SSL certificate](https://letsencrypt.org)
+## Get a SSL certificate
 
-## Generate SSL private key and buy one SSL certificate
+### Get a free LetsEncrypt ssl cert
 
-First of all, you need to generate a new SSL certificate on your server
-with `openssl` command. __WARNING__: do NOT use key length smaller than `2048` bit,
-it's insecure.
+["Let's Encrypt"](https://letsencrypt.org) offers free SSL certificate, please
+follow its official tutorial to get one: <https://certbot.eff.org>
+
+!!! attention
+
+    The `--apache` option of `certbot` program will modify Apache config
+    files, most time it messes up iRedMail configurations, so it's better
+    to get the cert with `--webroot` option while requesting cert, then
+    follow tutorial below to update config files to use the cert.
+
+### Buy from a trusted SSL vendor
+
+To buy ssl cert from a trusted vendor, you need to generate a new SSL
+key and signing request file on your server with `openssl` command:
+
+!!! warning
+
+    Do NOT use key length smaller than `2048` bit, it's insecure.
 
 ```
 # openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

html/index.html

@@ -137,7 +137,7 @@
 <li><a href="sql.create.mail.user.html">SQL: Create new mail user</a></li>
 <li><a href="sql.user.mail.forwarding.html">SQL: User mail forwarding</a></li>
 <li><a href="store.spamassassin.bayes.in.sql.html">Store SpamAssassin bayes in SQL</a></li>
-<li><a href="use.a.bought.ssl.certificate.html">Use a bought SSL certificate</a></li>
+<li><a href="use.a.bought.ssl.certificate.html">Use a SSL certificate</a></li>
 <li><a href="use.openldap.as.address.book.in.outlook.html">Use OpenLDAP as address book in Microsoft Outlook</a></li>
 <li><a href="user.alias.address.html">Per-user alias address</a></li>
 </ul>

html/use.a.bought.ssl.certificate.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-        <title>Use a bought SSL certificate</title>
+        <title>Use a SSL certificate</title>
         <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
     </head>
     <body>
@@ -19,11 +19,15 @@
 <p class="admonition-title">This tutorial is available in other languages. <a href="https://bitbucket.org/zhb/iredmail-docs/src">Help translate more</a></p>
 <p><a href="./use.a.bought.ssl.certificate-zh_CN.html">简体中文</a> /</p>
 </div>
-<h1 id="use-a-bought-ssl-certificate">Use a bought SSL certificate</h1>
+<h1 id="use-a-ssl-certificate">Use a SSL certificate</h1>
 <div class="toc">
 <ul>
-<li><a href="#use-a-bought-ssl-certificate">Use a bought SSL certificate</a><ul>
-<li><a href="#generate-ssl-private-key-and-buy-one-ssl-certificate">Generate SSL private key and buy one SSL certificate</a></li>
+<li><a href="#use-a-ssl-certificate">Use a SSL certificate</a><ul>
+<li><a href="#get-a-ssl-certificate">Get a SSL certificate</a><ul>
+<li><a href="#get-a-free-letsencrypt-ssl-cert">Get a free LetsEncrypt ssl cert</a></li>
+<li><a href="#buy-from-a-trusted-ssl-vendor">Buy from a trusted SSL vendor</a></li>
+</ul>
+</li>
 <li><a href="#configure-postfixdovecotapachenginx-to-use-bought-ssl-certificate">Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate</a><ul>
 <li><a href="#postfix-smtp-server">Postfix (SMTP server)</a></li>
 <li><a href="#dovecot-pop3imap-server">Dovecot (POP3/IMAP server)</a></li>
@@ -46,13 +50,24 @@ to warn you this self-signed certificate is not trusted. To avoid this
 annoying message, you have to buy a SSL certificate from SSL certificate
 provider. Search <code>buy ssl certificate</code> in Google will give you many SSL
 providers, choose the one you prefer.</p>
-<blockquote>
-<p><a href="https://letsencrypt.org">"Let's Encrypt" offers free SSL certificate</a></p>
-</blockquote>
-<h2 id="generate-ssl-private-key-and-buy-one-ssl-certificate">Generate SSL private key and buy one SSL certificate</h2>
-<p>First of all, you need to generate a new SSL certificate on your server
-with <code>openssl</code> command. <strong>WARNING</strong>: do NOT use key length smaller than <code>2048</code> bit,
-it's insecure.</p>
+<h2 id="get-a-ssl-certificate">Get a SSL certificate</h2>
+<h3 id="get-a-free-letsencrypt-ssl-cert">Get a free LetsEncrypt ssl cert</h3>
+<p><a href="https://letsencrypt.org">"Let's Encrypt"</a> offers free SSL certificate, please
+follow its official tutorial to get one: <a href="https://certbot.eff.org">https://certbot.eff.org</a></p>
+<div class="admonition attention">
+<p class="admonition-title">Attention</p>
+<p>The <code>--apache</code> option of <code>certbot</code> program will modify Apache config
+files, most time it messes up iRedMail configurations, so it's better
+to get the cert with <code>--webroot</code> option while requesting cert, then
+follow tutorial below to update config files to use the cert.</p>
+</div>
+<h3 id="buy-from-a-trusted-ssl-vendor">Buy from a trusted SSL vendor</h3>
+<p>To buy ssl cert from a trusted vendor, you need to generate a new SSL
+key and signing request file on your server with <code>openssl</code> command:</p>
+<div class="admonition warning">
+<p class="admonition-title">Warning</p>
+<p>Do NOT use key length smaller than <code>2048</code> bit, it's insecure.</p>
+</div>
 <pre><code># openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
 </code></pre>