OracleLinux9.4 ; SSL Certificate Acquisition( Let's Encrypt ) , WEB/Mail server SSL

1. SSL Certificate Acquisition ( Let's Encrypt )

Install the latest open ssl

1.1 advance preparation

1.Package management system Snappy installation
Since the SSL certificate issuing tool "certbot" of Let's Encrypt is recommended to be installed using "snap" after 2021, install Snapd first.(Can also be installed the traditional way with dnf or yum)

Enable systemd unit to manage the main snap communication socket

Enable Classics Snap support

Version Confirmation

Log out and log in again or reboot the system to ensure that the snap path is updated correctly

2.certbot package installation

Create symbolic link to /snap/bin/certbot

Confirmation

1.2 Obtaining Certificates

Registration of e-mail address and agreement to terms of use are required for the first time only.
Specify an email address to receive

The following certificate is obtained under [/etc/letsencrypt/live/[FQDN]/] as described in the message
cert.pem ⇒ SSL server certificate (including public key)
chain.pem ⇒ intermediate certificate
fullchain.pem ⇒ File containing cert.pem and chain.pem combined
privkey.pem ⇒ private key for a public key

※ Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that the server on which the work is to be performed is accessible from the Internet at port 80.
Use the simple Web server function by specifying [--standalone].
--d [FQDN from which you want to obtain a certificate].
FQDN (Fully Qualified Domain Name) : Hostname. Domain name without abbreviation
If there are multiple FQDNs for which you want to obtain certificates, specify multiple -d [FQDNs for which you want to obtain certificates]

Renewing certificates already obtained
# Renew all certificates with an expiration date of less than 30 days
# If you want to renew regardless of the number of days remaining on the expiration date, specify [--force-renewal] as well

1.2 Automatic renewal of certificates (Let's Encrypt)

Pre-registration testing
First, test the automatic update using the following --dry-run option.
With this option, certificates are not renewed, only checked, so there is no need to worry about getting stuck with a limit on the number of times a certificate can be obtained.

When you install the snap version of certbot, the automatic certificate renewal function is also installed.

snap.certbot.renew.timer is registered

Check the unit file snap.certbot.renew.timer

According to the above configuration, it will attempt to update at 03:51 and 12:23 every day as specified in the OnCalender parameter(However, the set time changes randomly with each update)

Check the unit file snap.certbot.renew.service

However, the web server using the certificate will not be restarted, so set up a script that will run automatically after the update

2. Converting Apache to https

Install the following

2.1 Edit ssl.conf file

Restart Apache.

Allow https in Firewall

2.2 Redirect HTTP communications to HTTPS

Create .htaccess under /var/www/html/[FQDN]/

Contents of .htaccess

3. SSL/TLS (Let's Encrypt) settings on the mail server

3.1 Obtaining a certificate for the mail server

Obtain a certificate for the mail server, but it cannot be obtained in the same way as above, so the following with the "--standalone" option fails.

If I stop the web server once and then do it, it succeeds as follows

3.2 Postfix Configuration

3.3 Dovecot Settings

Allow Port 587 in firewall

3.4 Thunderbird Settings

Receiving server
Port  :  143
Connection security   :  STARTTLS
Authentication method  :  Normal password

Sending server
Port   :  587
Connection security   :  STARTTLS
Authentication method  :  Normal password

Copied title and URL