Contents
1. Certificate Acquisition (Let's Encrypt)
1.1 advance preparation
①Enable mod_ssl
|
1 |
# a2enmod ssl |
②Install client tool to obtain Let's Encrypt certificate
|
1 |
# apt -y install certbot |
③Obtaining Certificates
It is assumed that a web server such as Apache httpd or Nginx is running.
If the Web server is not running on the server, perform step ④.
It is also assumed that the server on which the work is to be performed (the server with the FQDN from which the certificate is to be obtained) is accessible from the Internet at port 80.
|
1 |
# certbot certonly --webroot -w /var/www/html/<FQDN> -d <FQDN> |
# Use the directory under the public directory of the running Web server as a temporary area for authentication by specifying [--webroot].
# -w [document root] -d [FQDN from which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name) : Hostname. Domain name without abbreviation
#Document root is the one for the appropriate host definition if there are multiple host definitions for a virtual host
# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): <mail address> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y Account registered. Requesting a certificate for <FQDN> Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem Key is saved at: /etc/letsencrypt/live/<FQDN>/privkey.pem This certificate expires on 2022-10-14. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
Success when displaye ""Successfully received certificate"
# The following certificate is obtained under [/etc/letsencrypt/live/<FQDN>/] as described in the message
# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ private key
④Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that access to port 80 of the server is available.
#Use the simple Web server function by specifying [--standalone].
# -d [FQDN from which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name) : Hostname. Domain name without abbreviation
# If there are multiple FQDNs for which you want to obtain certificates, specify multiple -d [FQDNs for which you want to obtain certificates
|
1 |
# certbot certonly --standalone -d <FQDN> |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
Enter email address (used for urgent notices and lost key recovery) <mail address> < OK > <Cancel> Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory <Agree > <Cancel> IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/<FQDN>/privkey.pem Your cert will expire on 2019-10-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donat |
⑤Renewing certificates already obtained
# Renew all certificates with an expiration date of less than 30 days
#If you want to renew regardless of the number of days remaining on the expiration date, specify [--force-renewal] as well
|
1 |
# certbot [--force-renewal] renew |
2. Configuring SSL/TLS (Let's Encrypt) in Apache2
①Editing the SSL-related configuration files for Apache2
|
1 2 |
# cd /etc/apache2/sites-available/ # cp default-ssl.conf hoge.com-ssl.conf |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi hoge.com-ssl.conf # Line 3:Change of administrator's address ServerAdmin hoge@hoge.com # Line 5:change DocumentRoot /var/www/html/hoge.com # Line 13,14:change ErrorLog ${APACHE_LOG_DIR}/hoge.com.error.log CustomLog ${APACHE_LOG_DIR}/hoge.com.access.log combined # Line 32,33:Change to the certificate you obtained in[1] SSLCertificateFile /etc/letsencrypt/live/hoge.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/hoge.com/privkey.pem # Line 42:Uncomment and change to the chain file retrieved in [1] SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem |
②Reflection and activation of the configuration file
|
1 2 3 4 |
# a2ensite hoge.com-ssl.conf Enabling site hoge.com-ssl.conf. To activate the new configuration, you need to run: systemctl reload apache2 |
|
1 |
# systemctl restart apache2 |
|
1 |
# a2dissite default-ssl.conf ←Default disablement |
|
1 |
# systemctl restart apache2 |
|
1 2 3 4 5 6 7 8 9 10 11 |
# a2enmod ssl Considering dependency setenvif for ssl: Module setenvif already enabled Considering dependency mime for ssl: Module mime already enabled Considering dependency socache_shmcb for ssl: Enabling module socache_shmcb. Enabling module ssl. See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates. To activate the new configuration, you need to run: systemctl restart apache2 |
③http to https redirection
1.How to create an .htaccess file
Create a .htaccess file in /var/www/html/hoge.com/ and fill in the following
|
1 2 3 |
RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] |
2.How to fill in /vhost-hoge.com.conf
|
1 2 3 4 |
# vi /etc/apache2/sites-available/vhost-hoge.com.conf RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] |
④Configuration and start-up
|
1 2 3 |
# a2ensite vhost-hoge.com.conf # a2enmod ssl # systemctl restart apache2 |
3. Setting up SSL/TLS (Let's Encrypt) on your mail server
3.1 Setting up a virtual host and obtaining a certificate
①Configuring mail hosts on Apache virtual hosts
|
1 |
# cd /etc/apache2/sites-available/ |
|
1 |
# vi vhost-hoge.com.conf |
Under the virtual host settings for web services, add the following virtual host settings for mail
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
<VirtualHost *:80> ~Abbreviations~ ServerName mail.hoge.com ServerAdmin hoge@hoge.com DocumentRoot /var/www/html/mail.hoge.com ~Abbreviations~ ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined ~Abbreviations~ </VirtualHost> |
②Create a mail.hoge.com directory in /var/www/html/.
③Obtaining a letsencrypt SSL certificate for your mail server
|
1 |
# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com |
3.2 Postfix Configuration
④Fix Postfix configuration file.
Configure SSL/TLS for encrypted communication.
SMTPS uses 465/TCP, POP3S uses 995/TCP and IMAPS uses 993/TCP.
|
1 2 3 4 5 6 7 8 9 10 11 |
# vi /etc/postfix/main.cf # Add to last line smtpd_use_tls = yes smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_cert_file = /etc/letsencrypt/live/mail.hoge.com/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/mail.hoge.com/privkey.pem smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache # Include cryptographic information in the "Received:" message header smtpd_tls_received_header = yes |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
# vi /etc/postfix/master.cf submission inet n – y – – smtpd ←Comments will be removed below.(Both SSL and STARTTLS are supported) -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n – y – – smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n – y – – qmqpd |
|
1 |
# postfix check |
|
1 2 |
# systemctl start postfix # systemctl enable postfix |
3.3 Configure Dovecot
①Modify the Dovecot configuration file
|
1 2 3 4 5 6 7 |
# vi /etc/dovecot/conf.d/10-ssl.conf # line 6:change ssl = yes # Line 12,13:Uncomment and specify certificate/key file ssl_cert = </etc/letsencrypt/live/mail.hoge.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.hoge.com/privkey.pem |
|
1 |
# vi /etc/dovecot/conf.d/10-master.conf |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
service imap-login { inet_listener imap { #port = 143 port = 0 } inet_listener imaps { #port = 993 #ssl = yes port = 993 ssl = yes } }service pop3-login { inet_listener pop3 { #port = 110 port = 0 } inet_listener pop3s { #port = 995 #ssl = yes port = 995 ssl = yes } } ・Dovecot SASL Specify the library's authentication socket file(Per line 113) service auth { (Abbreviation) # Postfix smtp-auth #unix_listener /var/spool/postfix/private/auth { # mode = 0666 #} ↓ unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } } |
|
1 2 3 4 |
# vi /etc/dovecot/conf.d/10-auth.conf #disable_plaintext_auth = yes → disable_plaintext_auth = no auth_mechanisms = plain → auth_mechanisms = plain login |
|
1 2 3 |
# vi /etc/dovecot/conf.d/10-mail.conf #mail_location = → mail_location = maildir:~/Maildir |
|
1 2 3 |
# vi /etc/dovecot/conf.d/10-logging.conf #log_path = syslog → log_path = /var/log/dovecot/dovecot.log |
|
1 |
# mkdir /var/log/dovecot |
|
1 2 |
# systemctl start dovecot # systemctl enable dovecot |
|
1 2 3 |
# ls -F /var/spool/postfix/private/auth ---(The following indications are acceptable)--- /var/spool/postfix/private/auth = |
4. Configure SSL/TLS (Let's Encrypt) for FTP Vsftpd
① Modify the Vsftpd configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /etc/vsftpd.conf #Add the following to the last line # add letsencrypt rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem ssl_enable=YESforce_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO #pasv port pasv_enable=YES pasv_min_port=21000 pasv_max_port=21010 |
|
1 |
# systemctl restart vsftpd |
Allows a fixed PASV port other than the ftp port.
|
1 2 |
# ufw allow 21000:21010/tcp # ufw reload |