Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

CentOS7.9 ; Let's Encrypt , WEB・Mail SSL

1.Obtain SSL Certificate( Let's Encrypt )

Install the latest open ssl

1.1 Certificate Installation

# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):[E-mail address]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: y
Account registered.
Requesting a certificate for cent.korodes.com
Performing the following challenges:
http-01 challenge for cent.korodes.com
Using the webroot path /var/www/html/cent.korodes.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email: mhori@hera.eonet.ne.jp).
Starting new HTTPS connection (1): supporters.eff.org
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

IMPORTANT NOTES:
-Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cent.korodes.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cent.korodes.com/privkey.pem
Your certificate will expire on 2023-05-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
-If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

1.2 Automatic certificate renewal (Let's Encrypt)

①Pre-registration testing
Test the automatic renewal with the following --dry-run option. With this option, the certificate is not renewed and only the operation is tested, so there is no need to worry about being caught by the limit on the number of times a certificate can be obtained.

②Using Systemd Timer

2. Converting Apache to https

Install the following just in case

2.1 Edit ssl.conf file

Restart Apache.

Allow https in Firewall

2.2 Redirect HTTP communications to HTTPS

Create .htaccess under /var/www/html/[FQDN]/.
Contents of .htaccess

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

3. SSL/TLS (Let's Encrypt) settings on the mail server

3.1 Obtaining a certificate for the mail server

Obtain a certificate for the mail server, but it cannot be obtained in the same way as above, so the following with the "--standalone" option fails.

If I stop the web server once and then do it, it succeeds as follows

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for mail.korodes.com
Performing the following challenges:
http-01 challenge for mail.korodes.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
-Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.korodes.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.korodes.com/privkey.pem
Your certificate will expire on 2023-05-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
-If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

3.2 Postfix Configuration

● Add to the last line
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.<domain name>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.<domain name>/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

● Line 16-19 : Uncomment
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
● Line 26-29 : Uncomment
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes

Restart postfix

3.3 Dovecot Settings

Restart dovecot

3.4 Firewalld Settings

Allow submission port (port 587)

3.5 Thunderbird Settings

Receiving server
Port  :  143
Connection security   :  STARTTLS
Authentication method  :  Normal password

Sending server
Port   :  587
Connection security   :  STARTTLS
Authentication method  :  Normal password

Copied title and URL