Contents
1.Obtain SSL Certificate( Let's Encrypt )
Install the latest open ssl
|
1 |
# yum install openssl-devel |
1.1 Certificate Installation
|
1 2 |
# yum -y install certbot # certbot certonly --webroot -w /var/www/html/[FQDN] -d [FQDN] |
# Specify an email address to receive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):[E-mail address]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: y
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: y
Account registered.
Requesting a certificate for cent.korodes.com
Performing the following challenges:
http-01 challenge for cent.korodes.com
Using the webroot path /var/www/html/cent.korodes.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email: mhori@hera.eonet.ne.jp).
Starting new HTTPS connection (1): supporters.eff.org
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
IMPORTANT NOTES:
-Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cent.korodes.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cent.korodes.com/privkey.pem
Your certificate will expire on 2023-05-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
-If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
1.2 Automatic certificate renewal (Let's Encrypt)
①Pre-registration testing
Test the automatic renewal with the following --dry-run option. With this option, the certificate is not renewed and only the operation is tested, so there is no need to worry about being caught by the limit on the number of times a certificate can be obtained.
|
1 |
# certbot renew --dry-run |
②Using Systemd Timer
|
1 2 3 4 5 6 7 8 9 10 |
# systemctl cat certbot-renew.timer # /usr/lib/systemd/system/certbot-renew.timer [Unit] Description=This is the timer to set the schedule for automated renewals [Timer] OnCalendar=*-*-* 00/12:00:00 RandomizedDelaySec=12hours Persistent=true [Install] WantedBy=timers.target |
|
1 2 |
# systemctl enable --now certbot-renew.timer Created symlink from /etc/systemd/system/timers.target.wants/certbot-renew.timer to /usr/lib/systemd/system/certbot-renew.timer. |
|
1 2 3 4 5 6 |
# systemctl list-timers certbot-renew.timer NEXT LEFT LAST PASSED UNIT ACTIVATES Sat 2023-02-18 11:01:38 JST 13h left n/a n/a certbot-renew.timer certbot-re 1 timers listed. Pass --all to see loaded but inactive timers, too. |
2. Converting Apache to https
Install the following just in case
|
1 |
# yum -y install mod_ssl |
2.1 Edit ssl.conf file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# vi /etc/httpd/conf.d/ssl.conf ●Line 59: Uncomment and change DocumentRoot "/var/www/html/<FQDN>" ●Line 60: Uncomment and change ServerName <Domain name>:443 ●Line 100: Uncomment and add # SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateFile /etc/letsencrypt/live/<FQDN>/cert.pem ●Line 107: Uncomment and add # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key SSLCertificateKeyFile /etc/letsencrypt/live/<FQDN>/privkey.pem ●Line 117: Add SSLCertificateChainFile /etc/letsencrypt/live/<FQDN>/chain.pem |
Restart Apache.
|
1 |
# systemctl restart httpd |
|
1 2 3 4 |
# firewall-cmd --add-service=https --permanent success # firewall-cmd --reload success |
2.2 Redirect HTTP communications to HTTPS
Create .htaccess under /var/www/html/[FQDN]/.
Contents of .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
3. SSL/TLS (Let's Encrypt) settings on the mail server
3.1 Obtaining a certificate for the mail server
Obtain a certificate for the mail server, but it cannot be obtained in the same way as above, so the following with the "--standalone" option fails.
|
1 |
# certbot certonly --standalone -d mail.<domain name> |
If I stop the web server once and then do it, it succeeds as follows
|
1 2 |
# systemctl stop httpd.service # certbot certonly --standalone -d mail.<domain name> |
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for mail.korodes.com
Performing the following challenges:
http-01 challenge for mail.korodes.com
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
-Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.korodes.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.korodes.com/privkey.pem
Your certificate will expire on 2023-05-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
-If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3.2 Postfix Configuration
|
1 |
# vi /etc/postfix/main.cf |
● Add to the last line
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.<domain name>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.<domain name>/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
1 |
# vi /etc/postfix/master.cf |
● Line 16-19 : Uncomment
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
● Line 26-29 : Uncomment
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
Restart postfix
|
1 |
# systemctl restart postfix |
3.3 Dovecot Settings
|
1 2 3 |
# vi /etc/dovecot/conf.d/10-ssl.conf Line 9: Change ssl = yes |
Restart dovecot
|
1 |
# systemctl restart dovecot |
3.4 Firewalld Settings
Allow submission port (port 587)
|
1 2 |
# firewall-cmd --add-port=587/tcp --permanent # firewall-cmd --reload |
3.5 Thunderbird Settings
Receiving server
Port : 143
Connection security : STARTTLS
Authentication method : Normal password
Sending server
Port : 587
Connection security : STARTTLS
Authentication method : Normal password
