This page explains how to obtain a certificate from Let's Encrypt and use it to enable SSL/TLS on Apache, on a mail server (Postfix and Dovecot), and on an FTP server (vsftpd).
Contents
1. Obtaining a certificate (Let's Encrypt)
1.1 Advance preparation
①Enable mod_ssl
# a2enmod ssl
②Install a client tool to obtain a Let's Encrypt certificate.
# apt -y install certbot
③Obtaining a Let's Encrypt certificate
It is assumed that a web server such as Apache httpd or Nginx is already running.
If no web server is running on the server where the work is performed, use the procedure in ④ instead.
It is also assumed that port 80 of the server where the work is performed (the server whose FQDN the certificate is for) is reachable from the Internet.
# certbot certonly --webroot -w /var/www/html/<FQDN> -d <FQDN>
# -w [document root] -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the host name, i.e. the domain name written out in full.
# The only effect of specifying the document root is that a [.well-known] directory is created under it and the authentication files are placed there automatically and temporarily.
# The first time only, you need to register your email address and agree to the terms of use.
# Specify a valid email address.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <mail address>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for <FQDN>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<FQDN>/privkey.pem
This certificate expires on 2022-10-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The request succeeded when "Successfully received certificate" is displayed.
# As the message states, the following files are placed under [/etc/letsencrypt/live/<FQDN>/]
# cert.pem ⇒ SSL server certificate (including the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem combined into one file
# privkey.pem ⇒ private key
④Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that port 80 of the server where the work is performed is reachable from the Internet.
# certbot certonly --standalone -d <FQDN>
# -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the host name, i.e. the domain name written out in full.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <FQDN>
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.srv.world/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.srv.world/privkey.pem
   Your cert will expire on 2021-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
⑤Renewing a certificate that has already been obtained
# Renews all certificates that expire in less than 30 days.
# Add [--force-renewal] to renew regardless of the number of days left until expiry.
# certbot [--force-renewal] renew
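Certbot's scheduled task rewrites the files under /etc/letsencrypt/live/, but Apache, Postfix, Dovecot and vsftpd keep serving the certificate they loaded at start-up until they are reloaded, so an unattended renewal can still end in an expired certificate on the wire. The deploy hook below is an added example, not code from the original page or from Certbot itself. It relies on two documented Certbot behaviours: every executable in /etc/letsencrypt/renewal-hooks/deploy/ is run after a successful renewal, and RENEWED_LINEAGE is set to the renewed live/<name> directory. The mapping from lineage name to services (mail.<domain> for Postfix/Dovecot, everything else for Apache/vsftpd) is an assumption that follows the host layout used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): certbot deploy hook that reloads the
# daemons reading a renewed certificate. Install as an executable file under
# /etc/letsencrypt/renewal-hooks/deploy/. "certbot renew" runs it only after a lineage
# was actually renewed, with RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.
set -eu

# Which daemons load files from a lineage directory. Assumption matching this page's
# layout: mail.<domain> is the Postfix/Dovecot certificate, any other name is the
# Apache/vsftpd certificate. Adjust to your own hosts.
services_for_lineage() {
    case "$(basename "$1")" in
        mail.*) echo "postfix dovecot" ;;
        *)      echo "apache2 vsftpd" ;;
    esac
}

# Refuse to reload a broken lineage: privkey.pem must belong to the leaf certificate
# in fullchain.pem. Both commands print the public key as PEM SubjectPublicKeyInfo,
# so a plain string comparison is enough. Returns non-zero on mismatch.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Reload (or restart, for units without a reload action) only daemons that are
# running; renewal must not start a service the administrator has stopped.
reload_services_for() {
    for svc in $(services_for_lineage "$1"); do
        if systemctl is-active --quiet "$svc"; then
            systemctl reload-or-restart "$svc"
            logger -t certbot-deploy "reloaded $svc for $1"
        fi
    done
}

# Entry point used by certbot; the guard keeps the functions usable from other scripts.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if key_matches_cert "$RENEWED_LINEAGE"; then
        reload_services_for "$RENEWED_LINEAGE"
    else
        logger -t certbot-deploy "key/cert mismatch in $RENEWED_LINEAGE, not reloading"
        exit 1
    fi
fi
```

Test the hook without waiting for a real renewal with `certbot renew --dry-run` (deploy hooks are skipped in dry runs, so run the script by hand with RENEWED_LINEAGE exported to one of your live/ directories) and confirm in the journal that each service reloaded.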
2. Configuring SSL/TLS (Let's Encrypt) in Apache2
①Editing the SSL-related configuration file for Apache2
# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
# vi hoge.com-ssl.conf
# Line 3: Change the admin address
ServerAdmin <mail-address>
# Line 5: Change
DocumentRoot /var/www/html/<FQDN>
# Lines 13 and 14: Change
ErrorLog ${APACHE_LOG_DIR}/<FQDN>.error.log
CustomLog ${APACHE_LOG_DIR}/<FQDN>.access.log combined
# Lines 32 and 33: Change to the certificate obtained in [1].
SSLCertificateFile /etc/letsencrypt/live/<FQDN>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<FQDN>/privkey.pem
# Line 42: Uncomment and change to the chain file obtained in [1].
SSLCertificateChainFile /etc/letsencrypt/live/<FQDN>/chain.pem
②Enabling the configuration file and applying it
# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
  systemctl reload apache2
# systemctl restart apache2
Disable the default SSL site
# a2dissite default-ssl.conf
# systemctl restart apache2
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
③Redirecting http to https
1. Using a .htaccess file
Create a .htaccess file in /var/www/html/<FQDN>/ and enter the following:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
2. Adding it to vhost-hoge.com.conf
# vi /etc/apache2/sites-available/vhost-hoge.com.conf
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
④Applying the settings and starting
# a2ensite vhost-hoge.com.conf
Restarting Apache
# systemctl restart apache2
3. Setting up SSL/TLS (Let's Encrypt) on the mail server
3.1 Setting up a virtual host and obtaining a certificate
①Configuring Mail Hosts on Apache Virtual Hosts
# cd /etc/apache2/sites-available/
# vi vhost-hoge.com.conf
<VirtualHost *:80>
    ~omitted~
    ServerName mail.<domain-name>
    ServerAdmin <mail-address>
    DocumentRoot /var/www/html/mail.<domain-name>
    ~omitted~
    ErrorLog ${APACHE_LOG_DIR}/mail.<domain-name>.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.<domain-name>.access.log combined
    ~omitted~
</VirtualHost>
②Create the mail.<domain-name> directory under /var/www/html/
③Obtain a Let's Encrypt SSL certificate for the mail server.
# certbot certonly --webroot -w /var/www/html/mail.<domain-name> -d mail.<domain-name>
3.2 Postfix Configuration
④Modify the Postfix configuration file.
Configure the SSL/TLS settings to enable encrypted communication.
Use 465/TCP for SMTPS, 995/TCP for POP3S, and 993/TCP for IMAPS.
# vi /etc/postfix/main.cf
# Add to the last line
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.<domain-name>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.<domain-name>/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# Include cryptographic information in the "Received:" message header
smtpd_tls_received_header = yes
# vi /etc/postfix/master.cf
# Uncomment the following lines. (Both SSL and STARTTLS are supported.)
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
# postfix check
# systemctl start postfix
# systemctl enable postfix
3.3 Configuring Dovecot
①Modify the Dovecot configuration file
# vi /etc/dovecot/conf.d/10-ssl.conf
# Line 6: Change
ssl = yes
# Lines 12 and 13: Uncomment and specify the certificate/key files
ssl_cert = </etc/letsencrypt/live/mail.<domain-name>/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.<domain-name>/privkey.pem
# vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}
# Specify the authentication socket file for the Dovecot SASL library (around line 113)
service auth {
  (omitted)
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  ↓
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
# vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes → disable_plaintext_auth = no
auth_mechanisms = plain → auth_mechanisms = plain login
# vi /etc/dovecot/conf.d/10-mail.conf
#mail_location = → mail_location = maildir:~/Maildir
# vi /etc/dovecot/conf.d/10-logging.conf
#log_path = syslog → log_path = /var/log/dovecot/dovecot.log
# mkdir /var/log/dovecot
# systemctl start dovecot
# systemctl enable dovecot
# ls -F /var/spool/postfix/private/auth
--- (Output like the following, with the trailing "=" marking a socket, indicates success.) ---
/var/spool/postfix/private/auth=
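Once Postfix and Dovecot are running, the configuration above should be checked from the client side, and the check has to account for the two ways TLS is offered here: the submission port (587) negotiates TLS with STARTTLS on a plaintext connection, while smtps (465, `smtpd_tls_wrappermode = yes`) and the Dovecot imaps/pop3s listeners (993, 995) wrap the connection in TLS from the first byte. Probing a wrapper-mode port with STARTTLS, or vice versa, fails even on a correctly configured server. The script below is an added example, not code from the original page or from the Postfix/Dovecot projects; it builds the right `openssl s_client` invocation per port and then requires both a clean chain verification and a Let's Encrypt issuer, which catches a daemon that is still serving a distribution default "snakeoil" certificate. The CA bundle path /etc/ssl/certs/ca-certificates.crt is the Debian/Ubuntu location and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): verify the TLS set-up on every mail port
# configured in sections 3.2 and 3.3. Usage: ./check_mail_tls.sh mail.example.com
set -eu

# Build the openssl s_client command line for one port. -servername sends SNI so a
# name-based server picks the right certificate. CA bundle path is the Debian/Ubuntu
# default (assumption; adjust for other distributions).
tls_probe_cmd() {
    host=$1
    port=$2
    base="openssl s_client -connect $host:$port -servername $host -CAfile /etc/ssl/certs/ca-certificates.crt"
    case "$port" in
        25|587)      echo "$base -starttls smtp" ;;   # STARTTLS: plaintext first, then TLS
        143)         echo "$base -starttls imap" ;;
        110)         echo "$base -starttls pop3" ;;
        465|993|995) echo "$base" ;;                  # implicit TLS (wrapper mode): TLS from the first byte
        *) echo "unsupported port $port" >&2; return 1 ;;
    esac
}

# Inspect captured s_client output. Success requires the chain to verify against the
# CA bundle and the leaf to be issued by Let's Encrypt, so an old self-signed
# certificate left in place by the distribution is reported as a failure.
probe_output_ok() {
    printf '%s\n' "$1" | grep -q "Verify return code: 0 (ok)" || return 1
    printf '%s\n' "$1" | grep -q "issuer=.*Let's Encrypt" || return 1
}

# Probe all four ports enabled on this page; prints one line per port and returns 1
# if any port failed. Connection errors are treated as failures, not as crashes.
check_mail_tls() {
    host=$1
    rc=0
    for p in 587 465 993 995; do
        out=$( $(tls_probe_cmd "$host" "$p") </dev/null 2>&1 ) || true
        if probe_output_ok "$out"; then
            echo "$host:$p OK"
        else
            echo "$host:$p FAILED"
            rc=1
        fi
    done
    return $rc
}

if [ $# -eq 1 ]; then
    check_mail_tls "$1"
fi
```

Port 25 and the disabled plaintext IMAP/POP3 ports (set to `port = 0` above) are intentionally left out of the loop: a connection refused on 143 and 110 is the expected result of that configuration, and 25 is server-to-server traffic where TLS is opportunistic rather than mandatory.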
4. Configure SSL/TLS (Let's Encrypt) for FTP Vsftpd
① Modify the vsftpd configuration file
# vi /etc/vsftpd.conf
# Add the following to the last line
# add letsencrypt
rsa_cert_file=/etc/letsencrypt/live/<FQDN>/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/<FQDN>/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# systemctl restart vsftpd
Allow the fixed PASV port range through the firewall in addition to the FTP port.
# ufw allow 21000:21010/tcp
# ufw reload
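Two mistakes in this section fail silently: a PASV range in vsftpd.conf that does not match the ufw rule (logins succeed, then every directory listing hangs), and one of the force_*_ssl keys left at NO (clients can still send credentials in cleartext). The script below is an added example, not code from the original page or from the vsftpd project. It reads the relevant keys from a vsftpd.conf, derives the ufw rule the PASV range implies so it can be compared with the rule actually installed, and checks the TLS keys against the values this section sets. The sample configuration is constructed here and carries one deliberate error to show the report.

```shell
#!/bin/sh
# Added example (not from the original page): consistency checks for the vsftpd
# settings of section 4. Run against /etc/vsftpd.conf before restarting vsftpd.
set -eu

# Value of key=value in a vsftpd.conf; last occurrence wins, commented lines ignored.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# The ufw rule implied by the PASV settings, e.g. "ufw allow 21000:21010/tcp".
# Prints nothing when pasv_enable is not YES; fails on a missing or inverted range.
ufw_rule_for_pasv() {
    conf=$1
    [ "$(vsftpd_get "$conf" pasv_enable)" = "YES" ] || return 0
    min=$(vsftpd_get "$conf" pasv_min_port)
    max=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "invalid PASV range: min='$min' max='$max'" >&2
        return 1
    fi
    echo "ufw allow $min:$max/tcp"
}

# Keys and values that must hold for TLS-only FTP as configured on this page.
# Prints the offending keys and returns 1 if any is missing or wrong.
vsftpd_tls_check() {
    conf=$1
    bad=""
    for pair in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${pair%%=*}
        want=${pair#*=}
        [ "$(vsftpd_get "$conf" "$key")" = "$want" ] || bad="$bad $key"
    done
    [ -z "$bad" ] || { echo "wrong or missing:$bad"; return 1; }
}

# Constructed sample mirroring section 4, with force_local_logins_ssl deliberately
# set to NO so the check has something to report.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
listen=YES
rsa_cert_file=/etc/letsencrypt/live/ftp.example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/ftp.example.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
EOF

ufw_rule_for_pasv "$SAMPLE_CONF"          # ufw allow 21000:21010/tcp
vsftpd_tls_check "$SAMPLE_CONF" || true   # wrong or missing: force_local_logins_ssl
```

On the real host, compare the printed rule with `ufw status` and re-run after each edit of vsftpd.conf; the port range check matters again whenever the range is widened for more concurrent sessions.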