
Debian 10: SSL/TLS for Apache, mail and FTP servers (Let's Encrypt)

This page explains how to obtain a certificate with Let's Encrypt and apply it to Apache, to a mail server and to an FTP server, enabling SSL/TLS on each of them.

1. Obtaining a certificate (Let's Encrypt)

1.1 Advance preparation

①Enable mod_ssl

②Install a client tool to obtain a Let's Encrypt certificate.

③Obtaining a Let's Encrypt certificate
It is assumed that a web server such as Apache httpd or Nginx is running.
If no web server is running on the server where the work is performed, use the procedure in ④ instead.
It is also assumed that port 80 of the server where the work is performed (the server whose FQDN the certificate is for) can be reached from the Internet.

# -w [document root] -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the host name written out in full with its domain name, without abbreviation.
# Specifying the document root only causes a [.well-known] directory to be created under it, in which the authentication files are placed automatically and temporarily.
# The first time only, you need to register your email address and agree to the terms of use.
# Specify a valid email address.

The command has succeeded when "Successfully received certificate" is displayed.

# As the message states, the following files are created under [/etc/letsencrypt/live/<FQDN>/]:
# cert.pem ⇒ SSL server certificate (including the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem concatenated into one file
# privkey.pem ⇒ private key

④Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that port 80 of the server where the work is performed can be reached from the Internet.

# -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the host name written out in full with its domain name, without abbreviation.

⑤Renewing a certificate that has already been obtained
# Renew all certificates that expire in less than 30 days.
# Specify [--force-renewal] if you want to renew certificates regardless of the number of days left to expire.
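The following script is an added example and is not part of the original page. It checks the files that step ③ describes under /etc/letsencrypt/live/<FQDN>/ (that privkey.pem really belongs to cert.pem and that fullchain.pem is cert.pem followed by chain.pem) and applies the 30-day renewal threshold from step ⑤ with `openssl x509 -checkend`, so you can see whether a renewal is due before forcing one. The directory path is an argument; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the files certbot
# leaves under /etc/letsencrypt/live/<FQDN>/ and decide whether a renewal is
# due. The directory is passed in, so the checks also work on a copied tree.

# Return 0 if privkey.pem is the private key for cert.pem (same public key).
cert_key_match() {
    dir=$1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.pem") || return 2
    key_pub=$(openssl pkey -pubout -in "$dir/privkey.pem") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if fullchain.pem is exactly cert.pem followed by chain.pem.
fullchain_consistent() {
    dir=$1
    cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"
}

# Return 0 if cert.pem expires within $2 days (default 30, the renewal threshold).
renewal_due() {
    dir=$1
    days=${2:-30}
    # -checkend exits 0 while the certificate stays valid beyond the window.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$dir/cert.pem" >/dev/null; then
        return 1
    fi
    return 0
}

# Run every check for one live directory; print a one-line verdict per check.
check_live_dir() {
    dir=$1
    rc=0
    if cert_key_match "$dir"; then echo "key/cert match: ok"; else echo "key/cert match: FAILED"; rc=1; fi
    if fullchain_consistent "$dir"; then echo "fullchain: ok"; else echo "fullchain: FAILED"; rc=1; fi
    if renewal_due "$dir"; then echo "renewal: due (less than 30 days left)"; else echo "renewal: not yet"; fi
    return $rc
}

# Usage: check_live_dir /etc/letsencrypt/live/<FQDN>
```

A mismatch between key and certificate is the usual cause of Apache, Postfix or Dovecot refusing to start after a certificate is replaced by hand, so running this before restarting the services saves a round of log reading.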

2. Configuring SSL/TLS (Let's Encrypt) in Apache2

①Editing the SSL-related configuration file for Apache2

②Reflecting and activating the configuration file

The SSL site is disabled by default, so it has to be enabled explicitly.

③http to https redirection
1. Using a .htaccess file
Create a .htaccess file in /var/www/html/<FQDN>/ and write the following in it.

2. Writing the setting into /vhost-hoge.com.conf

④Reflection of settings and startup

Restarting Apache

3. Set up SSL/TLS (Let's Encrypt) on your mail server

3.1 Set up a virtual host and obtain a certificate

①Configuring Mail Hosts on Apache Virtual Hosts

②Create a mail.<domain-name> directory in /var/www/html/

③Obtain a Let's Encrypt SSL certificate for your mail server.

3.2 Postfix Configuration

④Modify Postfix configuration file.
Configure SSL/TLS settings to enable encrypted communication.
Use 465/TCP for SMTPS, 995/TCP for POP3S, and 993/TCP for IMAPS.

Check that the settings are correct (OK if nothing appears).
⑤Postfix startup, auto-start configuration

3.3 Configuring Dovecot

①Modify the Dovecot configuration file

・Enable imaps and pop3s, which use encryption, and disable imap and pop3, which communicate in plaintext, by setting "port = 0".
・Set the authentication method. ※Plain-text passwords are allowed, but the connection is encrypted with SSL/TLS, so this is not a problem as long as the plaintext imap/pop3 listeners really are disabled as above.
・Specify the location of the mailbox.
・Change the log output destination.
・Create the log output destination.
②Start Dovecot and set it to start automatically.

③Verify that the authentication socket file has been created.
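As an added example (not from the original page), the script below audits a Dovecot 10-master.conf fragment for the point made in ① above: the plaintext imap and pop3 listeners must be set to "port = 0" while imaps and pop3s stay enabled, because that is what makes allowing plain-text passwords acceptable. Both fragments are constructed samples in the layout Debian's 10-master.conf uses (in the stock file the port lines are commented out, so the defaults 143 and 110 apply); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: check that a Dovecot
# 10-master.conf fragment disables the plaintext imap/pop3 listeners
# ("port = 0") and leaves imaps/pop3s enabled.

# Constructed sample: hardened configuration as described on the page.
DOVECOT_HARDENED='service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}'

# Constructed sample: stock layout, ports commented out so 143/110 stay open.
DOVECOT_DEFAULT='service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}'

# listener_port CONFIG NAME: print the port set for inet_listener NAME,
# or nothing when the line is absent or commented out (Dovecot default applies).
listener_port() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "inet_listener" && $2 == name { inside = 1; next }
        inside && $1 == "}"                 { inside = 0 }
        inside && $1 == "port"              { print $3; exit }
    '
}

# audit_listeners CONFIG: return 0 when imap/pop3 are off (port = 0) and
# imaps/pop3s are not explicitly switched off; print each finding.
audit_listeners() {
    cfg=$1
    rc=0
    for name in imap pop3; do
        port=$(listener_port "$cfg" "$name")
        if [ "$port" != "0" ]; then
            echo "plaintext listener $name is enabled (port=${port:-default})"
            rc=1
        fi
    done
    for name in imaps pop3s; do
        if [ "$(listener_port "$cfg" "$name")" = "0" ]; then
            echo "TLS listener $name is disabled"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live system:
# audit_listeners "$(cat /etc/dovecot/conf.d/10-master.conf)"
```

The audit only looks at the listeners; a complementary check on a real host is that 10-ssl.conf sets `ssl = required`, which makes Dovecot refuse plaintext logins even if a listener is reopened later.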

4. Configure SSL/TLS (Let's Encrypt) for FTP (vsftpd)

① Modify the Vsftpd configuration file

② Firewall Settings
Allow the fixed PASV port range in addition to the FTP control port.
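Why the PASV range must be fixed: once the control channel is encrypted with TLS, the firewall's FTP connection-tracking helper can no longer read the PASV reply to learn the data port, so the range has to be allowed explicitly. The script below is an added example, not from the original page: it reads the vsftpd directives `listen_port`, `pasv_enable`, `pasv_min_port` and `pasv_max_port` (all real vsftpd options) from a configuration text and prints the TCP port specs the firewall needs. The configuration fragment is a constructed sample and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: derive the TCP ports the firewall
# must open for vsftpd (control port plus the fixed PASV range) from its
# configuration, and refuse to continue when the range is not fixed.

# Constructed sample of the relevant vsftpd.conf lines.
VSFTPD_SAMPLE='listen=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010
# listen_port is left at its default of 21'

# vsftpd_option CONFIG KEY DEFAULT: print the value of KEY (last one wins),
# ignoring comment lines, or DEFAULT when the key is not set.
vsftpd_option() {
    val=$(printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2 }
        END              { if (v != "") print v }
    ')
    printf '%s\n' "${val:-$3}"
}

# vsftpd_firewall_ports CONFIG: print one TCP port spec per line, suitable
# for "ufw allow <spec>" or an nftables set. Returns 1 if PASV is enabled
# but pasv_min_port/pasv_max_port are unset or 0 (vsftpd would then pick
# random ports that no firewall rule can anticipate).
vsftpd_firewall_ports() {
    cfg=$1
    printf '%s/tcp\n' "$(vsftpd_option "$cfg" listen_port 21)"
    if [ "$(vsftpd_option "$cfg" pasv_enable YES)" = "YES" ]; then
        min=$(vsftpd_option "$cfg" pasv_min_port "")
        max=$(vsftpd_option "$cfg" pasv_max_port "")
        if [ -z "$min" ] || [ -z "$max" ] || [ "$min" = "0" ] || [ "$max" = "0" ]; then
            echo "warning: pasv_min_port/pasv_max_port are not fixed; set them before writing firewall rules" >&2
            return 1
        fi
        printf '%s:%s/tcp\n' "$min" "$max"
    fi
}

# Usage on a live system:
# vsftpd_firewall_ports "$(cat /etc/vsftpd.conf)"
```

Keep the range small: every port in it is reachable from the Internet, and vsftpd only needs as many ports as there are simultaneous data transfers.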