
Debian 10 ; Apache, mail and FTP server SSL (Let’s Encrypt)

This page explains how to obtain a certificate from Let’s Encrypt and use it to enable SSL/TLS on Apache, on the mail server (Postfix and Dovecot) and on the FTP server (vsftpd).

1. Obtaining a certificate (Let’s Encrypt)

1.1 Advance preparation

①Enable mod_ssl

# a2enmod ssl

②Install a client tool to obtain a Let’s Encrypt certificate.

# apt -y install certbot

③Obtaining a Let’s Encrypt certificate
It is assumed that a web server such as Apache httpd or Nginx is already running and serving the document root given with -w.
If no web server is running on the server where the work is performed, use the procedure in ④ instead.
It is also assumed that port 80 of the server where the work is performed (the server whose FQDN you want a certificate for) is reachable from the Internet and that the FQDN resolves to this server: the HTTP-01 validation fetches http://hoge.com/.well-known/acme-challenge/<token> from outside.

# certbot certonly --webroot -w /var/www/html/hoge.com -d hoge.com

# -w [document root]  -d [FQDN for which you want to obtain a certificate]
# -d may be repeated to put several names on the same certificate, e.g. -d hoge.com -d www.hoge.com (each name is validated separately).
# FQDN (Fully Qualified Domain Name): the host name together with the full domain name, written without abbreviation.
# Specifying the document root only causes certbot to create a [.well-known/acme-challenge] directory under it and place the validation files there temporarily; they are removed once validation is done.
# The first time only, you must register an email address and agree to the terms of use.
# Specify a valid email address; it is where expiry warnings are sent.

Enter email address (used for urgent notices and lost key recovery)

hoge@hoge.com

< OK > <Cancel>

# I agree to the terms of use
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

<Agree > <Cancel>

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/hoge.com/fullchain.pem. Your cert will
expire on 2018-07-27. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
- If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

# If you see [Congratulations], you have succeeded.
# The following files have been placed under [/etc/letsencrypt/live/hoge.com/], as stated in the message
# cert.pem => SSL server certificate (including the public key)
# chain.pem => Intermediate certificate
# fullchain.pem => cert.pem and chain.pem concatenated (what most servers should be given)
# privkey.pem => Private key matching the certificate
# The entries in live/ are symlinks to the current versions in /etc/letsencrypt/archive/hoge.com/ and are repointed on renewal, so always reference the live/ paths in service configuration.
# These directories are not readable by ordinary users. Apache, Postfix, Dovecot and vsftpd all read the key with root privileges when they start, so no permission change is needed and privkey.pem should never be made world-readable.

④Obtaining a Let’s Encrypt certificate when no web server is running
Port 80 of the server where the work is performed must be reachable from the Internet, and nothing else may be listening on it: in standalone mode certbot starts its own temporary web server on port 80 to answer the validation request, so stop any web server first (or use ③).

# -d [FQDN for which you want to obtain a certificate] (repeat -d for additional names)
# FQDN (Fully Qualified Domain Name): the host name together with the full domain name, written without abbreviation.

# certbot certonly --standalone -d hoge.com
Enter email address (used for urgent notices and lost key recovery)

hoge@hoge.com

< OK > <Cancel>

#I agree to the terms of use
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

<Agree > <Cancel>

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hoge.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hoge.com/privkey.pem
Your cert will expire on 2019-10-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donat

⑤Renewing a certificate that has already been obtained
# certbot renew renews every certificate under /etc/letsencrypt that expires in less than 30 days, using the method (webroot or standalone) recorded in /etc/letsencrypt/renewal/ when it was first obtained; a standalone certificate therefore needs port 80 free again at renewal time.
# Add [--force-renewal] to reissue regardless of the days left. Every forced issuance counts against Let’s Encrypt’s duplicate-certificate rate limit (5 per week for the same set of names), so use it only when the key or the names must change.
# The Debian certbot package installs a systemd timer (certbot.timer) that runs certbot renew automatically twice a day, so manual renewal is normally only needed for testing; certbot renew --dry-run confirms that unattended renewal will work without issuing anything.
# A renewed certificate is not picked up by Apache, Postfix, Dovecot or vsftpd until they reload. Put a script that reloads them in /etc/letsencrypt/renewal-hooks/deploy/; certbot runs each executable there once per renewed certificate.

# certbot renew [--force-renewal]
# certbot renew --dry-run
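The deploy hook below is added here as an example; it is not part of the original page or of certbot. It reloads only the daemons that use the renewed certificate. Certbot sets RENEWED_LINEAGE (the live/ directory) and RENEWED_DOMAINS in the hook's environment; the mapping from lineage name to services follows sections 2 to 4 (hoge.com for Apache and vsftpd, mail.hoge.com for Postfix and Dovecot), while the file name and the RELOAD_CMD override are assumptions of this example.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from the original page).
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (mode 0755).
# Certbot runs every executable in that directory once per renewed certificate
# with RENEWED_LINEAGE=/etc/letsencrypt/live/<name> and RENEWED_DOMAINS="<names>".
set -eu

: "${RENEWED_LINEAGE:=}"
: "${RENEWED_DOMAINS:=}"
# RELOAD_CMD is an assumption of this example: it defaults to systemd's
# reload-or-restart (reload where the unit supports it, restart otherwise)
# and can be overridden, e.g. RELOAD_CMD=echo for a dry run.
: "${RELOAD_CMD:=systemctl reload-or-restart}"

# Map a lineage directory to the daemons that load its files. The names follow
# this page: hoge.com is used by Apache and vsftpd, mail.hoge.com by Postfix and
# Dovecot. Unknown lineages map to nothing, so a certificate added later does
# not trigger reloads by accident.
services_for_lineage() {
    case "$(basename "$1")" in
        hoge.com)      echo "apache2 vsftpd" ;;
        mail.hoge.com) echo "postfix dovecot" ;;
        *)             echo "" ;;
    esac
}

# Reload each service in the (space-separated) list; keep going after a
# failure but return 1 so that certbot records the hook as failed in its log.
reload_services() {
    rc=0
    for svc in $1; do
        if ! $RELOAD_CMD "$svc"; then
            echo "reload of $svc failed" >&2
            rc=1
        fi
    done
    return $rc
}

# Entry point when run by certbot; does nothing if the variables are unset,
# e.g. when the file is sourced for testing.
if [ -n "$RENEWED_LINEAGE" ]; then
    echo "renewed: $RENEWED_DOMAINS ($RENEWED_LINEAGE)"
    reload_services "$(services_for_lineage "$RENEWED_LINEAGE")"
fi
```

Because the hook runs as root from the certbot timer, it deliberately contains no logic that depends on the certificate contents; it only trusts the lineage name certbot passes in. A dry run is `RENEWED_LINEAGE=/etc/letsencrypt/live/mail.hoge.com RELOAD_CMD=echo sh reload-services.sh`.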

2. Configuring SSL/TLS (Let’s Encrypt) in Apache2

①Editing the SSL-related configuration file for Apache2
(The line numbers below refer to the unmodified default-ssl.conf shipped with Debian 10.)

# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
# vi hoge.com-ssl.conf
# Line 3: Change the admin address
ServerAdmin  hoge@hoge.com
# Add below it the name the certificate was issued for, so that this vhost is selected by SNI when more than one site listens on 443
ServerName hoge.com
# Line 5: Change
DocumentRoot /var/www/html/hoge.com
# Lines 13 and 14: Change
ErrorLog ${APACHE_LOG_DIR}/hoge.com.error.log
CustomLog ${APACHE_LOG_DIR}/hoge.com.access.log combined
# Lines 32 and 33: Change to the certificate obtained in [1].
SSLCertificateFile      /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42: Uncomment and change to the chain file obtained in [1]. Without the intermediate certificate a browser that
# has it cached still connects, but strict clients fail with "unable to verify the first certificate".
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem
# Apache 2.4.38 on Debian 10 treats SSLCertificateChainFile as deprecated (since 2.4.8). The equivalent and simpler
# form is to point line 32 at fullchain.pem and leave line 42 commented out:
# SSLCertificateFile      /etc/letsencrypt/live/hoge.com/fullchain.pem

②Reflecting and activating the configuration file

# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
systemctl reload apache2

# a2dissite default-ssl.conf     (disable the default SSL site so it does not compete with hoge.com-ssl.conf for *:443)
# apachectl configtest           (must print "Syntax OK"; a typo in a certificate path would otherwise stop Apache on restart)
# systemctl restart apache2

# mod_ssl was enabled in 1.1 ①. If that step was skipped, a2enmod ssl enables it together with its dependencies and asks for a restart:
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2

③http to https redirection
Both methods below use mod_rewrite, which is not enabled by default on Debian: run "a2enmod rewrite" first.

1.How to create a .htaccess file
Create a .htaccess file in /var/www/html/hoge.com/ and fill in the following. The <Directory> block for that path must allow overrides (AllowOverride All, or at least FileInfo); otherwise the file is silently ignored.
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

2.How to fill in /vhost-hoge.com.conf
Put the same rules inside the <VirtualHost *:80> block for hoge.com (in a port-80 vhost HTTPS is never "on", but the condition keeps the snippet safe if it is copied elsewhere):
# vi /etc/apache2/sites-available/vhost-hoge.com.conf
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

%{HTTP_HOST} echoes whatever Host header the client sent. For a single site it is cleaner to redirect to the name on the certificate, https://hoge.com%{REQUEST_URI}, or to replace the three lines with the mod_alias directive "Redirect permanent / https://hoge.com/", which appends the request path itself and needs no mod_rewrite at all.

④Reflection of settings and startup

# a2ensite vhost-hoge.com.conf
# apachectl configtest

Restarting Apache
# systemctl restart apache2

 

3. Set up SSL/TLS (Let’s Encrypt) on your mail server.

3.1 Set up a virtual host and obtain a certificate

①Configuring the mail host as an Apache virtual host
The certificate for mail.hoge.com is obtained with the webroot method, so the name needs an HTTP vhost that serves the validation files. mail.hoge.com must resolve (A/AAAA record) to this server and port 80 must be reachable from the Internet, as in 1.1 ③.

# cd /etc/apache2/sites-available/
# vi vhost-hoge.com.conf
<VirtualHost *:80>
    (omitted)
    ServerName mail.hoge.com
    ServerAdmin hoge@hoge.com
    DocumentRoot /var/www/html/mail.hoge.com
    (omitted)
    ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined
    (omitted)
</VirtualHost>

②Create the mail.hoge.com directory in /var/www/html/ and activate the vhost, so that the validation files are served before certbot runs.

# mkdir -p /var/www/html/mail.hoge.com
# a2ensite vhost-hoge.com.conf
# apachectl configtest
# systemctl reload apache2

③Obtain a Let’s Encrypt SSL certificate for your mail server.

# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com

3.2 Postfix Configuration

④Modify the Postfix configuration file.
Configure SSL/TLS settings to enable encrypted communication.
Ports: 587/TCP for submission (STARTTLS), 465/TCP for SMTPS (TLS from the first byte), 995/TCP for POP3S and 993/TCP for IMAPS. Port 25 keeps offering opportunistic STARTTLS to other mail servers.

# vi /etc/postfix/main.cf

# Add to the last line. The Debian package already sets smtpd_tls_cert_file/smtpd_tls_key_file to the "snakeoil"
# self-signed certificate and smtpd_tls_security_level=may near the top of main.cf; the last occurrence of a
# parameter wins, so comment those earlier lines out to avoid confusion.
# smtpd_use_tls = yes is the pre-2.3 spelling of the following line; Postfix 3.4 on Debian 10 uses the security level.
smtpd_tls_security_level = may
# Opportunistic TLS when delivering to other servers as well
smtp_tls_security_level = may
# The *_mandatory_protocols settings only apply where TLS is mandatory (security level encrypt, i.e. the
# submission port below); smtpd_tls_protocols covers the opportunistic case on port 25.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.hoge.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.hoge.com/privkey.pem
# The session cache is written by tlsmgr as the postfix user, so it must live in a directory that user can
# write to ($data_directory, /var/lib/postfix on Debian), not in /etc/postfix.
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Include cryptographic information in the "Received:" message header
smtpd_tls_received_header = yes
# SMTP AUTH through the Dovecot socket configured in 3.3 (without these two lines Postfix looks for Cyrus SASL)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# vi /etc/postfix/master.cf

# Uncomment the following lines. "submission" is STARTTLS on 587 and "smtps" is TLS from the first byte (wrapper
# mode) on 465, so mail clients can use either. In master.cf a line that starts with whitespace continues the
# previous entry, so the "-o" lines must stay indented.
# The lines that reference $mua_client_restrictions and friends are left commented: those parameters are not
# defined in main.cf, and postfix check warns "undefined parameter" for each one. Define them in main.cf first
# if you want to use them.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd

# smtpd_tls_security_level=encrypt on submission and wrappermode on smtps guarantee that AUTH never happens in the
# clear. smtpd_relay_restrictions=permit_sasl_authenticated,reject on both ports means only authenticated clients
# may relay; that line is what keeps these ports from becoming an open relay.

Check that the settings are correct (postfix check prints nothing when main.cf and master.cf are valid).

# postfix check

⑤Postfix startup, auto-start configuration
(restart rather than start, so that a Postfix that is already running re-reads the new configuration)

# systemctl restart postfix
# systemctl enable postfix

3.3 Configuring Dovecot

①Modify the Dovecot configuration file

# vi /etc/dovecot/conf.d/10-ssl.conf

# Line 6: Change ("ssl = required" refuses any non-TLS connection outright and is the stricter choice once the plaintext listeners below are disabled)
ssl = yes
# Lines 12 and 13: Uncomment and specify the certificate/key file. The leading "<" tells Dovecot to read the file;
# it is read with root privileges before Dovecot drops them, so the root-only privkey.pem works as is.
ssl_cert = </etc/letsencrypt/live/mail.hoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hoge.com/privkey.pem

・Enable imaps and pop3s, which use encryption, and disable imap and pop3, which accept plaintext connections, by setting "port = 0".

# vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}
・Specify the authentication socket file for the Dovecot SASL library (around line 113). Postfix connects to this socket (private/auth, relative to its queue directory) for SMTP AUTH.
service auth {
  (Omitted)
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  ↓
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
# mode = 0660 with user/group = postfix is sufficient, since only Postfix needs the socket. 0666 also works because
# /var/spool/postfix/private is itself accessible only to the postfix user, but there is no reason to open it wider.

・Setting the authentication method. Passwords are sent with the PLAIN/LOGIN mechanisms, which is acceptable only because every listener is TLS. Keep disable_plaintext_auth at its default of "yes": Dovecot then refuses those mechanisms on any connection that is not TLS-protected (or local). With the plaintext ports already disabled above the setting never triggers, and it is a safety net if a plaintext listener is ever turned back on; setting it to "no" would let passwords travel in the clear in that case.

# vi /etc/dovecot/conf.d/10-auth.conf

#disable_plaintext_auth = yes   →  leave as is (the default is yes)
auth_mechanisms = plain  → auth_mechanisms = plain login   (LOGIN is only needed for older Outlook versions)

・Specify the location of the mailbox.

# vi /etc/dovecot/conf.d/10-mail.conf

#mail_location =   →  mail_location = maildir:~/Maildir

・Change the output destination of the log

# vi /etc/dovecot/conf.d/10-logging.conf

#log_path = syslog   →  log_path = /var/log/dovecot/dovecot.log

・Create log output destination

# mkdir /var/log/dovecot

② Start Dovecot and set it to start automatically (restart if it was already running, so that the new configuration is loaded).

# doveconf -n > /dev/null     (prints only errors; an invalid configuration is reported here before the restart)
# systemctl restart dovecot
# systemctl enable dovecot

③Verify that the authentication socket file has been created.

# ls -F /var/spool/postfix/private/auth
—(The following output means success; the trailing "=" is how ls -F marks a socket.)—
/var/spool/postfix/private/auth=

4. Configure SSL/TLS (Let’s Encrypt) for FTP Vsftpd

① Modify the Vsftpd configuration file

# vi /etc/vsftpd.conf
# Add the following to the last line
# add letsencrypt
# The hoge.com certificate is reused here, so clients must connect to the name on the certificate (hoge.com); to use a
# name such as ftp.hoge.com, add it with another -d when the certificate is obtained in 1.1 ③.
rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem
ssl_enable=YES
# Local (system account) users must use TLS for both the login and the data channel: explicit FTPS via AUTH TLS on port 21.
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Passive mode with a fixed port range, so the firewall can be opened for exactly these ports.
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# If the server is behind NAT, also set pasv_address=<public IP address>; otherwise clients are told the private address.
# If a client fails on the data connection with an error about TLS session reuse, vsftpd's default require_ssl_reuse=YES
# is the cause: it ties each data connection to the authenticated control session. Setting it to NO helps such clients
# but gives up that binding, so prefer a client that supports session reuse.

# systemctl restart vsftpd

# systemctl restart vsftpd

② Firewall Settings
Allow the fixed PASV port range in addition to the FTP control port (21/TCP must be open as well; check with "ufw status").

# ufw allow 21/tcp
# ufw allow 21000:21010/tcp
# ufw reload
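Once everything above is in place, the script below, added here as an example and not part of the original page or of any of the tools it configures, probes each listener from a client machine with openssl s_client and checks the port-80 redirect with curl. The host names are the page's placeholders; the endpoint list, the --run switch and the function names are assumptions of this example. The parse functions work on saved s_client output, so they can be exercised without any network.

```shell
#!/bin/sh
# Added example, not code from the original page: once sections 2 to 4 are in
# place, confirm from outside that every listener presents the Let's Encrypt
# certificate with its chain and that port 80 redirects to https. Host names
# are the page's placeholders (hoge.com, mail.hoge.com); replace them.
set -u

# One endpoint per line: label host port [starttls-protocol]. Ports 587 and 21
# start in cleartext and upgrade with STARTTLS / AUTH TLS; the others are TLS
# from the first byte (wrapper mode).
ENDPOINTS='
https        hoge.com      443
submission   mail.hoge.com 587 smtp
smtps        mail.hoge.com 465
imaps        mail.hoge.com 993
pop3s        mail.hoge.com 995
ftp-explicit hoge.com      21  ftp
'

# Numeric "Verify return code" from s_client output on stdin (0 = chain verified).
# Code 21 ("unable to verify the first certificate") usually means the server
# sent cert.pem without the intermediate; use fullchain.pem or a chain file.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Negotiated protocol version (e.g. TLSv1.2) from s_client output on stdin.
tls_version() {
    sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Location header from an HTTP response (headers on stdin), CR stripped.
redirect_target() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# One handshake; the system CA store is used, so verification succeeds only
# when the server sends the intermediate certificate as well.
probe() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
    fi
}

# Probe every endpoint, print one summary line each, return 1 if any failed.
# A here-document (not a pipe) feeds the loop so that rc survives it.
check_all() {
    rc=0
    while read -r label host port proto; do
        [ -n "$label" ] || continue
        out=$(probe "$host" "$port" "$proto")
        code=$(printf '%s\n' "$out" | verify_code)
        ver=$(printf '%s\n' "$out" | tls_version)
        printf '%-12s %-20s %-8s verify=%s\n' "$label" "$host:$port" "${ver:-none}" "${code:-none}"
        [ "$code" = "0" ] || rc=1
    done <<EOF
$ENDPOINTS
EOF
    return $rc
}

# Port 80 must answer with a redirect to the https origin of the same host.
check_redirect() {
    target=$(curl -sI "http://$1/" | redirect_target)
    case "$target" in
        https://"$1"/*) return 0 ;;
        *) echo "no https redirect on $1 (got '$target')" >&2; return 1 ;;
    esac
}

# Run the live checks only when asked, so sourcing the file touches no network.
if [ "${1:-}" = "--run" ]; then
    check_all
    check_redirect hoge.com
fi
```

Run it as "sh check-tls.sh --run" from a machine outside the server's firewall; a verify code other than 0 on a single port points at that service's certificate setting (for example cert.pem instead of fullchain.pem), while a missing TLS version on 587 or 21 means STARTTLS / AUTH TLS was not offered at all.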