
Fedora 38: SSL certificate acquisition (Let's Encrypt), Apache / mail SSL/TLS

1. Obtain an SSL certificate (Let's Encrypt)

Install the latest openssl

1.1 Advance preparation

1. Install the Snappy package management system
Since 2021 Let's Encrypt recommends installing its certificate-issuing tool "certbot" via "snap", so install snapd first. (certbot can also be installed the traditional way with dnf or yum.)

Enable classic snap support

Version check

Log out and log in again, or reboot the system, so that the snap path is picked up correctly.

2. Install the certbot package

Create a symbolic link to /snap/bin/certbot

Confirmation

1.2 Obtaining Certificates

Registering an e-mail address and agreeing to the terms of use are required the first time only.
Specify an e-mail address at which to receive notifications.

If "Successfully received certificate" is displayed, the certificate was obtained.
The following files are placed under [/etc/letsencrypt/live//], as stated in the message:

cert.pem ⇒ SSL server certificate (including public key)
chain.pem ⇒ intermediate certificate
fullchain.pem ⇒ File containing cert.pem and chain.pem combined
privkey.pem ⇒ private key

※ Obtaining a Let's Encrypt certificate when the web server is not running

Prerequisite: the server on which the work is performed must be reachable from the Internet on port 80.
Specify [--standalone] to use certbot's built-in simple web server.
-d [FQDN for which you want to obtain a certificate]
FQDN (Fully Qualified Domain Name): hostname.domain, with no part abbreviated.
If you want certificates for several FQDNs, repeat -d [FQDN] once per name.

Renewing certificates already obtained
Renews every certificate whose expiration date is less than 30 days away.
To renew regardless of the number of days remaining, also specify [--force-renewal].
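The install, issuance and manual renewal steps from sections 1.1 and 1.2 as one script. This is an added example, not the page's own command listing; the host names www.example.com and mail.example.com, the e-mail address and the document root layout /var/www/html/<FQDN> are assumptions. With DRY_RUN=1 it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): install certbot via snap on Fedora
# and obtain/renew a Let's Encrypt certificate. Host names such as
# www.example.com are placeholders. DRY_RUN=1 only prints the commands.
set -u

run() {                       # run a command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Check that an argument is a fully qualified host name (hostname.domain):
# certbot -d needs a name that resolves publicly, not an abbreviated host name.
is_fqdn() {
    printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

install_certbot_snap() {      # section 1.1: snapd, classic snap support, certbot
    run sudo dnf install -y snapd
    run sudo systemctl enable --now snapd.socket
    run sudo ln -sfn /var/lib/snapd/snap /snap       # classic snap support
    run sudo snap install core
    run sudo snap refresh core
    run sudo snap install --classic certbot
    run sudo ln -sfn /snap/bin/certbot /usr/bin/certbot
    run certbot --version                            # confirmation
}

# Obtain a certificate. With the web server running, use the webroot
# authenticator; when nothing listens on port 80, use --standalone, which
# starts certbot's own temporary web server (port 80 must be reachable).
obtain_cert() {               # obtain_cert <email> <webroot|standalone> <fqdn>...
    local email=$1 mode=$2; shift 2
    local first=$1 args="" fqdn
    for fqdn in "$@"; do
        is_fqdn "$fqdn" || { echo "not an FQDN: $fqdn" >&2; return 1; }
        args="$args -d $fqdn"                        # one -d per name
    done
    case "$mode" in
        webroot)    set -- --webroot -w "/var/www/html/$first" ;;
        standalone) set -- --standalone ;;
        *) echo "mode must be webroot or standalone" >&2; return 1 ;;
    esac
    # --agree-tos and -m are needed on first use only; -n makes it non-interactive
    run sudo certbot certonly "$@" -n --agree-tos -m "$email" $args
}

# Renews everything within 30 days of expiry; --force-renewal ignores that
# threshold and every forced issuance counts against the Let's Encrypt limits.
renew_certs() {               # renew_certs [--force-renewal]
    run sudo certbot renew "$@"
}

case "${1:-}" in
    install) install_certbot_snap ;;
    obtain)  shift; obtain_cert "$@" ;;
    renew)   shift; renew_certs "$@" ;;
esac
```

Usage: `./le.sh install`, then `./le.sh obtain admin@example.com standalone mail.example.com`, and later `./le.sh renew`. Prefix any call with `DRY_RUN=1` to see the exact certbot command line before running it.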

1.3 Automatic renewal of certificates (Let's Encrypt)

Pre-registration testing
First, test automatic renewal with the --dry-run option below.
With this option certificates are only checked, not renewed, so there is no risk of hitting the limit on how many times a certificate can be obtained.

When the snap version of certbot is installed, automatic certificate renewal is installed as well.

snap.certbot.renew.timer is registered

Check the unit file snap.certbot.renew.timer

According to the configuration above, renewal is attempted every day at 05:17 and 16:20, as specified by the OnCalendar parameter (the configured times are random and change with each update).

Check the unit file snap.certbot.renew.service

However, the web server that uses the certificate is not restarted after renewal, so set up a script (a certbot deploy hook) that runs automatically after a renewal.
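An added example of such a post-renewal script, not taken from the page: a certbot deploy hook placed in /etc/letsencrypt/renewal-hooks/deploy/. certbot runs every executable in that directory after a successful renewal and passes the renewed names in RENEWED_DOMAINS and the live/ directory in RENEWED_LINEAGE. The mapping of www.* names to Apache and mail.* names to Postfix and Dovecot is an assumption for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a certbot deploy hook that reloads
# only the services that use a renewed certificate. certbot sets RENEWED_DOMAINS
# (space-separated) and RENEWED_LINEAGE when it runs the hook; the host-name to
# service mapping below is an assumption.
set -u

# Print the systemd units that depend on a certificate for the given names.
# Assumed layout: www.* is served by Apache, mail.* by Postfix and Dovecot.
services_for_domains() {      # services_for_domains "<fqdn> <fqdn> ..."
    local units="" d
    for d in $1; do
        case "$d" in
            www.*)  units="$units httpd" ;;
            mail.*) units="$units postfix dovecot" ;;
            *)      units="$units httpd" ;;   # unknown names: assume a web host
        esac
    done
    # de-duplicate while preserving order
    printf '%s\n' $units | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Reload rather than restart so existing connections are not dropped; all
# three services re-read the certificate files on reload.
reload_services() {           # reload_services "<fqdn> <fqdn> ..."
    local u
    for u in $(services_for_domains "$1"); do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '+ systemctl reload %s\n' "$u"
        else
            systemctl reload "$u" || logger -t certbot-deploy "reload of $u failed"
        fi
    done
}

# Entry point when invoked by certbot: act only on the variables it supplies,
# so running the file by hand without them does nothing.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    logger -t certbot-deploy "renewed ${RENEWED_LINEAGE:-?} for: $RENEWED_DOMAINS"
    reload_services "$RENEWED_DOMAINS"
fi
```

Install it with `sudo install -m 755 reload-services.sh /etc/letsencrypt/renewal-hooks/deploy/`. Note that `certbot renew --dry-run` does not execute deploy hooks, so exercise the script separately, for example `RENEWED_DOMAINS="mail.example.com" DRY_RUN=1 ./reload-services.sh`, before relying on it.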

2. Converting Apache to https

Install the following just in case

2.1 Edit ssl.conf file

Restart Apache

Allow https in the firewall

2.2 Redirect HTTP communications to HTTPS

Create .htaccess under /var/www/html/[FQDN]/

Contents of .htaccess
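The Apache side of sections 2.1 and 2.2 as an added example (not the page's own ssl.conf or .htaccess): a script that emits the TLS virtual host pointing at the Let's Encrypt files, the .htaccess redirect, validates the configuration before restarting, and opens https in firewalld. The host name www.example.com and writing the vhost to its own file under /etc/httpd/conf.d/ instead of editing ssl.conf directly are assumptions; the directives are the same ones you would place in ssl.conf's <VirtualHost _default_:443> block.

```shell
#!/usr/bin/env bash
# Added example, not from the page: generate the Apache TLS virtual host for a
# Let's Encrypt certificate and the .htaccess http->https redirect, then apply
# them. www.example.com and the /var/www/html/<FQDN> document root are
# assumptions. DRY_RUN=1 prints the generated files instead of writing them.
set -u

apache_tls_vhost() {          # apache_tls_vhost <fqdn>  -> vhost text on stdout
    local fqdn=$1 live="/etc/letsencrypt/live/$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName $fqdn
    DocumentRoot /var/www/html/$fqdn
    SSLEngine on
    # fullchain.pem = cert.pem + chain.pem; privkey.pem stays readable by root only
    SSLCertificateFile    $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    # the certificate alone does not disable old protocols; do it explicitly
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # browsers that have seen this header keep using https for a year
    Header always set Strict-Transport-Security "max-age=31536000"
    # required for the .htaccess redirect; set it in the :80 vhost as well
    <Directory /var/www/html/$fqdn>
        AllowOverride All
    </Directory>
</VirtualHost>
EOF
}

htaccess_redirect() {         # .htaccess content: send plain http to https
    cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

deploy_apache_tls() {         # deploy_apache_tls <fqdn>
    local fqdn=$1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        apache_tls_vhost "$fqdn"; htaccess_redirect; return 0
    fi
    sudo dnf install -y mod_ssl                      # provides ssl.conf and mod_ssl
    apache_tls_vhost "$fqdn" | sudo tee "/etc/httpd/conf.d/$fqdn-ssl.conf" >/dev/null
    htaccess_redirect | sudo tee "/var/www/html/$fqdn/.htaccess" >/dev/null
    sudo apachectl configtest                        # refuse to restart on a broken config
    sudo systemctl restart httpd
    sudo firewall-cmd --permanent --add-service=https
    sudo firewall-cmd --reload
}

case "${1:-}" in deploy) deploy_apache_tls "$2" ;; esac
```

`apachectl configtest` is the check worth keeping: a typo in the certificate path otherwise takes the site down at restart. The RewriteCond on %{HTTPS} prevents a redirect loop once the request already arrives over TLS.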

3. SSL/TLS (Let's Encrypt) settings on the mail server

3.1 Obtaining a certificate for the mail server

Obtain a certificate for the mail server. Because it cannot be obtained in the same way as above, stop the web server once and add the "--standalone" option.

3.2 Postfix Configuration

3.3 Dovecot Settings

Allow port 587 in the firewall
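Sections 3.2 and 3.3 as one added example (not the page's own main.cf or dovecot configuration): Postfix is pointed at the certificate with postconf, the submission service is enabled with TLS required, and Dovecot's 10-ssl.conf is written so that IMAP on port 143 must upgrade with STARTTLS, matching the Thunderbird settings below. The host name mail.example.com is an assumption, as is that a SASL backend for Postfix is configured elsewhere.

```shell
#!/usr/bin/env bash
# Added example, not from the page: point Postfix and Dovecot at the Let's
# Encrypt certificate for the mail host and open the submission port.
# mail.example.com is an assumption; Dovecot settings use 2.3 syntax.
set -u

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Postfix: opportunistic TLS on port 25 (remote MTAs may not offer it),
# mandatory TLS on the submission port 587 used by mail clients.
configure_postfix_tls() {     # configure_postfix_tls <fqdn>
    local live="/etc/letsencrypt/live/$1"
    run sudo postconf -e "smtpd_tls_cert_file=$live/fullchain.pem" \
                      "smtpd_tls_key_file=$live/privkey.pem" \
                      "smtpd_tls_security_level=may" \
                      "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
                      "smtp_tls_security_level=may"
    # enable the submission service in master.cf with stricter per-service settings
    run sudo postconf -M "submission/inet=submission inet n - n - - smtpd"
    run sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt" \
                      "submission/inet/smtpd_sasl_auth_enable=yes"
}

dovecot_ssl_conf() {          # dovecot_ssl_conf <fqdn> -> 10-ssl.conf text
    local live="/etc/letsencrypt/live/$1"
    cat <<EOF
# TLS for IMAP: port 143 must upgrade with STARTTLS, port 993 is implicit TLS
ssl = required
ssl_cert = <$live/fullchain.pem
ssl_key = <$live/privkey.pem
ssl_min_protocol = TLSv1.2
# "normal password" authentication is only accepted inside the TLS session
disable_plaintext_auth = yes
EOF
}

apply_mail_tls() {            # apply_mail_tls <fqdn>
    local fqdn=$1
    configure_postfix_tls "$fqdn"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        dovecot_ssl_conf "$fqdn"
    else
        dovecot_ssl_conf "$fqdn" | sudo tee /etc/dovecot/conf.d/10-ssl.conf >/dev/null
    fi
    run sudo postfix check                           # validates main.cf/master.cf
    run sudo doveconf -n                             # exits non-zero on a syntax error
    run sudo systemctl restart postfix dovecot
    run sudo firewall-cmd --permanent --add-service=smtp-submission   # port 587
    run sudo firewall-cmd --reload
}

# Verify from outside that the right certificate is served after STARTTLS.
check_starttls() {            # check_starttls <fqdn> <smtp|imap> <port>
    printf 'QUIT\n' | openssl s_client -starttls "$2" -connect "$1:$3" \
        -servername "$1" 2>/dev/null | openssl x509 -noout -subject -dates
}

case "${1:-}" in
    apply) apply_mail_tls "$2" ;;
    check) check_starttls "$2" smtp 587; check_starttls "$2" imap 143 ;;
esac
```

After `./mail-tls.sh apply mail.example.com`, `./mail-tls.sh check mail.example.com` shows the subject and validity dates of the certificate each service presents, which is the quickest way to notice that one daemon is still serving the old file after a renewal.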

3.4 Thunderbird Settings

Receiving server
Port: 143
Connection security: STARTTLS
Authentication method: Normal password

Sending server
Port: 587
Connection security: STARTTLS
Authentication method: Normal password
