RockyLinux8.8 ; SSL Certificate Acquisition( Let's Encrypt ) , Apache SSL , Mail SSL/TLS

1.Obtain an SSL certificate ( Let's Encrypt )

Install the latest open ssl

1.1 advance preparation

1.Package management system Snappy installed
Since the SSL certificate issuing tool "certbot" of Let's Encrypt is recommended to be installed using "snap" after 2021, install Snapd first.(Can also be installed the traditional way with dnf or yum)

Enable systemd unit to manage the main snap communication socket

Enable Classics Snap support

Bring snapd version up to date

If the above fails, run the following command instead (the core package will be installed along with the package called hello-world).

Update core package

Version Check

Log out and log in again or reboot the system to ensure that the snap path is updated correctly

2.certbot package install

Create symbolic link to /snap/bin/certbot

Confirmation

1.2 Obtaining Certificates

Registration of e-mail address and agreement to terms of use are required for the first time only.
Specify an email address to receive

The following certificate is obtained under [/etc/letsencrypt/live/[FQDN]/] as described in the message
cert.pem ⇒ SSL server certificate (including public key)
chain.pem ⇒ intermediate certificate
fullchain.pem ⇒ File containing cert.pem and chain.pem combined
privkey.pem ⇒ private key for a public key

Renewing certificates already obtained
# Renew all certificates with an expiration date of less than 30 days
# If you want to renew regardless of the number of days remaining on the expiration date, specify [--force-renewal] as well

1.2 Automatic renewal of certificates (Let's Encrypt)

①Pre-registration testing
First, test the automatic update using the following --dry-run option.
With this option, certificates are not renewed, only checked, so there is no need to worry about getting stuck with a limit on the number of times a certificate can be obtained.

②When you install the snap version of certbot, the automatic certificate renewal function is also installed.

snap.certbot.renew.timer is registered

Check the unit file snap.certbot.renew.timer

According to the above configuration, it will attempt to update at07:55 and 16:23 every day as specified in the OnCalender parameter(However, the set time changes randomly with each update)

Check the unit file snap.certbot.renew.service

However, the web server using the certificate will not be restarted, so set up a script that will run automatically after the update

2. Converting Apache to https

Install the following

2.1 Edit ssl.conf file

Apache Restart

Allow https in Firewall

2.2 Redirect HTTP communications to HTTPS

Create .htaccess under /var/www/html/[FQDN]/
Contents of .htaccess

3. SSL/TLS (Let's Encrypt) settings on the mail server

3.1  Obtaining a certificate for the mail server

Obtain a certificate for the mail server, but it cannot be obtained in the same way as above, so the following with the "--standalone" option fails.

If I stop the web server once and then do it, it succeeds as follows

3.2 Postfix Configuration

3.3 Dovecot Settings

Allow Port 587 in firewall

3.4 Thunderbird Settings

Receiving server
Port  :  143
Connection security   :  STARTTLS
Authentication method  :  Normal password

Sending server
Port   :  587
Connection security   :  STARTTLS
Authentication method  :  Normal password

タイトルとURLをコピーしました