Instructions on how to obtain a Let's Encrypt certificate and apply it to Apache, a mail server (Postfix/Dovecot) and an FTP server (vsftpd) so that they serve SSL/TLS.
Contents
1. Get a certificate (Let's Encrypt)
1.1 Advance preparation
①Enable mod_ssl
# a2enmod ssl
②Install the client tool used to obtain a Let's Encrypt certificate
# apt -y install certbot
③Obtaining a Let’s Encrypt certificate
It is assumed that a web server such as Apache or Nginx is running.
If the web server is not running on the server where the work is to be carried out, follow step ④.
It is also assumed that the server on which the work is to be carried out (the server with the FQDN for which you want to obtain the certificate) is accessible from the Internet via port 80.
# certbot certonly --webroot -w /var/www/html/hoge.com -d hoge.com
# [--webroot] uses the public directory of the running web server as a temporary area for the authentication challenge.
# -w [Document root] -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the unabbreviated host and domain name
# If the document root belongs to a virtual host and there are multiple host definitions, specify the one for the relevant host definition.
# Only on the first run are you asked to register an email address and agree to the terms of use.
# Specify a valid email address.
Enter email address (used for urgent notices and lost key recovery)
hoge@hoge.com
< OK > <Cancel>
# Agree to the terms of use
<Agree > <Cancel>
IMPORTANT NOTES:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
# If you see "Congratulations", the certificate was issued.
# As the message states, the following files are placed under /etc/letsencrypt/live/hoge.com/:
# cert.pem ⇒ SSL server certificate (including the public key)
# chain.pem ⇒ Intermediate certificate(s)
# fullchain.pem ⇒ cert.pem and chain.pem concatenated, in that order
# privkey.pem ⇒ Private key matching the public key in cert.pem
④Obtaining a Let’s Encrypt certificate when the web server is not running
It is a prerequisite that the port 80 of the server on which the work is carried out is accessible from the Internet.
# [--standalone] starts certbot's own minimal web server on port 80 for the authentication challenge.
# -d [FQDN for which you want to obtain a certificate]
# FQDN (Fully Qualified Domain Name): the unabbreviated host and domain name
# If you want certificates for several FQDNs, repeat -d [FQDN] for each of them.
# certbot certonly --standalone -d hoge.com
Enter email address (used for urgent notices and lost key recovery)
hoge@hoge.com
< OK > <Cancel>
# Agree to the terms of use
<Agree > <Cancel>
IMPORTANT NOTES:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
⑤Renewing a certificate you have already obtained
# Renews every certificate that expires in less than 30 days
# Add [--force-renewal] to renew regardless of the number of days left until expiry
# certbot [--force-renewal] renew
2. Configuring SSL/TLS (Let’s Encrypt) in Apache2
①Editing the SSL-related configuration files for Apache2
# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
# vi hoge.com-ssl.conf
# Line 3: change the administrator's address
ServerAdmin hoge@hoge.com
# Line 5: change
DocumentRoot /var/www/html/hoge.com
# Lines 13,14: change
ErrorLog ${APACHE_LOG_DIR}/hoge.com.error.log
CustomLog ${APACHE_LOG_DIR}/hoge.com.access.log combined
# Lines 32,33: change to the certificate obtained in [1]
SSLCertificateFile /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42: uncomment and change to the chain file obtained in [1]
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem
# (SSLCertificateChainFile has been deprecated since Apache 2.4.8; on current versions pointing SSLCertificateFile at fullchain.pem gives the same result.)
②Reflection and activation of the configuration file
# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
  systemctl reload apache2
# systemctl restart apache2
# a2dissite default-ssl.conf ← disable the default SSL site
# systemctl restart apache2
# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
③http to https redirection
1. Using an .htaccess file
Create a .htaccess file in /var/www/html/hoge.com/ containing the following:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
2. Putting the rules in vhost-hoge.com.conf
# vi /etc/apache2/sites-available/vhost-hoge.com.conf
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Either form needs mod_rewrite enabled (a2enmod rewrite); the .htaccess form additionally needs AllowOverride to permit it for that directory.
④Configuration and start-up
# a2ensite vhost-hoge.com.conf
# systemctl restart apache2
3. Setting up SSL/TLS (Let’s Encrypt) on your mail server
3.1 Setting up a virtual host and obtaining a certificate
①Configuring mail hosts on Apache virtual hosts
# cd /etc/apache2/sites-available/
# vi vhost-hoge.com.conf
Below the virtual host settings for the web service, add the following virtual host for mail:
<VirtualHost *:80>
    ~omitted~
    ServerName mail.hoge.com
    ServerAdmin hoge@hoge.com
    DocumentRoot /var/www/html/mail.hoge.com
    ~omitted~
    ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined
    ~omitted~
</VirtualHost>
②Create a mail.hoge.com directory in /var/www/html/.
③Obtaining a Let's Encrypt SSL certificate for the mail server
# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com
3.2 Postfix Configuration
④Edit the Postfix configuration files.
Configure SSL/TLS so that communication is encrypted.
SMTPS uses 465/TCP, POP3S uses 995/TCP and IMAPS uses 993/TCP.
# vi /etc/postfix/main.cf
# Add to the last line
# vi /etc/postfix/master.cf
# Uncomment the two lines below, together with the -o option lines that follow each of them (the submission line provides STARTTLS, the smtps line provides implicit SSL, so both are supported)
submission inet n       -       y       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
Check that the configuration is valid (no output means it is OK)
# postfix check
⑤Postfix startup, auto-start configuration
# systemctl start postfix
# systemctl enable postfix
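The main.cf additions that the "Add to the last line" step above leaves unspecified, written as an added example (not the article's own text) that applies them with postconf -e so the edit is idempotent. It assumes the mail.hoge.com lineage from 3.1 ③ and the Dovecot socket private/auth that 3.3 creates; smtpd_tls_auth_only=yes is what keeps the PLAIN passwords mentioned in 3.3 off unencrypted SMTP connections.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the certificate lineage obtained in 3.1 (3) for mail.hoge.com.
CERT_DIR=/etc/letsencrypt/live/mail.hoge.com

# Print the Postfix TLS/SASL settings, one key=value per line (postconf -e syntax).
postfix_tls_settings() {
    cat <<EOF
smtpd_tls_cert_file=$CERT_DIR/fullchain.pem
smtpd_tls_key_file=$CERT_DIR/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_loglevel=1
smtp_tls_security_level=may
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
EOF
}
# smtpd_tls_security_level=may: offer STARTTLS to every client but do not
#   require it on port 25, otherwise remote MTAs without TLS cannot deliver.
# smtpd_tls_auth_only=yes: advertise AUTH only after TLS is established, so
#   PLAIN/LOGIN credentials never cross the wire unencrypted.
# smtp_tls_security_level=may: use TLS opportunistically for outbound mail too.
# smtpd_sasl_*: hand authentication to the Dovecot socket configured in 3.3
#   (path is relative to the Postfix queue directory /var/spool/postfix).

# Write the settings into main.cf and show the resulting TLS/SASL block.
apply_postfix_tls() {
    postfix_tls_settings | while IFS= read -r kv; do
        postconf -e "$kv"
    done
    postconf -n | grep -E '^(smtpd_tls|smtp_tls|smtpd_sasl)_'
}
# Usage (as root): apply_postfix_tls && postfix check && systemctl reload postfix
```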
3.3 Configure Dovecot
①Modify the Dovecot configuration file
# vi /etc/dovecot/conf.d/10-ssl.conf
# Line 6: change
Enable imaps and pop3s, which use encryption, and disable imap and pop3, which communicate in plaintext, by setting “port = 0”.
# vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}
・Dovecot SASL: specify the authentication socket file that Postfix will use (around line 113)
service auth {
  (omitted)
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  ↓
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
・Authentication method: allow plaintext password mechanisms; this is acceptable here because the connection itself is encrypted with SSL/TLS. (Note that the default disable_plaintext_auth = yes already permits PLAIN/LOGIN over TLS-protected connections; the setting below only matters for unencrypted connections, which the port = 0 change above removes for IMAP and POP3.)
# vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes → disable_plaintext_auth = no
・Specify mailbox location
# vi /etc/dovecot/conf.d/10-mail.conf
#mail_location = → mail_location = maildir:~/Maildir
・Change log output destination
# vi /etc/dovecot/conf.d/10-logging.conf
#log_path = syslog → log_path = /var/log/dovecot/dovecot.log
・Create log output destination
# mkdir /var/log/dovecot
② Starting Dovecot and configuring auto-start
# systemctl start dovecot
# systemctl enable dovecot
③Check that the authentication socket file has been created
# ls -F /var/spool/postfix/private/auth
—(The following output is what you should see)—
/var/spool/postfix/private/auth=   ← the trailing "=" marks a socket
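As an added check that is not part of the original article, the following POSIX shell function verifies that the port = 0 change in 10-master.conf and the smtps line in master.cf took effect: it reads the output of ss -Hltn and reports any plaintext IMAP/POP3 port still listening and any of the TLS ports 465/993/995 that is missing. The lines in SAMPLE_SS are constructed for the offline run, not a capture from a real host.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample of "ss -Hltn" output (State Recv-Q Send-Q Local:Port Peer:Port);
# it deliberately leaves IMAP on 143 open so the audit has something to report.
SAMPLE_SS='LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 100 0.0.0.0:995 0.0.0.0:*
LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*'

# Plaintext-only listeners that the article closes with "port = 0".
# Port 25 is intentionally absent: inbound SMTP must stay open and is
# protected by STARTTLS on the same port, not by a separate TLS port.
PLAINTEXT_PORTS="110 143"
TLS_PORTS="465 993 995"

# Print the local port of every LISTEN line; handles 0.0.0.0:993 and [::]:993 forms.
listen_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Reads ss output on stdin. Prints one line per finding; returns 1 if any
# plaintext port is still open or any TLS port is missing, 0 otherwise.
audit_mail_listeners() {
    ports=$(listen_ports)
    rc=0
    for p in $PLAINTEXT_PORTS; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "plaintext port $p still listening"
            rc=1
        fi
    done
    for p in $TLS_PORTS; do
        if ! printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "TLS port $p not listening"
            rc=1
        fi
    done
    return $rc
}
# Live use on the mail host: ss -Hltn | audit_mail_listeners
```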
4. Configure SSL/TLS (Let’s Encrypt) for FTP Vsftpd
① Modify the Vsftpd configuration file
# vi /etc/vsftpd.conf
# Add the following to the last line
# add letsencrypt
rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010
# systemctl restart vsftpd
② Firewall settings
Allow the fixed PASV port range in addition to the FTP control port.
# ufw allow 21000:21010/tcp
# ufw reload
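The renewal step in 1.⑤ only replaces the files under /etc/letsencrypt/live/; Apache, Postfix, Dovecot and vsftpd keep using the certificate they loaded until they are reloaded. The deploy hook below is an added example, not part of the original article: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS exported, and the hook maps the two names used above (hoge.com and mail.hoge.com, an assumption about your setup) to the services from sections 2 to 4.

```shell
#!/bin/sh
# Added example, not from the original article.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh and chmod +x.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/hoge.com) and
# RENEWED_DOMAINS (space-separated FQDNs) when it runs a deploy hook.

# Map a renewed FQDN to the services that load its certificate.
# hoge.com      -> apache2 (section 2) and vsftpd (section 4)   [assumed names]
# mail.hoge.com -> postfix and dovecot (section 3)
services_for_domain() {
    case "$1" in
        mail.hoge.com) printf '%s\n' postfix dovecot ;;
        hoge.com)      printf '%s\n' apache2 vsftpd ;;
        *)             ;;   # unknown name: reload nothing rather than guess
    esac
}

# Print a de-duplicated, space-separated list of services for all renewed domains.
services_for_renewal() {
    for d in $1; do
        services_for_domain "$d"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Reload rather than restart so in-flight connections survive; apache2,
# postfix and dovecot support reload, vsftpd's unit does not, so restart it.
reload_service() {
    if [ "$1" = vsftpd ]; then
        systemctl restart "$1"
    else
        systemctl reload "$1"
    fi
}

# Act only when certbot invoked us, so sourcing this file has no side effects.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    for svc in $(services_for_renewal "$RENEWED_DOMAINS"); do
        logger -t certbot-deploy "certificate for $RENEWED_DOMAINS renewed, reloading $svc"
        reload_service "$svc"
    done
fi
```

Test a hook before relying on it with certbot renew --dry-run, which runs deploy hooks only when --run-deploy-hooks is also given.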