Ubuntu Server 23.04: Web server and mail server SSL conversion (Let's Encrypt)

1. Obtain a certificate (Let's Encrypt)

1.1 Advance preparation

1. Enable mod_ssl

2. Install the package management system Snappy
Since 2021, the recommended way to install "certbot", Let's Encrypt's SSL certificate issuing tool, has been with "snap", so install snapd first. (It can also be installed using the conventional method with dnf or yum.)

Bring snapd version up to date

Version Check

1.2 Install the certbot package

Create symbolic link to /snap/bin/certbot


1.3 Obtain a Let's Encrypt Certificate

It is assumed that a web server such as Apache httpd or Nginx is running.
If the web server is not running on the server where the work is to be performed, follow the procedure below under "Obtaining a Let's Encrypt certificate when the web server is not running".
It is also assumed that the server on which the work is to be performed (the server with the FQDN for which you want to obtain the certificate) is accessible from the Internet on port 80.

"Successfully received certificate."
The following certificates are obtained under [/etc/letsencrypt/live//], as described in the message:

cert.pem ⇒ SSL server certificate (including public key)
chain.pem ⇒ intermediate certificate
fullchain.pem ⇒ a combined file of cert.pem and chain.pem
privkey.pem ⇒ private key corresponding to the public key

Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that the server on which this work is performed can be accessed from the Internet on port 80.

1.4 Automatic renewal of certificates (Let's Encrypt)

① Pre-registration testing
First, test automatic renewal with the --dry-run option shown below. With this option the certificate is not actually renewed; only the operation is tested, so there is no need to worry about hitting the limit on the number of times a certificate can be obtained.

When you install the snap version of certbot, the automatic certificate renewal function is also installed.

snap.certbot.renew.timer is registered
Check the unit file for snap.certbot.renew.timer

According to the above settings, renewal is attempted at 3:51 and 14:39 every day, as specified in the OnCalendar parameter (however, the set time changes randomly with each update).

Check the unit file snap.certbot.renew.service

However, the web server that uses the certificate will not be restarted, so set up a script that runs automatically after the update.
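
One way to write such a script, as an added example rather than the page's own: a certbot deploy hook, which certbot runs after each successful renewal when the file is placed executable in /etc/letsencrypt/renewal-hooks/deploy/. The unit names (apache2, postfix, dovecot), the SERVICES and SYSTEMCTL variables and the function names are assumptions made for this example; RENEWED_LINEAGE is set by certbot.

```shell
#!/bin/sh
# Added example: certbot deploy hook. Certbot sets RENEWED_LINEAGE to the
# renewed /etc/letsencrypt/live/<name> directory when it calls the hook.

# Assumption: systemd unit names of the services configured on this page.
SERVICES="${SERVICES:-apache2 postfix dovecot}"
# Overridable so the logic can be exercised without touching real services.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Return 0 only if the lineage holds a non-empty chain and a non-empty
# private key that is not world-readable.
lineage_ok() {
    dir="$1"
    [ -s "$dir/fullchain.pem" ] || { echo "missing $dir/fullchain.pem" >&2; return 1; }
    [ -s "$dir/privkey.pem" ] || { echo "missing $dir/privkey.pem" >&2; return 1; }
    # -H follows the live/ symlink to the real key file in archive/.
    if [ -n "$(find -H "$dir/privkey.pem" -perm -004)" ]; then
        echo "$dir/privkey.pem is world-readable" >&2
        return 1
    fi
}

# Reload every listed service that is currently active; a failed reload is
# reported and makes the function return 1 so the renewal log shows it.
reload_active_services() {
    failed=0
    for svc in $SERVICES; do
        if ! "$SYSTEMCTL" is-active --quiet "$svc"; then
            echo "skip $svc (not active)"
        elif "$SYSTEMCTL" reload "$svc"; then
            echo "reloaded $svc"
        else
            echo "reload of $svc failed" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Do nothing unless certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_ok "$RENEWED_LINEAGE" && reload_active_services
fi
```

The --dry-run test does not run deploy hooks, so the script is first exercised on a real renewal or when run by hand with RENEWED_LINEAGE set.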

2. SSL/TLS (Let's Encrypt) configuration for Apache2

① Edit Apache2 SSL-related configuration files

② Apply and enable the configuration file

③ Redirect http to https

Use one of the following methods.

④ Apply the settings and start up

Apache Restart

3. SSL/TLS (Let's Encrypt) settings on the mail server

3.1 Obtaining a certificate for the mail server

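The mail server also needs a certificate, but it cannot be obtained in the same way as above, and the following attempt with the "--standalone" option fails, because standalone mode has to listen on port 80 itself and the running web server already holds that port.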

If I stop the web server first and then run it, it succeeds as follows.

3.2 Postfix Configuration

SMTP-Submission is [587/TCP], SMTPS is [465/TCP].

3.3 Dovecot Configuration

Allow Port 587

3.4 Thunderbird Settings

Incoming server

Port  :  143
Connection security   :  STARTTLS
Authentication method  :  Normal password

Sending server

Port   :  587
Connection security   :  STARTTLS
Authentication method  :  Normal password