Difference between revisions of "Installing lets-encrypt SSL certificate"
From Notes_Wiki
(Created page with "<yambe:breadcrumb>Apache_web_server_configuration|Apache web server configuration</yambe:breadcrumb> =Installing lets-encrypt SSL certificate= Lets encrypt provides free auto...") |
m |
||
Line 40: | Line 40: | ||
#:: 3 5 * * 0 certbot renew | #:: 3 5 * * 0 certbot renew | ||
#:</pre> | #:</pre> | ||
#:: This would run '<tt>certbot renew</tt>' command on 05:03 every Sunday. You should randomize hour and minute while taking above example configuration | #:: This would run '<tt>certbot renew</tt>' command on 05:03 every Sunday. You should randomize hour and minute while taking above example configuration. | ||
#The above crontab only renews certificates. For automatic restart of various services after renewal, use below instead: | |||
#:<pre> | |||
#:: 3 5 * * 0 certbot renew; systemctl restart httpd; systemctl restart postfix; systemctl restart dovecot; | |||
#:</pre> | |||
Refer: | Refer: |
Revision as of 12:36, 2 April 2019
<yambe:breadcrumb>Apache_web_server_configuration|Apache web server configuration</yambe:breadcrumb>
Installing lets-encrypt SSL certificate
Lets encrypt provides free automated SSL certificates. This is aservice run by Internet Security Research Group (ISRG). Refer https://letsencrypt.org/about/
Obtaining certificates for apache
To obtain a lets-encrypt SSL certificate for your domain for apache web server on top of CentOS 7.0 follow these steps:
- Install required packages and run cert-bot using:
- yum -y install epel-release
- yum -y install python2-certbot-apache
- certbot --apache
- This assumes use of httpd with one or more VirtualHost(s) in '/etc/httpd/conf/httpd.conf' file. You can choose to automatically create http to https redirect, if it is desired. That would only add following configuration to corresponding virtualhost
- RewriteEngine on
- RewriteCond %{SERVER_NAME} =mail.rekallsoftware.com
- RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
- The certificate information is created in '/etc/httpd/conf/httpd-le-ssl.conf'
- If mod-ssl is installed then we need to remove line
- Include /etc/httpd/conf/httpd-le-ssl.conf
-
- from httpd.conf bottom and add it before first VirtualHost for _default in ssl.conf. This way all Listen 443 etc. configuration applies then lets-encrypt SSL certificates are configured and then only default certificates are used for other domains.
- Restart web server
- systemctl restart httpd
-
- and test that configuration works by opening site in browser
- Test that renewal would work properly. This is important as lets encrypt certificates are valid only for 90 days
- certbot renew --dry-run
- Add 'certbot renew' to cron. It renews only when certificate is close to expiry. Website recommends running it twice daily, which might be an overkill. To run this once every week use:
- 3 5 * * 0 certbot renew
-
- This would run 'certbot renew' command on 05:03 every Sunday. You should randomize hour and minute while taking above example configuration.
- The above crontab only renews certificates. For automatic restart of various services after renewal, use below instead:
- 3 5 * * 0 certbot renew; systemctl restart httpd; systemctl restart postfix; systemctl restart dovecot;
Refer:
Using obtained certificates for postfix
For configuring certificates in postfix after they have been created for use with apache:
- Edit /etc/postfix/main.cf and add:
- smtpd_tls_cert_file = /etc/letsencrypt/live/mail.rekallsoftware.com/fullchain.pem
- smtpd_tls_key_file = /etc/letsencrypt/live/mail.rekallsoftware.com/privkey.pem
- smtpd_tls_security_level = may
- smtp_tls_security_level = may
- smtp_tls_note_starttls_offer = yes
- smtpd_tls_received_header = yes
-
- Here replace mail.rekallsoftware.com with your verified domain for postfix to use
- systemctl restart postfix
- systemctl status postfix
- Optionally validate using:
- openssl s_client -connect mail.rekallsoftware.com:25 -servername mail.rekallsoftware.com -starttls smtp
- openssl s_client -connect mail.rekallsoftware.com:587 -servername mail.rekallsoftware.com -starttls smtp
- openssl s_client -connect mail.rekallsoftware.com:465 -servername mail.rekallsoftware.com -starttls smtp
-
- after replacing mail.rekallsoftware.com with desired domain name
Refer:
- https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server
- https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
Using obtained certificate in dovecot
If certificates are already downloaded using apache and the same should be configured for dovecot for POP3 and IMAP, then use:
- Edit /etc/dovecot/conf.d/10-ssl.conf and set values as follows:
- ssl_cert = </etc/letsencrypt/live/mail.rekallsoftware.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mail.rekallsoftware.com/privkey.pem
- ssl_protocols = !SSLv2 !SSLv3
- ssl_cipher_list = HIGH:!SSLv2:!aNULL@STRENGTH
- ssl_prefer_server_ciphers = yes
-
- after replacing mail.rekallsoftware.com with appropriate domain. Note that '<' before path is not a typing mistake. It is required.
- systemctl restart dovecot
- Validate certificate with
- openssl s_client -connect mail.rekallsoftware.com:993 -servername mail.rekallsoftware.com
-
- after replacing mail.rekallsoftware.com with appropriate name
Refer:
<yambe:breadcrumb>Apache_web_server_configuration|Apache web server configuration</yambe:breadcrumb>