Let's Encrypt
Obtaining TLS Certificate with Apache Web Server
You need to have an Apache virtual host for mail.your-domain.com before obtaining a Let's Encrypt TLS certificate. Create the virtual host file:
# vi /etc/httpd/conf.d/mail.worldcm.net.conf
Then paste the following text into the file.
<VirtualHost *:80>
    ServerName mail.worldcm.net
    DocumentRoot /var/www/html/
</VirtualHost>
Save and close the file. Reload Apache for the changes to take effect.
# systemctl reload httpd
Snappy : Install
# install from EPEL
[root@mail]# dnf --enablerepo=epel -y install snapd
[root@mail]# ln -s /var/lib/snapd/snap /snap
[root@mail]# echo 'export PATH=$PATH:/var/lib/snapd/snap/bin' > /etc/profile.d/snap.sh
[root@mail]# systemctl enable --now snapd.service snapd.socket
# list installed packages
[root@mail]# snap list
No snaps are installed yet. Try 'snap install hello-world'.
# search packages with words in Snap repository
[root@mail]# snap find kubernetes
Name                 Version  Publisher              Notes    Summary
kubernetes-worker    0.0.2    canonical✓             -        A complete Kubernetes worker
kubernetes-test      1.23.4   canonical✓             classic  tests for kubernetes
kubernetes-test-eks  1.10.3   canonical-cloud-snaps  classic  tests for kubernetes
microk8s             v1.23.4  canonical✓             classic  Kubernetes for workstations and ap...
.....
# install [hello-world] package
[root@mail]# snap install hello-world
2022-03-14T13:17:41+09:00 INFO Waiting for automatic snapd restart...
hello-world 6.4 from Canonical✓ installed
[root@mail]# snap list
Name         Version    Rev    Tracking       Publisher   Notes
core         16-2.54.3  12725  latest/stable  canonical✓  core
hello-world  6.4        29     latest/stable  canonical✓  -
# show package info
[root@mail]# snap info hello-world
name:      hello-world
summary:   The 'hello-world' of snaps
publisher: Canonical✓
store-url: https://snapcraft.io/hello-world
contact:   snaps@canonical.com
license:   unset
description: |
  This is a simple hello world example.
commands:
  - hello-world.env
  - hello-world.evil
  - hello-world
  - hello-world.sh
snap-id:      buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
tracking:     latest/stable
refresh-date: today at 13:17 JST
channels:
  latest/stable:    6.4 2019-04-17 (29) 20kB -
  latest/candidate: 6.4 2019-04-17 (29) 20kB -
  latest/beta:      6.4 2019-04-17 (29) 20kB -
  latest/edge:      6.4 2019-04-17 (29) 20kB -
installed:          6.4            (29) 20kB -
# run application
[root@mail]# hello-world
Hello World!
# PATH
[root@mail]# which hello-world
/var/lib/snapd/snap/bin/hello-world
[root@mail]# ll /var/lib/snapd/snap/bin/hello-world
lrwxrwxrwx. 1 root root 13 Mar 14 13:17 /var/lib/snapd/snap/bin/hello-world -> /usr/bin/snap
# disable application
[root@mail]# snap disable hello-world
hello-world disabled
[root@mail]# snap list
Name         Version    Rev    Tracking       Publisher   Notes
core         16-2.54.3  12725  latest/stable  canonical✓  core
hello-world  6.4        29     latest/stable  canonical✓  disabled
[root@mail]# hello-world
-bash: /var/lib/snapd/snap/bin/hello-world: No such file or directory
# enable application
[root@mail]# snap enable hello-world
hello-world enabled
[root@mail]# hello-world
Hello World!
# uninstall an application
# [snap remove] requires [tar] command on the System
[root@mail]# snap remove hello-world
hello-world removed
[root@mail]# snap list
Name  Version    Rev    Tracking       Publisher   Notes
core  16-2.54.3  12725  latest/stable  canonical✓  core
Install Certbot client from Snapd.
[root@dlp ~]# snap install certbot --classic
certbot 2.3.0 from Certbot Project (certbot-eff✓) installed
[root@dlp ~]# ln -s /snap/bin/certbot /usr/bin/certbot
Get certificates.
[root@dlp ~]# certbot certonly --webroot -w /var/www/html -d mail.worldcm.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
# on first use only, register your email address and agree to the terms of use
# specify a valid email address
 (Enter 'c' to cancel): root@mail.worldcm.net
Y
Y
# or use the standalone authenticator instead of webroot
[root@dlp ~]# certbot certonly --standalone -d mail.worldcm.net
# a systemd timer is included in the Snapd Certbot package
[root@dlp ~]# systemctl status snap.certbot.renew.timer
# [renew] is run 2 times every day by default, as shown by
[root@dlp ~]# systemctl cat snap.certbot.renew.timer
# for a manual update, run
[root@dlp ~]# certbot renew
Mail Server : SSL/TLS Setting
[root@mail ~]# vi /etc/postfix/main.cf
# line 709, 715 : comment out
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
# add to the end (replace the certificate with your own one)
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
[root@mail ~]# vi /etc/postfix/master.cf
# line 17,18,20 : uncomment (line 19 stays commented, so STARTTLS on port 587 is offered but not required)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# line 29-32 : uncomment
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8 : change (to require SSL for all clients, specify [required])
ssl = yes
# line 14,15 : specify certificates
ssl_cert = </etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.worldcm.net/privkey.pem
[root@mail ~]# systemctl restart postfix dovecot
[3] If SELinux is enabled, restore the context for the certificates.
[root@mail ~]# restorecon -v /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
[root@mail ~]# restorecon -v /etc/letsencrypt/live/mail.worldcm.net/privkey.pem
[4] If Firewalld is running, allow the SMTP-Submission/SMTPS/POP3S/IMAPS services.
SMTP-Submission uses [587/TCP] (STARTTLS), SMTPS uses [465/TCP], POP3S uses [995/TCP], IMAPS uses [993/TCP].
[root@mail ~]# firewall-cmd --add-service={smtp-submission,smtps,pop3s,imaps}
success
[root@mail ~]# firewall-cmd --runtime-to-permanent
success
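Three things are worth checking before the mail server goes live with the settings above: the live/ certificate path must have a slash between the lineage name and the file name, STARTTLS on 587 is only required if the smtpd_tls_security_level=encrypt option is active, and Dovecot's ssl = yes still accepts non-TLS connections unless it is set to required. The following offline lint is an added example, not from the page; the config texts and finding messages are constructed.

```python
import re

# Constructed samples of the three files this section edits, written the way
# the page shows them (missing slash, line 19 commented, ssl = yes).
MAIN_CF_WEAK = """\
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.netfullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.net/privkey.pem
"""
MASTER_CF_WEAK = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
"""
DOVECOT_WEAK = "ssl = yes\nssl_cert = </etc/letsencrypt/live/mail.worldcm.net/fullchain.pem\n"

# Matches a live/ path whose lineage name runs straight into the file name;
# a correct path has '/' before the file name and does not match.
_BAD_LIVE = re.compile(r"/etc/letsencrypt/live/[^/\s]+?(?:fullchain|privkey|cert|chain)\.pem")

def master_cf_options(master_cf, service):
    """Return the active (uncommented) -o options of one master.cf service entry."""
    opts, inside = [], False
    for line in master_cf.splitlines():
        if line.startswith("#"):
            continue                        # commented option: not in effect
        if not line[:1].isspace():          # unindented line starts a service entry
            inside = line.split()[:1] == [service]
        elif inside:
            m = re.match(r"\s*-o\s+(\S+)", line)
            if m:
                opts.append(m.group(1))
    return opts

def lint_mail_tls(main_cf, master_cf, dovecot_ssl):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = [f"malformed certificate path: {p}" for p in _BAD_LIVE.findall(main_cf + dovecot_ssl)]
    if "smtpd_tls_security_level=encrypt" not in master_cf_options(master_cf, "submission"):
        findings.append("submission (587): STARTTLS offered but not required; "
                        "uncomment -o smtpd_tls_security_level=encrypt")
    m = re.search(r"^\s*ssl\s*=\s*(\S+)", dovecot_ssl, re.M)
    if not m or m.group(1) != "required":
        findings.append("dovecot: ssl = yes still accepts non-TLS connections; set ssl = required")
    return findings

if __name__ == "__main__":
    for finding in lint_mail_tls(MAIN_CF_WEAK, MASTER_CF_WEAK, DOVECOT_WEAK):
        print("WARN", finding)
```

Run it against the real files by reading /etc/postfix/main.cf, /etc/postfix/master.cf and /etc/dovecot/conf.d/10-ssl.conf into the three arguments.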
------------------ Redirect to SSL web ---------------------------
# vi /etc/httpd/conf.d/mail.your-domain.com.conf
------------ No SSL ---------------
<VirtualHost *:80>
    ServerName mail.your-domain.com
    DocumentRoot /var/www/html/
</VirtualHost>
----------------------------
------- SSL (redirect HTTP to HTTPS) --------
<VirtualHost *:80>
    ServerName mail.worldcm.net
    DocumentRoot /var/www/html
    ServerAlias mail.worldcm.net
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.worldcm.net [OR]
    RewriteCond %{SERVER_NAME} =mail.worldcm.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
------------------------------
The same block with the redundant duplicate RewriteCond removed:
<VirtualHost *:80>
    ServerName mail.worldcm.net
    DocumentRoot /var/www/html
    ServerAlias mail.worldcm.net
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.worldcm.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
---------------
# certbot --apache -d mail.worldcm.net
# systemctl reload httpd
# systemctl restart httpd.service
[root@mail ~]# ls -al /etc/letsencrypt/live/mail.worldcm.net/
total 4
drwxr-xr-x 2 root root 117 Oct 18 16:25 .
drwx------ 3 root root  60 Oct 18 16:25 ..
lrwxrwxrwx 1 root root  44 Oct 18 16:25 cert.pem -> ../../archive/mail.worldcm.net/cert1.pem
lrwxrwxrwx 1 root root  45 Oct 18 16:25 chain.pem -> ../../archive/mail.worldcm.net/chain1.pem
lrwxrwxrwx 1 root root  49 Oct 18 16:25 fullchain.pem -> ../../archive/mail.worldcm.net/fullchain1.pem
lrwxrwxrwx 1 root root  47 Oct 18 16:25 privkey.pem -> ../../archive/mail.worldcm.net/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 18 16:25 README
Obtaining TLS Certificate with Nginx Web Server
You need to have an Nginx virtual host for mail.your-domain.com before obtaining a Let's Encrypt TLS certificate. Create the virtual host file:
sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf
Next, paste the following text into the file.
server {
    listen 80;
    listen [::]:80;
    server_name mail.your-domain.com;
    root /usr/share/nginx/html/;

    location ~ /.well-known/acme-challenge {
        allow all;
    }
}
Save and close the file. Reload Nginx for the changes to take effect.
sudo systemctl reload nginx
Once the virtual host is created and enabled, run the following command to obtain a Let's Encrypt certificate with the Nginx plugin.
sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com