
------

### CentOS 8 / RHEL 8 ###

yum install -y httpd mod_ssl

curl -O https://dl.eff.org/certbot-auto

mv certbot-auto /usr/local/bin/certbot-auto

chmod 0755 /usr/local/bin/certbot-auto

# dnf module -y install python36

# dnf -y install gcc mod_ssl python3-virtualenv redhat-rpm-config augeas-libs libffi-devel openssl-devel

# curl -O https://dl.eff.org/certbot-auto

# mv certbot-auto /usr/local/bin/

# chmod 700 /usr/local/bin/certbot-auto

# certbot-auto certonly --webroot -w /var/www/html -d mail.worldcm.tk

Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)

dnf is /usr/bin/dnf

dnf is hashed (/usr/bin/dnf)

.....

.....

# for initial use only: register your email address and agree to the terms of use

# specify valid email address

Enter email address (used for urgent renewal and security notices) 

(Enter 'c' to cancel): root@mail.worldcm.tk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# agree to the terms of use

(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for mail.worldcm.net

Using the webroot path /var/www/html for all unmatched domains.

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/mail.worldcm.net/privkey.pem

   Your cert will expire on 2020-03-17. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again. To non-interactively renew *all* of your certificates, run

   "certbot-auto renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

# success if [Congratulations] is shown

# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory

# cert.pem       ⇒ SSL server certificate (includes the public key)

# chain.pem      ⇒ intermediate certificate

# fullchain.pem  ⇒ cert.pem and chain.pem combined into one file

# privkey.pem    ⇒ private key file

# certbot-auto certonly --standalone -d mail.worldcm.tk

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator standalone, Installer None

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for mail.worldcm.net

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/mail.worldcm.net/privkey.pem

   Your cert will expire on 2020-03-17. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again. To non-interactively renew *all* of your certificates, run

   "certbot-auto renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

   

   

 

# certbot-auto renew

   

   

# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out mail_for_iis.pfx

Enter Export Password:     # set an export password (the .pfx contains the private key from privkey.pem)

Verifying - Enter Export Password:

# vi /etc/postfix/main.cf

### SSL

 smtpd_use_tls = yes

 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

 smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.tk/fullchain.pem

 smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.tk/privkey.pem

 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

[root@mail ~]# vi /etc/postfix/master.cf

     16 #tlsproxy  unix  -       -       n       -       0       tlsproxy

     17 submission inet n       -       n       -       -       smtpd

     18    -o syslog_name=postfix/submission

     19 #  -o smtpd_tls_security_level=encrypt

     20    -o smtpd_sasl_auth_enable=yes

     21 #  -o smtpd_tls_auth_only=yes

     22 #  -o smtpd_reject_unlisted_recipient=no

     23 #  -o smtpd_client_restrictions=$mua_client_restrictions

     24 #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     25 #  -o smtpd_sender_restrictions=$mua_sender_restrictions

     26 #  -o smtpd_recipient_restrictions=

     27 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

     28 #  -o milter_macro_daemon_name=ORIGINATING

     29 smtps     inet  n       -       n       -       -       smtpd

     30    -o syslog_name=postfix/smtps

     31    -o smtpd_tls_wrappermode=yes

     32    -o smtpd_sasl_auth_enable=yes

     33 #  -o smtpd_reject_unlisted_recipient=no

     34 #  -o smtpd_client_restrictions=$mua_client_restrictions

     35 #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     36 #  -o smtpd_sender_restrictions=$mua_sender_restrictions

     37 #  -o smtpd_recipient_restrictions=

     38 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

     39 #  -o milter_macro_daemon_name=ORIGINATING

     40 #628       inet  n       -       n       -       -       qmqpd

  

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 8: change (to require SSL, specify [required])

ssl = yes

# line 14,15: specify certificates

ssl_cert = </etc/letsencrypt/live/mail.srv.world/fullchain.pem

ssl_key = </etc/letsencrypt/live/mail.srv.world/privkey.pem

[root@mail ~]# systemctl restart postfix dovecot

Auto-Renew Let’s Encrypt SSL Certificate

Let's Encrypt certificates are only valid for 90 days. Usually, the renewal process is handled by the certbot package, which adds a renew script to the /etc/cron.d directory. The script runs twice daily and automatically renews any certificate within 30 days of expiry.

To test the auto-renewal process, conduct a dry run test with certbot.

$ sudo /usr/local/bin/certbot-auto renew --dry-run

If no errors are reported, automatic renewal is working.

This brings us to the end of this guide. In this guide, we demonstrated how you can use certbot to install and configure the Let’s Encrypt certificate on Apache webserver running on a CentOS 8 system.

Setup Automatic Renewal(crontab)

[root@localhost ~]# echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Setup Auto-renewal

We know that Let’s Encrypt certificates are valid for 90 days. But we can renew the certificates very easily. Just run this command before the expiration date:

certbot renew


We can also setup a cronjob to renew automatically. Open the cronjob:

crontab -e


Then add this line (note that renewal only rewrites the files under /etc/letsencrypt/live/; restart postfix and dovecot afterwards, as shown above, so the renewed certificate is actually served):

0 0 * * 1 /usr/local/bin/certbot renew >> /var/log/sslrenew.log

-----