------
### CentOS 8 / RHEL 8 ###
yum install -y httpd mod_ssl
curl -O https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
# dnf module -y install python36
# dnf -y install gcc mod_ssl python3-virtualenv redhat-rpm-config augeas-libs libffi-devel openssl-devel
# curl -O https://dl.eff.org/certbot-auto
# mv certbot-auto /usr/local/bin/
# chmod 700 /usr/local/bin/certbot-auto
# certbot-auto certonly --webroot -w /var/www/html -d mail.worldcm.tk
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
dnf is /usr/bin/dnf
dnf is hashed (/usr/bin/dnf)
.....
.....
# on first use only, register your email address and agree to the terms of use
# specify a valid email address (it receives expiry and security notices)
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): root@mail.worldcm.tk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of use
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.worldcm.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.worldcm.net/privkey.pem
Your cert will expire on 2020-03-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# success if [Congratulations] is shown
# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory
# cert.pem ⇒ SSL server certificate (includes the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem combined into one file
# privkey.pem ⇒ private key file
# standalone mode: certbot-auto starts its own temporary web server on port 80 for the http-01 challenge, so stop httpd first if it is listening there
# certbot-auto certonly --standalone -d mail.worldcm.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.worldcm.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.worldcm.net/privkey.pem
Your cert will expire on 2020-03-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# certbot-auto renew
# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out mail_for_iis.pfx
Enter Export Password: # set any export password
Verifying - Enter Export Password:
# vi /etc/postfix/main.cf
### SSL
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.tk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.tk/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
[root@mail ~]# vi /etc/postfix/master.cf
# enable the submission and smtps services; note that smtpd_tls_security_level=encrypt and smtpd_tls_auth_only
# stay commented out below, so the submission service still accepts SASL AUTH on an unencrypted connection;
# uncomment one of them to require TLS before AUTH (smtps is already TLS-only through smtpd_tls_wrappermode)
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change (to make SSL mandatory, specify [required])
ssl = yes
# line 14,15: specify the certificates (the same Let's Encrypt files used in main.cf; the leading < tells Dovecot to read the file)
ssl_cert = </etc/letsencrypt/live/mail.worldcm.tk/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.worldcm.tk/privkey.pem
[root@mail ~]# systemctl restart postfix dovecot
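As an added check (example code written for these notes, not part of the original or of Postfix/Dovecot), the script below parses main.cf, master.cf and Dovecot's 10-ssl.conf and flags the two things a reviewer would look for in the listings above: Postfix and Dovecot pointing at different /etc/letsencrypt/live/ directories, and a service that enables SASL AUTH without requiring TLS first (wrapper mode, smtpd_tls_security_level=encrypt or smtpd_tls_auth_only all count as requiring it). The config texts are constructed samples that mirror the listings, with a deliberate FQDN mismatch; on a server you would read the real files.

```python
import re
LIVE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/(fullchain|privkey)\.pem$")

def parse_kv(text):
    # 'key = value' lines (main.cf, 10-ssl.conf); Dovecot's leading '<' means 'read this file'
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().lstrip("<").strip() for k, v in pairs}

def parse_master(text):
    # master.cf: a service line, then indented '-o key=value' overrides for that service
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            cur = line.split()[0]
            services[cur] = {}
        elif cur and line.strip().startswith("-o "):
            k, v = line.strip()[3:].split("=", 1)
            services[cur][k] = v
    return services

def check(main_cf, master_cf, dovecot_ssl):
    main, findings, fqdns = parse_kv(main_cf), [], set()
    for name, cfg, keys in (("postfix", main, ("smtpd_tls_cert_file", "smtpd_tls_key_file")),
                            ("dovecot", parse_kv(dovecot_ssl), ("ssl_cert", "ssl_key"))):
        for key in keys:
            if m := LIVE.match(cfg.get(key, "")):
                fqdns.add(m.group(1))
            else:
                findings.append(f"{name}: {key} is not under /etc/letsencrypt/live/")
    if len(fqdns) > 1:
        findings.append("postfix and dovecot use different certs: " + ", ".join(sorted(fqdns)))
    for svc, opts in parse_master(master_cf).items():
        eff = {**main, **opts}  # a service's -o settings override main.cf
        if eff.get("smtpd_sasl_auth_enable") == "yes" and not (
                eff.get("smtpd_tls_wrappermode") == "yes" or eff.get("smtpd_tls_auth_only") == "yes"
                or eff.get("smtpd_tls_security_level") == "encrypt"):
            findings.append(f"{svc}: SASL AUTH enabled but TLS is not required before AUTH")
    return findings

# constructed samples mirroring the notes above; on a server read the real files instead
MAIN_CF = ("smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.tk/fullchain.pem\n"
           "smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.tk/privkey.pem\n")
MASTER_CF = """submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""
DOVECOT_SSL = ("ssl = yes\nssl_cert = </etc/letsencrypt/live/mail.srv.world/fullchain.pem\n"
               "ssl_key = </etc/letsencrypt/live/mail.srv.world/privkey.pem\n")
FINDINGS = check(MAIN_CF, MASTER_CF, DOVECOT_SSL)  # two warnings for the samples above
```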
Auto-Renew Let’s Encrypt SSL Certificate
Let's Encrypt certificates are valid for only 90 days. Usually the renewal process is carried out by the certbot package, which adds a renew script to the /etc/cron.d directory; the script runs twice daily and automatically renews any certificate within 30 days of expiry. (certbot-auto installed by hand, as above, does not add that script, which is why a crontab entry is set up in the next section.)
To test the auto-renewal process, do a dry run with certbot:
$ sudo /usr/local/bin/certbot-auto renew --dry-run
If no errors are reported, renewal will work when it is due.
This brings us to the end of this guide. In this guide, we demonstrated how you can use certbot to install and configure the Let's Encrypt certificate on an Apache web server running on a CentOS 8 system.
Setup Automatic Renewal (crontab)
[root@localhost ~]# echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
The entry runs twice a day; the random sleep of up to an hour spreads renewal attempts so they do not all reach the ACME servers at the same minute. /etc/crontab lines carry a user field (root), and the full path is needed because /usr/local/bin is not on cron's default PATH.
Setup Auto-renewal
We know that Let's Encrypt certificates are valid for 90 days, but renewing them is easy. Just run this command before the expiration date:
/usr/local/bin/certbot-auto renew
We can also set up a cron job to renew automatically. Open the crontab:
crontab -e
Then add this line (a per-user crontab has no user field; this runs every Monday at midnight):
0 0 * * 1 /usr/local/bin/certbot-auto renew >> /var/log/sslrenew.log
-----