Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP
$ crontab -e
This will open a text editor where you can add the following:
0 2 * * * /usr/bin/certbot renew --quiet
OLD: /etc/webmin/miniserv.pem
Private key file : /etc/letsencrypt/live/mail.worldcm.net/privkey.pem
Certificate file : /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
---------------------------------------XXX------------------------------------------------------
Either log out and back in or restart to update snap's paths.
Update snapd to the latest version.
$ snap install core; snap refresh core
With the EPEL repository added, install Certbot through snap:
$ snap install --classic certbot
Certbot automatically takes care of SSL certificate management and installation.
Specify a domain, and the current web server in use. In this example, the domain example.com is receiving a certificate:
$ certbot --apache -d example.com
If you require SSL for multiple domains, specify them using the following command, ensuring the first domain specified is the base domain:
$ certbot --apache -d example.com -d www.example.com
Let's Encrypt certificates are valid for 90 days and have to be manually renewed afterward. It's suggested to renew the certificates after 60 days though, to prevent potential issues. You can renew certificates by using the following command:
$ certbot renew
To enable automatic certificate renewal, create a new cronjob:
$ crontab -e
And then schedule the task to run every Monday at midnight:
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
-----------------------------XXX---------------------------------
In this tutorial, we will teach you how to install certbot, which is a tool for quick installation and automatic renewal of Let’s Encrypt certificates.
We need to install Certbot and enable the mod_ssl Apache module on the server. Certbot is a simple and easy-to-use tool that simplifies server management by automating the process of obtaining certificates and configuring web services to use them.
By default, the Certbot package is not available in the CentOS 7 default OS repository. We need to enable the EPEL repository, then install Certbot.
To add the EPEL repository run the following command:
$ yum install epel-release
Once enabled, install all the required packages with the following command:
$ yum install certbot python2-certbot-apache mod_ssl
Once installed, we can proceed to the next step.
Now that Certbot is installed, you can use it to obtain and install an SSL certificate for your domain.
Simply run the following command to obtain and install an SSL certificate for your domain:
$ certbot --apache -d domain.com
We can also install a single certificate for multiple domains and subdomains hosted on the server with the ‘-d’ flag, e.g.:
$ certbot --apache -d domain.com -d www.domain.com -d domain2.com -d test.domain2.com
We will be asked to provide an email address and agree to the terms of service.
-------------------
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@domain.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf
Here, you need to choose any one option to continue. If you choose option 1, it will only download an SSL certificate and you need to configure Apache manually to use the SSL certificate. If you choose option 2, it will automatically download and configure Apache to use the SSL certificate. In this case, choose option 2 and hit [Enter]. When the installation is successfully finished, you will see a message similar to this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com-0001/privkey.pem
   Your cert will expire on 2019-10-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The generated certificate files are available in the /etc/letsencrypt/live/domain.com directory. You can check the newly created SSL certificate with the following command:
ls /etc/letsencrypt/live/domain.com/
You should see the following output:
cert.pem chain.pem fullchain.pem privkey.pem
Open your web browser and type the URL https://domain.com. To check the SSL certificate in Chrome, click on the padlock icon in the address bar for https://domain.com and from the pop-up box, click on ‘Valid’ under the ‘Certificate’ prompt.
By default, Let’s Encrypt certificates are valid for 90 days, so it is recommended to renew the certificate before it expires. Ideally it would be best to automate the renewal process to periodically check and renew the certificate.
We can test the renewal process manually with the following command:
certbot renew --dry-run
The above command automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
We can also add a cronjob to automatically run the above command twice a day.
To do so, edit the crontab with the following command:
crontab -e
Add the following line:
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
Save and close the file.
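The renewal schedules in these notes differ (daily at 02:00, weekly on Monday, twice a day), and a cron line is easy to get wrong in two ways: a `*` in the minute field fires every minute of the matching hours, and a `crontab -e` entry has no user column, so a stray `root` token becomes the command itself. The following script, an added example for these notes and not code from certbot or any of the quoted tutorials, expands the minute and hour fields to count how often a schedule fires per day and flags both mistakes. The sample lines are constructed.

```python
"""Check renewal cron lines for a per-user crontab: how often each schedule
fires per day and whether the line is valid for `crontab -e`.
Added example for these notes, not code from certbot or any quoted tutorial;
the sample lines below are constructed."""

from __future__ import annotations


def expand_field(field: str, low: int, high: int) -> set[int]:
    """Expand one cron field (`*`, `*/n`, `a-b`, `a-b/n`, `a,b,c`) into the
    set of integer values it matches within [low, high]."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"cron field {field!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def runs_per_day(schedule: str) -> int:
    """How many times a five-field schedule fires on a day that matches its
    day-of-month, month and day-of-week fields (a Monday for `0 0 * * 1`)."""
    fields = schedule.split()
    if len(fields) < 5:
        raise ValueError("a cron schedule needs five fields")
    minutes = expand_field(fields[0], 0, 59)
    hours = expand_field(fields[1], 0, 23)
    return len(minutes) * len(hours)


def check_user_crontab_line(line: str) -> dict:
    """Split a `crontab -e` line into schedule and command and report problems.
    Per-user crontabs have no user column: a sixth token such as `root`
    (copied from /etc/crontab syntax) is executed as the command and fails."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("expected five schedule fields followed by a command")
    schedule, command = " ".join(fields[:5]), " ".join(fields[5:])
    warnings: list[str] = []
    if not command.startswith("/"):
        warnings.append(
            f"command begins with {fields[5]!r}, not an absolute path; in a "
            "per-user crontab that token is run as the command, not used as a user"
        )
    runs = runs_per_day(schedule)
    if runs > 24:
        warnings.append(
            f"schedule fires {runs} times a day; certbot renew only needs to run "
            "once or twice daily and itself skips certificates that are not due"
        )
    return {"schedule": schedule, "command": command,
            "runs_per_day": runs, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample lines: the daily and weekly schedules from the notes,
    # a common mistaken twice-a-day form (user column plus `*` minute field),
    # and the corrected twice-a-day form.
    SAMPLE_LINES = [
        "0 2 * * * /usr/bin/certbot renew --quiet",
        "0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log",
        "* */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1",
        "0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1",
    ]
    for sample in SAMPLE_LINES:
        report = check_user_crontab_line(sample)
        status = "OK" if not report["warnings"] else "; ".join(report["warnings"])
        print(f"{report['runs_per_day']:>4}/day  {sample}\n          {status}")
```

Running it shows the mistaken form firing 120 times a day with a command that cannot start, while the corrected line fires twice and is accepted without warnings.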
Congratulations! We have successfully installed and configured Let’s Encrypt with Apache on a CentOS 7 VPS or cloud server.
-------------------------------XXXXXXXX---------------------------------------------
When we configure a desktop email client, enabling encryption is always a good idea. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install the Let’s Encrypt client (certbot) from the EPEL repository.
Rocky Linux 9/Alma Linux 9
sudo dnf install epel-release -y
sudo dnf install certbot -y
RHEL 9
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf install certbot -y
If you don’t have a web server running yet, I recommend you install one (Apache or Nginx), because it’s easier to obtain and install a TLS certificate with a web server than using other methods. And in a later tutorial, I will show you how to set up webmail, which requires running a web server.
Note that your Rocky Linux 9/Alma Linux 9 server might ship with Apache web server by default.
If you prefer Apache, run the following command to install it.
sudo dnf install httpd -y
Start Apache and enable auto-start at boot time.
sudo systemctl start httpd
sudo systemctl enable httpd
Install the Certbot Apache plugin.
sudo dnf install python3-certbot-apache -y
If you prefer Nginx, run the following command to install it.
sudo dnf install nginx -y
Start Nginx and enable auto-start at boot time.
sudo systemctl start nginx
sudo systemctl enable nginx
Install the Certbot Nginx plugin.
sudo dnf install python3-certbot-nginx -y
You need to have an Apache virtual host for mail.your-domain.com before obtaining a Let’s Encrypt TLS certificate. Create the virtual host file:
sudo nano /etc/httpd/conf.d/mail.your-domain.com.conf
Then paste the following text into the file.
<VirtualHost *:80>
    ServerName mail.your-domain.com
</VirtualHost>
Save and close the file. Reload Apache for the changes to take effect.
sudo systemctl reload httpd
Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt TLS certificate.
sudo certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com
After a while, you should see the following lines, which mean the certificate was successfully obtained. You can also see the directory under which your cert is stored.
You need to have an Nginx virtual host for mail.your-domain.com before obtaining a Let’s Encrypt TLS certificate. Create the virtual host file:
sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf
Next, paste the following text into the file.
server {
    listen 80;
    listen [::]:80;
    server_name mail.your-domain.com;
}
Save and close the file. Reload Nginx for the changes to take effect.
systemctl reload nginx
Once the virtual host is created and enabled, run the following command to obtain a Let’s Encrypt certificate with the Nginx plugin.
certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com
After a while, you should see the following, which means the certificate was successfully obtained. You can also see the directory under which your cert is stored.
To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to the Postfix SMTP server. Edit the master.cf file.
vi /etc/postfix/master.cf
In the submission section, uncomment or add the following lines. Please allow at least one whitespace character (tab or space) before each -o. In Postfix configuration files, a leading whitespace character means that the line is a continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
The above configuration enables the submission daemon of Postfix and requires TLS encryption, so later on our desktop email client can connect to the submission daemon with TLS encryption. The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between the email client and the submission daemon.
Microsoft Outlook only supports submission over port 465. If you are going to use the Microsoft Outlook mail client, then you also need to enable the submission service on port 465 by adding the following lines to the file.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
Save and close the file.
Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.
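The continuation rule described above (a line starting with whitespace belongs to the previous service entry) is what makes the `-o` overrides attach to the right service, and the overrides are what make the submission ports safe: mandatory TLS before SASL login, relaying limited to authenticated clients, and a distinct syslog name so submission activity can be told apart in the mail log. The following script, an added example for these notes and not Postfix code or part of the tutorial, parses master.cf stanzas using that rule and audits every SASL-enabled inet service for those three settings. The master.cf excerpt is constructed from the stanzas above plus a deliberately weak service on port 2587 to show what gets flagged.

```python
"""Parse Postfix master.cf service stanzas (a line beginning with whitespace
continues the previous service's command line) and audit the client
submission services for mandatory TLS, relay restrictions and a syslog_name.
Added example for these notes, not Postfix code; the excerpt is constructed."""

from __future__ import annotations

# Constructed excerpt: the two stanzas from the tutorial plus a deliberately
# weak service on port 2587 that makes TLS optional and inherits main.cf relay rules.
CONSTRUCTED_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
2587      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""


def parse_master_cf(text: str) -> dict[str, dict]:
    """Return {"name/type": {...}} for every service.  Continuation lines are
    appended to the service's argument list, then `-o key=value` pairs are
    collected into `overrides` (quoted `{ ... }` values are not handled)."""
    services: dict[str, dict] = {}
    current: dict | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # leading whitespace: continues the previous line
            if current is None:
                raise ValueError("continuation line before any service line")
            current["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        name, stype, _private, _unpriv, chroot, _wakeup, _maxproc = fields[:7]
        current = {"type": stype, "chroot": chroot, "command": fields[7],
                   "args": fields[8:], "overrides": {}}
        services[f"{name}/{stype}"] = current
    for svc in services.values():
        args = svc["args"]
        for i in range(len(args) - 1):
            if args[i] == "-o":
                key, _, value = args[i + 1].partition("=")
                svc["overrides"][key] = value
    return services


def audit_submission(services: dict[str, dict]) -> dict[str, list[str]]:
    """Findings for every inet service that accepts SASL logins; an empty
    list means the service matches the settings the tutorial relies on."""
    findings: dict[str, list[str]] = {}
    for key, svc in services.items():
        o = svc["overrides"]
        if svc["type"] != "inet" or o.get("smtpd_sasl_auth_enable") != "yes":
            continue
        issues: list[str] = []
        # STARTTLS is mandatory with security_level=encrypt; wrapper mode
        # (port 465) is TLS from the first byte, so either one is acceptable.
        tls_forced = (o.get("smtpd_tls_security_level") == "encrypt"
                      or o.get("smtpd_tls_wrappermode") == "yes")
        if not tls_forced:
            issues.append("SASL login allowed without mandatory TLS; "
                          "passwords could be sent in clear text")
        relay = o.get("smtpd_relay_restrictions", "").split(",")
        if relay != ["permit_sasl_authenticated", "reject"]:
            issues.append("smtpd_relay_restrictions differs from "
                          "permit_sasl_authenticated,reject")
        if not o.get("syslog_name"):
            issues.append("no syslog_name override; submission activity is "
                          "indistinguishable from port-25 smtpd in the mail log")
        findings[key] = issues
    return findings


if __name__ == "__main__":
    for key, issues in audit_submission(parse_master_cf(CONSTRUCTED_MASTER_CF)).items():
        print(f"{key}: {'OK' if not issues else '; '.join(issues)}")
```

The port-25 `smtp` service is skipped because it has no SASL override, `submission` and `smtps` pass, and the constructed port-2587 service is reported on all three points. Pointing the script at a real `/etc/postfix/master.cf` only needs `parse_master_cf(open(path).read())`.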
Next, we need to run the following two commands to specify the location of the TLS certificate and private key in the Postfix configuration file. Your Let’s Encrypt certificate and private key are stored under the /etc/letsencrypt/live/mail.your-domain.com/ directory.
postconf "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem"
postconf "smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem"
If you want to log TLS connections in the mail log (/var/log/maillog), then run the following two commands.
postconf "smtpd_tls_loglevel = 1"
postconf "smtp_tls_loglevel = 1"
To disable insecure SSL/TLS versions, open the Postfix main configuration file.
sudo nano /etc/postfix/main.cf
Add the following lines at the bottom of the file. (In Nano text editor, you can quickly go to the bottom of a file by pressing Ctrl+W, then Ctrl+V.)
Save and close the file. Then reload Postfix for the changes to take effect.
sudo systemctl restart postfix
If you run the following command, you will see that Postfix is now listening on ports 587 and 465.
sudo ss -lnpt | grep master