Let's Encrypt
Get SSL Certificates (Let's Encrypt)
# yum --enablerepo=epel -y install certbot
# yum -y install certbot python2-certbot-apache mod_ssl
# certbot certonly --webroot -w /var/www/html -d www.worldcm.net
----------------web site-------------------
# on first use only, register your email address and agree to the terms of use
# specify a valid email address
(Enter 'c' to cancel): root@mail.worldcm.net
# agree to the terms of use
(A)gree/(C)ancel: A
# answer Yes or No
(Y)es/(N)o: Y
-------------------Mail Server----------------------------
# certbot certonly --standalone -d mail.worldcm.net
# renews all certs that have less than 30 days left before expiration
# to renew certs that still have more than 30 days left, add the [--force-renew] option
[root@www ~]# certbot renew
# test the renewal without changing any certificate:
# certbot renew --dry-run
# yum install python-certbot-apache
# vi /etc/httpd/conf.d/worldcm.net.conf ---------------------
# vi /etc/httpd/conf.d/mail.your-domain.com.conf
------------No SSL---------------
<VirtualHost *:80>
    ServerName mail.your-domain.com
    DocumentRoot /var/www/html/
</VirtualHost>
----------------------------
-------SSL--------
<VirtualHost *:80>
    ServerName mail.worldcm.net
    DocumentRoot /var/www/html
    ServerAlias mail.worldcm.net
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.worldcm.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
------------------------------
---------------
# certbot --apache -d mail.worldcm.net
# systemctl reload httpd
# systemctl restart httpd.service
[root@mail ~]# ls -al /etc/letsencrypt/live/mail.worldcm.net/
total 4
drwxr-xr-x 2 root root 117 Oct 18 16:25 .
drwx------ 3 root root  60 Oct 18 16:25 ..
lrwxrwxrwx 1 root root  44 Oct 18 16:25 cert.pem -> ../../archive/mail.worldcm.net/cert1.pem
lrwxrwxrwx 1 root root  45 Oct 18 16:25 chain.pem -> ../../archive/mail.worldcm.net/chain1.pem
lrwxrwxrwx 1 root root  49 Oct 18 16:25 fullchain.pem -> ../../archive/mail.worldcm.net/fullchain1.pem
lrwxrwxrwx 1 root root  47 Oct 18 16:25 privkey.pem -> ../../archive/mail.worldcm.net/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 18 16:25 README
# vi /etc/postfix/main.cf
## SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# vi /etc/postfix/master.cf
# line 16,17,19: uncomment
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  (left commented here: without it STARTTLS on port 587 is offered but not required)
  -o smtpd_sasl_auth_enable=yes
# line 26-28: uncomment
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change
ssl = yes
# line 14,15: specify certificates (replace with your own); key and cert must come from the same live/ directory
ssl_cert = </etc/letsencrypt/live/mail.worldcm.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.worldcm.net/privkey.pem
# line 51: uncomment and add
ssl_protocols = !SSLv2 !SSLv3
# certbot renew --dry-run
# OR
# certbot renew
# crontab -e
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
To run the certbot command at 2:00 am every day:
$ crontab -e
This will open a text editor where you can add the following:
0 2 * * * /usr/bin/certbot renew --quiet
# systemctl restart postfix dovecot
----------------------------
---------------------------------------XXX------------------------------------------------------
add the following lines into: vi /etc/httpd/conf.d/ssl.conf:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Save the changes and exit.
Run the following command to do a syntax check:
httpd -t
Cron: use
# crontab -e
Create the cron entry, such as the following, in your chosen method:
0 3 * * 0 /usr/bin/certbot renew
Configuring automatic certificate renewal
# crontab -e
00 08 * * * /usr/bin/certbot renew --post-hook "systemctl restart postfix && systemctl restart dovecot"
----------------XXX-------------------
Install a Let's Encrypt SSL/TLS Certificate on CentOS 7 with Apache Web Server
install Snap
The current recommended method of installing Certbot is through the snap package manager. To install the snap package manager through Yum, you must install the Extra Packages for Enterprise Linux (EPEL) repository, as snap is not present within the default CentOS repositories.
$ yum install epel-release
With the EPEL repository added to your CentOS repositories, install the snapd package:
$ yum install snapd
After you've installed the snapd package, it is necessary to enable it through the system service manager:
$ systemctl enable --now snapd.socket
Create a system link to enable support for classic snaps:
$ ln -s /var/lib/snapd/snap /snap
Either log out and back in or restart to update snap's paths.
Update snapd to the latest version.
$ snap install core; snap refresh core
Install Certbot
With the EPEL repository added, install Certbot through snap:
$ snap install --classic certbot
Get SSL Certificate
Certbot automatically takes care of SSL certificate management and installation.
Specify a domain, and the current web server in use. In this example, the domain example.com is receiving a certificate:
$ certbot --apache -d example.com
If you require SSL for multiple domains, specify them using the following command, ensuring the first domain specified is the base domain:
$ certbot --apache -d example.com -d www.example.com
Enabling Automatic Certificate Renewal
Let's Encrypt certificates are valid for 90 days and have to be manually renewed afterward. It's suggested to renew the certificates after 60 days though, to prevent potential issues. You can renew certificates by using the following command:
$ certbot renew
To enable automatic certification renewal, create a new cronjob:
$ crontab -e
And then schedule the task to run every Monday at midnight:
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
-----------------------------XXX---------------------------------
INSTALL AND CONFIGURE CERTBOT ON APACHE & CENTOS
In this tutorial, we will teach you how to install certbot, which is a tool for quick installation and automatic renewal of Let’s Encrypt certificates.
1) Install Certbot
We need to install Certbot and enable the mod_ssl Apache module on the server. Certbot is a simple and easy to use tool that simplifies server management by automating obtaining certificates and configuring web services to use them.
By default, Certbot package is not available in the CentOS 7 default OS repository. We need to enable the EPEL repository, then install Certbot.
To add the EPEL repository run the following command:
$ yum install epel-release
Once enabled, install all the required packages with the following command:
$ yum install certbot python2-certbot-apache mod_ssl
Once installed, we can proceed to the next step.
2) Obtain and Install SSL for Your Domain
Now that Certbot is installed, you can use it to obtain and install an SSL certificate for your domain.
Simply run the following command to obtain and install an SSL certificate for your domain:
$ certbot --apache -d domain.com
We can also install a single certificate for multiple domains and subdomains hosted on the server with the ‘-d’ flag, e.g.:
$ certbot --apache -d domain.com -d www.domain.com -d domain2.com -d test.domain2.com
We will be asked to provide an email address and agree to the terms of service.
-------------------
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@domain.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf
-------------------
Type Y and hit [Enter], and you should see the following output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Here, you need to choose one option to continue. If you choose option 1, Certbot only downloads the SSL certificate and you need to configure Apache manually to use it. If you choose option 2, Certbot downloads the certificate and automatically configures Apache to use it. In this case, choose option 2 and hit [Enter]. When the installation finishes successfully, you will see a message similar to this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com-0001/privkey.pem
   Your cert will expire on 2019-10-22. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your certificates,
   run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The generated certificate files are available in the /etc/letsencrypt/live/domain.com directory. You can check the newly created SSL certificate with the following command:
ls /etc/letsencrypt/live/domain.com/
You should see the following output:
cert.pem chain.pem fullchain.pem privkey.pem
3) Check Your SSL Certificate
Open your web browser and type the URL https://domain.com. To check the SSL certificate in Chrome, click on the padlock icon in the address bar for https://domain.com and from the pop-up box, click on ‘Valid’ under the ‘Certificate’ prompt.
4) Set up Automatic Renewal
By default, Let’s Encrypt certificates are valid for 90 days, so it is recommended to renew the certificate before it expires. Ideally it would be best to automate the renewal process to periodically check and renew the certificate.
We can test the renewal process manually with the following command.
certbot renew --dry-run
The above command checks the currently installed certificates and tries to renew any that are less than 30 days away from their expiration date.
We can also add a cronjob to automatically run the above command twice a day.
To do so, edit the crontab with the following command:
crontab -e
Add the following line:
# every 12 hours, at minute 0 (a user crontab edited with crontab -e has no user-name field)
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
Save and close the file.
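The renewal cron entries in this section and in the earlier notes (the 30-day renewal window, and the --post-hook that restarts Postfix and Dovecot) leave one gap: a restart is issued without checking that what is in the live/ directory is usable. The script below is an added example, not code from any of the tutorials quoted on this page. It checks whether a certificate is inside certbot's 30-day window, that privkey.pem really belongs to fullchain.pem, and that the certificate's subjectAltName covers the mail host name, and only restarts the mail services when RUN_RESTART=1 is set, so it can also be run as a plain audit. It assumes openssl 1.1.1 or newer on PATH; the RUN_RESTART variable, the function names and the self-signed test material are this example's own, only the live/ layout (fullchain.pem, privkey.pem) and the RENEWED_LINEAGE variable are certbot's.

```shell
#!/bin/sh
# Added example: pre-restart sanity checks for a certbot live/ directory.
# Assumes openssl >= 1.1.1. RUN_RESTART, the function names and the
# self-signed test material are assumptions of this example.

RENEW_WINDOW_DAYS=30   # certbot renews when fewer than 30 days remain

# renewal_due DIR -> exit 0 when fullchain.pem expires within the window
renewal_due() {
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now
    if openssl x509 -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) \
            -in "$1/fullchain.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert DIR -> exit 0 when privkey.pem is the private key of
# fullchain.pem (compares the public key derived from each file)
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$1/privkey.pem" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_name DIR NAME -> exit 0 when NAME is listed in subjectAltName
# (NAME is used as a regex, so a "." matches any character; fine for host names)
cert_covers_name() {
    openssl x509 -noout -text -in "$1/fullchain.pem" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|$)"
}

# deploy_hook DIR NAME -> run all checks; restart the mail services only when
# RUN_RESTART=1, otherwise just report
deploy_hook() {
    dir=$1; name=$2
    key_matches_cert "$dir" || { echo "FAIL: privkey.pem does not match fullchain.pem in $dir" >&2; return 1; }
    cert_covers_name "$dir" "$name" || { echo "FAIL: certificate in $dir does not cover $name" >&2; return 1; }
    if renewal_due "$dir"; then
        echo "WARN: certificate in $dir expires within $RENEW_WINDOW_DAYS days"
    fi
    if [ "${RUN_RESTART:-0}" = 1 ]; then
        systemctl restart postfix dovecot
    else
        echo "OK: checks passed for $dir (set RUN_RESTART=1 to restart postfix and dovecot)"
    fi
}

# make_test_cert DIR DAYS NAME -> constructed self-signed test material laid out
# like a certbot live/ directory (for trying the checks offline; not a real chain)
make_test_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" -days "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}

# As a certbot deploy hook: certbot exports RENEWED_LINEAGE, the live/ directory
# of the certificate that was just renewed (its basename is the lineage name,
# which equals the host name unless certbot added a -0001 style suffix).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")"
elif [ "$#" -eq 2 ]; then
    deploy_hook "$1" "$2"
fi
```

Saved as, say, /usr/local/bin/le-mail-check (an assumed path), it can replace the bare restart in the cron line above: `certbot renew --deploy-hook "RUN_RESTART=1 /usr/local/bin/le-mail-check"`, so Postfix and Dovecot are only restarted after a renewal that produced a matching key and certificate. Unlike --post-hook, --deploy-hook runs only when a certificate was actually renewed.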
Congratulations! We have successfully installed and configured Let's Encrypt with Apache on a CentOS 7 VPS or cloud server.
-------------------------------XXXXXXXX---------------------------------------------
Securing Email Server Traffic with a TLS Certificate
When we configure a desktop email client, enabling encryption is always a good idea. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install Let’s Encrypt client (certbot) from the EPEL repository.
Rocky Linux 9/Alma Linux 9
sudo dnf install epel-release -y
sudo dnf install certbot -y
RHEL 9
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf install certbot -y
If you don't have a web server running yet, I recommend you install one (Apache or Nginx), because it's easier to obtain and install a TLS certificate with a web server than with other methods. And in a later tutorial, I will show you how to set up webmail, which requires a running web server.
Note that your Rocky Linux 9/Alma Linux 9 server might ship with Apache web server by default.
Apache
If you prefer Apache, run the following command to install it.
sudo dnf install httpd -y
Start Apache and enable auto-start at boot time.
sudo systemctl start httpd
sudo systemctl enable httpd
Install the Certbot Apache plugin.
sudo dnf install python3-certbot-apache -y
Nginx
If you prefer Nginx, run the following command to install it.
sudo dnf install nginx -y
Start Nginx and enable auto-start at boot time.
sudo systemctl start nginx
sudo systemctl enable nginx
Install the Certbot Nginx plugin.
sudo dnf install python3-certbot-nginx -y
Obtaining TLS Certificate with Apache Web Server
You need to have an Apache virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:
sudo nano /etc/httpd/conf.d/mail.your-domain.com.conf
Then paste the following text into the file.
<VirtualHost *:80>
    ServerName mail.your-domain.com
    DocumentRoot /var/www/html/
</VirtualHost>
Save and close the file. Reload Apache for the changes to take effect.
sudo systemctl reload httpd
Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt TLS certificate.
sudo certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com
After a while, you should see the following lines which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.
Obtaining TLS Certificate with Nginx Web Server
You need to have an Nginx virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:
sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf
Next, paste the following text into the file.
server {
    listen 80;
    listen [::]:80;
    server_name mail.your-domain.com;
    root /usr/share/nginx/html/;

    location ~ /.well-known/acme-challenge {
        allow all;
    }
}
----------------------------------------------
Save and close the file. Reload Nginx for the changes to take effect.
sudo systemctl reload nginx
Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate with Nginx plugin.
sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com
After a while, you should see the following which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.
Enabling Submission Service in Postfix
To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to Postfix SMTP server. Edit the master.cf file.
sudo nano /etc/postfix/master.cf
In submission section, uncomment or add the following lines. Please allow at least one whitespace (tab or spacebar) before each -o. In postfix configurations, a preceding whitespace character means that this line is continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
The above configuration enables the Postfix submission daemon and requires TLS encryption, so our desktop email client can later connect to the submission daemon over TLS. The submission daemon listens on TCP port 587; STARTTLS is used to encrypt communications between the email client and the submission daemon.
Microsoft Outlook only supports submission over port 465. If you are going to use the Microsoft Outlook mail client, you also need to enable the submission service on port 465 by adding the following lines to the file.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
Save and close the file.
Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.
Next, we need to run the following two commands to specify the location of TLS certificate and private key in Postfix configuration file. Your Let’s Encrypt certificate and private key are stored under /etc/letsencrypt/live/mail.your-domain.com/ directory.
sudo postconf "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem"
sudo postconf "smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem"
If you want to log TLS connections in the mail log (/var/log/maillog), then run the following two commands.
sudo postconf "smtpd_tls_loglevel = 1"
sudo postconf "smtp_tls_loglevel = 1"
To disable insecure SSL/TLS versions, open the Postfix main configuration file.
sudo nano /etc/postfix/main.cf
Add the following lines at the bottom of the file. (In Nano text editor, you can quickly go to the bottom of a file by pressing Ctrl+W, then Ctrl+V.)
#Force TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
Save and close the file. Then reload Postfix for the changes to take effect.
sudo systemctl restart postfix
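The protocol lines just added differ from the older notes at the top of this page, which only exclude SSLv2 and SSLv3 and so still allow TLSv1 and TLSv1.1, and the older master.cf there leaves smtpd_tls_security_level=encrypt commented out on the submission service. The script below is an added example, not part of this tutorial: an offline audit that reads a main.cf-style file and checks that each of the four protocol settings shuts out SSLv2, SSLv3, TLSv1 and TLSv1.1 (either with the "!" exclusions used here or with the newer ">=TLSv1.2" form), and reads a master.cf to check that the submission service has an active "-o smtpd_tls_security_level=encrypt" continuation line, honouring the rule above that a leading whitespace marks a continuation and a leading "#" disables it. The function names and the sample config files are this example's own; the sample contents are the weak settings from the older notes beside the hardened ones from this section.

```shell
#!/bin/sh
# Added example: offline audit of Postfix TLS settings. Function names and the
# constructed sample files below are assumptions of this example.

# config_value FILE KEY -> prints KEY's value from a main.cf-style file
config_value() {
    awk -v k="$2" 'BEGIN { FS = "=" }
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == k) { v = $2; sub(/^[ \t]+/, "", v); print v; exit } }' "$1"
}

# excludes_legacy VALUE -> exit 0 when VALUE disables SSLv2, SSLv3, TLSv1 and
# TLSv1.1, either by explicit "!" exclusions or by the ">=TLSv1.2" form
excludes_legacy() {
    case "$1" in
        ">=TLSv1.2"*|">=TLSv1.3"*) return 0 ;;
    esac
    for proto in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        found=0
        for tok in $(printf '%s' "$1" | tr ',' ' '); do
            if [ "$tok" = "!$proto" ]; then found=1; fi
        done
        [ "$found" = 1 ] || return 1
    done
    return 0
}

# tls_policy_ok MAINCF -> exit 0 when all four protocol settings are strict;
# an unset key is reported as weak because the Postfix default then applies
tls_policy_ok() {
    status=0
    for key in smtpd_tls_mandatory_protocols smtpd_tls_protocols \
               smtp_tls_mandatory_protocols smtp_tls_protocols; do
        value=$(config_value "$1" "$key")
        if excludes_legacy "$value"; then
            echo "ok    $key = $value"
        else
            echo "WEAK  $key = ${value:-<unset>}"
            status=1
        fi
    done
    return $status
}

# submission_requires_tls MASTERCF -> exit 0 when the submission service has an
# uncommented "-o smtpd_tls_security_level=encrypt" continuation line
submission_requires_tls() {
    awk 'BEGIN { in_sub = 0; found = 0 }
         /^[ \t]*#/ { next }                      # commented line: ignored
         /^submission[ \t]/ { in_sub = 1; next }   # start of the submission service
         in_sub && /^[ \t]/ {                      # continuation line of that service
             if ($0 ~ /-o[ \t]+smtpd_tls_security_level=encrypt/) found = 1
             next
         }
         in_sub { in_sub = 0 }                     # next service entry begins
         END { exit found ? 0 : 1 }' "$1"
}

# write_samples DIR -> constructed sample files: the weak settings from the
# older notes on this page beside the hardened ones from this section
write_samples() {
    mkdir -p "$1"
    printf '%s\n' 'smtpd_use_tls = yes' \
        'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3' \
        'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3' > "$1/main.cf.weak"
    printf '%s\n' '#Force TLSv1.3 or TLSv1.2' \
        'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
        'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
        'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' \
        'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1' > "$1/main.cf.strong"
    printf '%s\n' 'submission inet n       -       n       -       -       smtpd' \
        '  -o syslog_name=postfix/submission' \
        '#  -o smtpd_tls_security_level=encrypt' \
        '  -o smtpd_sasl_auth_enable=yes' > "$1/master.cf.weak"
    printf '%s\n' 'submission inet n       -       y       -       -       smtpd' \
        '  -o syslog_name=postfix/submission' \
        '  -o smtpd_tls_security_level=encrypt' \
        '  -o smtpd_sasl_auth_enable=yes' \
        'smtps     inet  n       -       y       -       -       smtpd' \
        '  -o smtpd_tls_wrappermode=yes' > "$1/master.cf.strong"
}

# On a real server: le-postfix-audit /etc/postfix/main.cf /etc/postfix/master.cf
if [ "$#" -eq 2 ]; then
    tls_policy_ok "$1" || echo "main.cf still allows legacy protocols" >&2
    submission_requires_tls "$2" && echo "submission requires TLS" \
        || echo "submission does not require TLS" >&2
fi
```

The audit reads the files, not the running daemon, so on a live server run it against `postconf -n` output only if that output is first saved to a file; reading /etc/postfix/main.cf directly is the simpler check and matches what this section edits.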
If you run the following command, you will see that Postfix is now listening on ports 587 and 465.
sudo ss -lnpt | grep master