Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP

Let's Encrypt

Get SSL Certificates (Let's Encrypt)

# yum --enablerepo=epel -y install certbot# yum -y install certbot python2-certbot-apache mod_ssl

# certbot certonly --webroot -w /var/www/html -d www.worldcm.net
                                ----------------web site-------------------
# for only initial using, register your email address and agree to terms of use# specify valid email address(Enter 'c' to cancel): root@mail.worldcm.net
# agree to the terms of use(A)gree/(C)ancel: A
# answer Yes or No(Y)es/(N)o: Y
                  -------------------Mail Server----------------------------
# certbot certonly --standalone -d mail.worldcm.net
# update all certs which has less than 30 days expiration# if you'd like to update certs which has more than 30 days expiration, add [--force-renew] option
[root@www ~]# certbot renew            # certbot renew --dry-run

# yum install python-certbot-apache

# vi /etc/httpd/conf.d/worldcm.net.conf                  ---------------------

# vi /etc/httpd/conf.d/mail.your-domain.com.conf
------------No SSL---------------<VirtualHost *:80>                ServerName mail.your-domain.com
        DocumentRoot /var/www/html/</VirtualHost>----------------------------

          -------SSL--------<VirtualHost *:80>    ServerName mail.worldcm.net    DocumentRoot /var/www/html    ServerAlias mail.worldcm.net    ErrorLog /var/www/error.log    CustomLog /var/www/requests.log combinedRewriteEngine onRewriteCond %{SERVER_NAME} =mail.worldcm.net [OR]RewriteCond %{SERVER_NAME} =mail.worldcm.netRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]</VirtualHost>                  ------------------------------

<VirtualHost *:80>    ServerName mail.worldcm.net    DocumentRoot /var/www/html    ServerAlias mail.worldcm.net    ErrorLog /var/www/error.log    CustomLog /var/www/requests.log combinedRewriteEngine onRewriteCond %{SERVER_NAME} =mail.worldcm.netRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]</VirtualHost>

---------------
# certbot --apache -d mail.worldcm.net

# systemctl reload httpd
# systemctl restart httpd.service

[root@mail ~]# ls -al /etc/letsencrypt/live/mail.worldcm.net/total 4drwxr-xr-x 2 root root 117 Oct 18 16:25 .drwx------ 3 root root 60 Oct 18 16:25 ..lrwxrwxrwx 1 root root 44 Oct 18 16:25 cert.pem -> ../../archive/mail.worldcm.net/cert1.pemlrwxrwxrwx 1 root root 45 Oct 18 16:25 chain.pem -> ../../archive/mail.worldcm.net/chain1.pemlrwxrwxrwx 1 root root 49 Oct 18 16:25 fullchain.pem -> ../../archive/mail.worldcm.net/fullchain1.pemlrwxrwxrwx 1 root root 47 Oct 18 16:25 privkey.pem -> ../../archive/mail.worldcm.net/privkey1.pem-rw-r--r-- 1 root root 692 Oct 18 16:25 README      # vi /etc/postfix/main.cf

##SASLsmtpd_sasl_auth_enable = yessmtpd_sasl_type = dovecotsmtpd_sasl_path = private/authsmtpd_sasl_security_options = noanonymousbroken_sasl_auth_clients = yessmtpd_sasl_authenticated_header = yes
smtpd_use_tls = yessmtp_tls_mandatory_protocols = !SSLv2, !SSLv3smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3smtpd_tls_cert_file = /etc/letsencrypt/live/mail.worldcm.net/fullchain.pemsmtpd_tls_key_file = /etc/letsencrypt/live/mail.worldcm.net/privkey.pemsmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# vi /etc/postfix/master.cf
# line 16,17,19: uncommentsubmission inet n - n - - smtpd  -o syslog_name=postfix/submission# -o smtpd_tls_security_level=encrypt  -o smtpd_sasl_auth_enable=yes
# line 26-28: uncommentsmtps inet n - n - - smtpd  -o syslog_name=postfix/smtps  -o smtpd_tls_wrappermode=yes    # vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: changessl = yes# line 14,15: specify sertificates (replace to your own one)ssl_cert = </etc/letsencrypt/live/mail.worldcm.net/fullchain.pemssl_key = </etc/letsencrypt/live/mail.srv.worldcm.net/privkey.pem# line 51: uncomment and addssl_protocols = !SSLv2 !SSLv3

# certbot renew --dry-run          OR# certbot renew
# crontab -e
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log

the certbot command at 2:00 am, every day

$ crontab -e

This will open a text editor where you can add the following:

0 2 * * * /usr/bin/certbot renew --quiet

# systemctl restart postfix dovecot
-------------Webmin---------------
Webmin - SSL Encryption

OLD: /etc/webmin/miniserv.pem

Private key file : /etc/letsencrypt/live/mail.worldcm.net/privkey.pem

Certificate file : /etc/letsencrypt/live/mail.worldcm.net/fullchain.pem

---------------------------------------XXX------------------------------------------------------

add the following lines into: vi /etc/httpd/conf.d/ssl.conf:
SSLEngine onSSLCertificateFile /etc/letsencrypt/live/example.com/cert.pemSSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pemSSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Save the changes and exit.
Run the following commmand to do a syntax check:
httpd -t

Cron: use# crontab -e
Create the cron entry, such as the following, in your chosen method:
0 3 * * 0 /usr/bin/certbot renew

Configuring automatic certificate renewal
# crontab -e00 08 * * * /usr/bin/certbot renew --post-hook "systemctl restart postfix && systemctl restart dovecot"

----------------XXX-------------------

Install a Let's Encrypt SSL/TLS Certificate on CentOS 7 with Apache Web Server

installing Certbot is through the snap package manager. To install the snap package manager through Yum, you must install the Extra Packages for Enterprise Linux (EPEL) repository, as snap is not present within the default CentOS

install Snap

The current recommended method of installing Certbot is through the snap package manager. To install the snap package manager through Yum, you must install the Extra Packages for Enterprise Linux (EPEL) repository, as snap is not present within the default CentOS repositories.$ yum install epel-release
With the EPEL repository added to your CentOS repositories, install the snapd package:
$ yum install snapd
After you've installed the snapd package, it is necessary to enable it through the system service manager:
$ systemctl enable --now snapd.socket
Create a system link to enable support for classic snaps:
$ ln -s /var/lib/snapd/snap /snap

Either log out and back in or restart to update snap's paths.
Update snapd to the latest version.
$ snap install core; snap refresh core

Install Certbot

With the EPEL repository added, install Certbot through snap:

$ snap install --classic certbot

Get SSL Certificate

Certbot automatically takes care of SSL certificate management and installation.

Specify a domain, and the current web server in use. In this example, the domain example.com is receiving a certificate:

$ certbot --apache -d example.com

If you require SSL for multiple domains, specify them using the following command, ensuring the first domain specified is the base domain:

$ certbot --apache -d example.com -d www.example.com

Enabling Automatic Certificate Renewal

Let's Encrypt certificates are valid for 90 days and have to be manually renewed afterward. It's suggested to renew the certificates after 60 days though, to prevent potential issues. You can renew certificates by using the following command:

$ certbot renew

To enable automatic certification renewal, create a new cronjob:

$ crontab -e

And then schedule the task to run every Monday at midnight:

0 0 * * 1 / usr / bin / certbot renew >> /var/log/sslrenew.log

-----------------------------XXX---------------------------------

INSTALL AND CONFIGURE CERTBOT ON APACHE & CENTOS

In this tutorial, we will teach you how to install certbot, which is a tool for quick installation and automatic renewal of Let’s Encrypt certificates.

1) Install Certbot

We need to install Certbot and enable the mod_ssl Apache module on the server. Certbot is a simple and easy to use tool that simplifies server management by automating obtaining certificates and configuring web services to use them.

By default, Certbot package is not available in the CentOS 7 default OS repository. We need to enable the EPEL repository, then install Certbot.

To add the EPEL repository run the following command:

$ yum install epel-release

Once enabled, install all the required packages with the following command:

$ yum install certbot python2-certbot-apache mod_ssl

Once installed, we can proceed to the next step.

2) Obtain and Install SSL for Your Domain

Now that Certbot is installed, you can use it to obtain and install an SSL certificate for your domain.

Simply run the following command to obtain and install an SSL certificate for your domain:

$ certbot --apache -d domain.com

We can also install a single certificate for multiple domains and subdomains hosted on the server with the ‘-d’ flag, e.g.:

$ certbot --apache -d domain.com -d www.domain.com -d domain2.com -d test.domain2.com

We will be asked to provide an email address and agree to the terms of service.

-------------------Saving debug log to /var/log/letsencrypt/letsencrypt.logPlugins selected: Authenticator apache, Installer apacheEnter email address (used for urgent renewal and security notices) (Enter 'c' tocancel): admin@domain.comStarting new HTTPS connection (1): acme-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please read the Terms of Service athttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You mustagree in order to register with the ACME server athttps://acme-v02.api.letsencrypt.org/directory- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Would you be willing to share your email address with the Electronic FrontierFoundation, a founding partner of the Let's Encrypt project and the non-profitorganization that develops Certbot? We'd like to send you email about our workencrypting the web, EFF news, campaigns, and ways to support digital freedom.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Y)es/(N)o: NStarting new HTTPS connection (1): supporters.eff.orgObtaining a new certificatePerforming the following challenges:http-01 challenge for domain.comWaiting for verification...Cleaning up challengesCreated an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.confDeploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf

-------------------Type Y and hit [Enter], and you should see the following output: Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: No redirect - Make no further changes to the webserver configuration.2: Redirect - Make all requests redirect to secure HTTPS access. Choose this fornew sites, or if you're confident your site works on HTTPS. You can undo thischange by editing your web server's configuration.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Here, you need to choose any one option to continue. If you choose option

1, it will only download an SSL certificate and you need to configure Apache manually to use SSL certificate. If you choose option

2, it will automatically download and configure Apache to use SSL certificate. In this case, choose option 2 and hit [Enter]. When the installation is successfully finished, you will see a message similar to this:

- - - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations!

You have successfully enabled https://domain.com

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com-0001/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com-0001/privkey.pem Your cert will expire on 2019-10-22. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

The generated certificate files are available in the /etc/letsencrypt/live/domain.com directory. You can check the newly created SSL certificate with the following command:

ls /etc/letsencrypt/live/domain.com/

You should see the following output:

cert.pem chain.pem fullchain.pem privkey.pem

3) Check Your SSL Certificate

Open your web browser and type the URL https://domain.com. To check the SSL certificate in Chrome, click on the padlock icon in the address bar for https://domain.com and from the pop-up box, click on ‘Valid’ under the ‘Certificate’ prompt.

4) Set up Automatic Renewal

By default, Let’s Encrypt certificates are valid for 90 days, so it is recommended to renew the certificate before it expires. Ideally it would be best to automate the renewal process to periodically check and renew the certificate.

We can test the renewal process manually with the following command.

certbot renew --dry-run

The above command will automatically check the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

We can also add a cronjob to automatically run the above command twice a day.

To do so, edit the crontab with the following command:

crontab -e

Add the following line:

* */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1

Save and close the file.

Congratulations! We have successfully installed and configured Let’s Encrypt with Apache on a CentOS 7 VPS Or Cloud.

-------------------------------XXXXXXXX---------------------------------------------

Securing Email Server Traffic with TLS Certificate

When we configure a desktop email client, enabling encryption is always a good idea. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install Let’s Encrypt client (certbot) from the EPEL repository.

Rocky Linux 9/Alma Linux 9

sudo dnf install epel-release -y

sudo dnf install certbot -y

RHEL 9

sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

sudo dnf install certbot -y

If you don’t have a web server running yet, I recommend you install one (Apache or Nginx), because it’s easier to obtain and install TLS certificate with a web server than using other methods. And in a later tutorial, I will show you how to set up webmail, which requires running a web server.

Note that your Rocky Linux 9/Alma Linux 9 server might ship with Apache web server by default.

Apache

If you prefer Apache, run the following command to install it.

sudo dnf install httpd -y

Start Apache and enable auto-start at boot time.

sudo systemctl start httpd

sudo systemctl enable httpd

Install the Certbot Apache plugin.

sudo dnf install python3-certbot-apache -y

Nginx

If you prefer Nginx, run the following command to install it.

sudo dnf install nginx -y

Start Nginx and enable auto-start at boot time.

sudo systemctl start nginx

sudo systemctl enable nginx

Install the Certbot Nginx plugin.

sudo dnf install python3-certbot-nginx -y

Obtaining TLS Certificate with Apache Web Server

You need to have an Apache virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/httpd/conf.d/mail.your-domain.com.conf

Then paste the following text into the file.

<VirtualHost *:80> ServerName mail.your-domain.com
DocumentRoot /var/www/html/</VirtualHost>

Save and close the file. Reload Apache for the changes to take effect.

sudo systemctl reload httpd

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt TLS certificate.

sudo certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com

After a while, you should see the following lines which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.

hhh

Obtaining TLS Certificate with Nginx Web Server

You need to have an Nginx virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf

Next, paste the following text into the file.

server {      listen 80;      listen [::]:80;      server_name mail.your-domain.com;
      root /usr/share/nginx/html/;
      location ~ /.well-known/acme-challenge {         allow all;      }}

----------------------------------------------

Save and close the file. Reload Nginx for the changes to take effect.

systemctl reload nginx

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate with Nginx plugin.

certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email you@example.com -d mail.your-domain.com

After a while, you should see the following which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.

Enabling Submission Service in Postfix

To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to Postfix SMTP server. Edit the master.cf file.

vi /etc/postfix/master.cf

In submission section, uncomment or add the following lines. Please allow at least one whitespace (tab or spacebar) before each -o. In postfix configurations, a preceding whitespace character means that this line is continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)

submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_tls_wrappermode=no -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth

The above configuration enables the submission daemon of Postfix and requires TLS encryption. So later on our desktop email client can connect to the submission daemon in TLS encryption. The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between email client and the submission daemon.

Microsoft Outlook only supports submission over port 465. If you are going to use Microsoft outlook mail client, then you also need to enable submission service on port 465 by adding the following lines in the file.

smtps inet n - y - - smtpdvi -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth

Save and close the file.

Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.

Next, we need to run the following two commands to specify the location of TLS certificate and private key in Postfix configuration file. Your Let’s Encrypt certificate and private key are stored under /etc/letsencrypt/live/mail.your-domain.com/ directory.

postconf "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem"

postconf "smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem"

If you want to log TLS connections in the mail log (/var/log/maillog), then run the following two commands.

postconf "smtpd_tls_loglevel = 1"

postconf "smtp_tls_loglevel = 1"

To disable insecure SSL/TLS versions, open the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines at the bottom of the file. (In Nano text editor, you can quickly go to the bottom of a file by pressing Ctrl+W, then Ctrl+V.)

#Force TLSv1.3 or TLSv1.2smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Save and close the file. Then reload Postfix for the changes to take effect.

sudo systemctl restart postfix

If you run the following command, you will see Postfix is now listening on port 587 and 465.

sudo ss -lnpt | grep master

Page updated

Google Sites

Report abuse