LetsEncryptSetup
You are viewing an old revision of this page.
!!! Let's Encrypt!

[[https://letsencrypt.org/|Let's Encrypt]] is a free certificate authority that was launched earlier this year. What that means is you no longer have to choose between self-signed certificates or buying certificates to secure your web site and other services. Now you can use their tools to create certificates and automate renewals. Using these certificates also means an end to annoying 'untrusted site' popups for your users.

!! My Setup

I have a ~CentOS 6 box running apache for a webmail interface. This machine also uses sendmail to send and receive mail for the domain, and supports encrypted imap via dovecot. My goal was to use the same certificate, named mail.example.com, to encrypt all three.

!! Get Started

First, I followed [[https://certbot.eff.org/#centosrhel6-apache|the guide]] to download and install **certbot**, the Let's Encrypt client. Highlights:

<pre>
# mkdir /root/bin
# cd /root/bin
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# /root/bin/certbot-auto --apache --email letsencrypt@example.com --agree-tos --domain mail.example.com certonly
</pre>

Note that I used the <code>certonly</code> option to only generate the certificates, not install them in apache. I initially let certbot automatically configure my apache, but it got all confused about my virtual host setup. It still worked, but ultimately it seemed simpler to do the config file editing myself. The other options bypass the questions in the automated installer. The address you give to <code>--email</code> should be a valid address which can receive mail.

The <code>--domain</code> argument specifies the name you are creating the certificate for. This confused me at first, because I thought I was supposed to use the actual dns domain (example.com). What you actually need to put here is the name your webserver presents to the outside world, in this case <code>mail.example.com</code>. This name will be used to generate your SSL certificates, and any service using the certificate will have to present the same name. Wildcard certificates are not supported. In my case this wasn't a problem because apache, sendmail, and dovecot all run on the same box as <code>mail.example.com</code>. Obviously, if your services run under different dns names then you will need to call certbot with multiple domain arguments to generate certs for each one.

certbot will verify that your webserver actually answers for that name, and then it will issue you a certificate. Once that process is done, your new certificate is in <code>/etc/letsencrypt/live/mail.example.com</code>.

!! Setting up Apache

I have one virtual host in apache, and it's serving the Squirrelmail webmail client. I of course want to encrypt all traffic to and from this webserver because potentially sensitive information is involved (user mail). To make that happen, I configured my ~VirtualHost entries in /etc/httpd/conf/http.conf as follows:

<pre>
<VirtualHost *:443>
    ServerName mail.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /usr/share/squirrelmail
    ErrorLog /var/log/httpd/mail.example.com-mail-error_log
    CustomLog /var/log/httpd/mail.example.com-mail-combined_log combined
    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/mail.example.com/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/mail.example.com/cert.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName mail.example.com
    RedirectMatch permanent ^/(.*) https://mail.example.com/$1
</VirtualHost>
</pre>

The virtual host on port 80 redirects all traffic to port 443 to force https. The server on port 443 uses my Let's Encrypt certificates to SSL-encrypt all connections. Once I restarted my apache server, I found that everything worked automatically and all my web traffic was now encrypted. So far so good.
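An added check, not part of the original article: a small Python linter that parses VirtualHost blocks like the ones above and confirms that the port 443 host has SSLEngine on with its cert, key and chain pointing at the /etc/letsencrypt/live/<ServerName>/ files, and that the port 80 host redirects to https. The config text is constructed here to mirror the entries above.

```python
import re

# Constructed sample mirroring the VirtualHost entries described above.
HTTPD_CONF = """
<VirtualHost *:443>
  ServerName mail.example.com
  DocumentRoot /usr/share/squirrelmail
  SSLEngine on
  SSLCertificateChainFile /etc/letsencrypt/live/mail.example.com/chain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
  SSLCertificateFile /etc/letsencrypt/live/mail.example.com/cert.pem
</VirtualHost>
<VirtualHost *:80>
  ServerName mail.example.com
  RedirectMatch permanent ^/(.*) https://mail.example.com/$1
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return [(address, {directive: value}), ...] for each VirtualHost block.
    Directive names are matched as written (canonical case, as in the sample)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
        vhosts.append((addr.strip(), directives))
    return vhosts


def check_vhosts(conf):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    for addr, d in parse_vhosts(conf):
        name = d.get("ServerName", "<missing>")
        if addr.endswith(":443"):
            live = f"/etc/letsencrypt/live/{name}/"
            if d.get("SSLEngine", "").lower() != "on":
                findings.append(f"{addr} {name}: SSLEngine is not on")
            for key, fname in (("SSLCertificateFile", "cert.pem"),
                               ("SSLCertificateKeyFile", "privkey.pem"),
                               ("SSLCertificateChainFile", "chain.pem")):
                if d.get(key) != live + fname:
                    findings.append(f"{addr} {name}: {key} should be {live}{fname}")
        elif addr.endswith(":80"):
            redirect = d.get("RedirectMatch", "") + d.get("Redirect", "")
            if f"https://{name}/" not in redirect:
                findings.append(f"{addr} {name}: no redirect to https://{name}/")
    return findings
```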
Letsencrypt for sendmail, dovecot, and apache on centos 6 mention sendmail permission problem - had to change perms on /etc/letsencrypt/blah certbot crontab entry