LetsEncryptSetup


Let's Encrypt!

Let's Encrypt is a free certificate authority that launched earlier this year. That means you no longer have to choose between self-signed certificates and paid certificates to secure your web site and other services: you can use its client to obtain publicly trusted certificates and automate renewals. Using these certificates also means an end to 'untrusted site' warnings for your users.

My Setup

I have a CentOS 6 box running Apache for a webmail interface. The same machine uses sendmail to send and receive mail for the domain and serves IMAP over TLS via dovecot. My goal was to use one certificate, issued for the name mail.example.com, to secure all three.

Get Started

First, I followed the guide to download and install certbot, the Let's Encrypt client. Highlights:

# mkdir /root/bin
# cd /root/bin
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# /root/bin/certbot-auto --apache --email letsencrypt@example.com --agree-tos --domain mail.example.com certonly

Note that I used the certonly option to only obtain the certificate, not install it into Apache. I initially let certbot configure Apache automatically, but it got confused by my virtual host setup. It still worked, but ultimately it seemed simpler to edit the config files myself.

The other options bypass the questions in the interactive installer. The address you give to --email should be a valid mailbox, since Let's Encrypt sends expiry warnings there. The --domain argument names the host the certificate is for. This confused me at first, because I thought I was supposed to use the actual DNS domain (example.com). What you actually need to put here is the name your web server presents to the outside world, in this case mail.example.com; it must resolve to this machine and be reachable from the internet so the validation challenge can be served. That name goes into the certificate, and every service that uses the certificate must be addressed by the same name. Wildcard certificates were not supported at the time of writing. In my case this wasn't a problem because Apache, sendmail, and dovecot all run on the same box as mail.example.com. If your services answer to different DNS names, pass several --domain arguments: certbot validates each name and issues a single certificate listing all of them as Subject Alternative Names.

certbot proves to Let's Encrypt that you control the name (it serves a challenge response from your web server, which Let's Encrypt fetches), and the CA then issues the certificate. Once that process is done, the files are in /etc/letsencrypt/live/mail.example.com/: privkey.pem (the private key), cert.pem (your certificate), chain.pem (the issuing intermediate) and fullchain.pem (cert.pem followed by chain.pem). These are symlinks into /etc/letsencrypt/archive/, so point your services at the live/ paths and they will pick up renewed certificates automatically.

Setting up Apache

I have one virtual host in Apache, and it serves the SquirrelMail webmail client. I of course want to encrypt all traffic to and from this web server, because potentially sensitive information is involved (user mail). To make that happen, I configured my VirtualHost entries in /etc/httpd/conf/httpd.conf as follows:

<VirtualHost *:443>
  ServerName mail.example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /usr/share/squirrelmail
  ErrorLog     /var/log/httpd/mail.example.com-mail-error_log
  CustomLog    /var/log/httpd/mail.example.com-mail-combined_log combined

  SSLEngine on
  SSLCertificateChainFile /etc/letsencrypt/live/mail.example.com/chain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
  SSLCertificateFile /etc/letsencrypt/live/mail.example.com/cert.pem
</VirtualHost>

<VirtualHost *:80>
  ServerName mail.example.com
  RedirectMatch permanent ^/(.*) https://mail.example.com/$1
</VirtualHost>

The virtual host on port 80 redirects all requests to port 443 to force HTTPS. The server on port 443 uses the Let's Encrypt certificate to encrypt all connections with TLS. Apache 2.2, as shipped with CentOS 6, needs the intermediate supplied separately via SSLCertificateChainFile; on Apache 2.4.8 and later that directive is deprecated and you would instead point SSLCertificateFile at fullchain.pem.

Once I restarted my apache server, I found that everything worked automatically and all my web traffic was now encrypted. So far so good.
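Before pointing Apache (and later sendmail and dovecot) at the files certbot produced, it is worth checking that they are what the vhost expects. The following shell script is an added example, not from the original page or from certbot, and checks the four things the configuration above depends on: that privkey.pem belongs to cert.pem, that the certificate's Subject Alternative Names cover the ServerName, that chain.pem really issues cert.pem, and that the certificate is not about to expire. So that it runs offline, it builds a constructed throwaway root CA and leaf for mail.example.com laid out like certbot's live/ directory; set LIVE=/etc/letsencrypt/live/mail.example.com (and NAME to your ServerName) to run the same checks against a real issuance. The -partial_chain option is an assumption about your OpenSSL version: it exists from OpenSSL 1.0.2 on and is what lets chain.pem, which holds an intermediate rather than a root, serve as the trust anchor for the check.

```shell
#!/bin/sh
# Added example, not from the original page or from certbot: sanity-check the
# certificate files in a certbot live/ directory before handing them to
# Apache (or sendmail / dovecot). Requires only openssl.
set -e

# Does privkey.pem belong to cert.pem? Compare SHA-256 of the DER public keys.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Is the name Apache will present (ServerName) listed in the cert's SANs?
cert_covers_name() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' \
        | grep -qxF "$2"
}

# Does chain.pem really issue cert.pem? -partial_chain (OpenSSL >= 1.0.2) lets
# a non-root intermediate, which is what Let's Encrypt ships in chain.pem,
# act as the trust anchor for this check.
chain_issues_cert() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Will cert.pem still be valid in N days? (Let's Encrypt certs last 90 days.)
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed fixture (assumption: a toy root CA standing in for the real
# issuer), laid out like /etc/letsencrypt/live/mail.example.com/.
make_fixture() {
    d=$1
    cat > "$d/toy.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = mail.example.com
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
subjectAltName = DNS:mail.example.com
EOF
    openssl req -x509 -config "$d/toy.cnf" -extensions ca -subj '/CN=Toy Root' \
        -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/chain.pem" -days 365 >/dev/null 2>&1
    openssl req -new -config "$d/toy.cnf" \
        -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/toy.cnf" -extensions leaf -days 90 -out "$d/cert.pem" >/dev/null 2>&1
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
    openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1   # unrelated key, for the mismatch case
}

LIVE=${LIVE:-$(mktemp -d)}          # e.g. LIVE=/etc/letsencrypt/live/mail.example.com
[ -f "$LIVE/cert.pem" ] || make_fixture "$LIVE"
NAME=${NAME:-mail.example.com}      # the vhost's ServerName

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
report cert_matches_key    "$LIVE/cert.pem"  "$LIVE/privkey.pem"
report cert_covers_name    "$LIVE/cert.pem"  "$NAME"
report chain_issues_cert   "$LIVE/chain.pem" "$LIVE/cert.pem"
report cert_valid_for_days "$LIVE/cert.pem"  30
```

Run as root when checking a real live/ directory, since certbot makes the key readable by root only; the throwaway fixture directory created by mktemp is left in place so you can inspect the files afterwards. The key-match check is the one that catches the most common mistake after a renewal, a cert.pem from a new lineage paired with the privkey.pem of an old one.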

Let's Encrypt for sendmail, dovecot, and Apache on CentOS 6

mention sendmail permission problem - had to change perms on /etc/letsencrypt/blah

certbot crontab entry


