LetsEncrypt
Contents
Certbot
Installation
For Apache2:
1 aptitude install ssl-cert certbot python-certbot-apache
For Nginx:
1 aptitude install ssl-cert certbot python-certbot-nginx
Configuration
- Prepare DNS records first! This may be an A or CNAME record.
Retrieve certificate for apache2 and postfix
1 certbot certonly --apache \
2 --rsa-key-size 4096 \
3 -m hostmaster@rockstable.it \
4 -d mx1.rockstable.it \
5 -d mail.rockstable.it \
6 --no-eff-email \
7 --agree-tos
8 Saving debug log to /var/log/letsencrypt/letsencrypt.log
9 Plugins selected: Authenticator apache, Installer apache
10 Obtaining a new certificate
11 Performing the following challenges:
12 http-01 challenge for mail.rockstable.it
13 http-01 challenge for mx1.rockstable.it
14 Waiting for verification...
15 Cleaning up challenges
16
17 IMPORTANT NOTES:
18 - Congratulations! Your certificate and chain have been saved at:
19 /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
20 Your key file has been saved at:
21 /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
22 Your cert will expire on 2019-09-06. To obtain a new or tweaked
23 version of this certificate in the future, simply run certbot
24 again. To non-interactively renew *all* of your certificates, run
25 "certbot renew"
26 - If you like Certbot, please consider supporting our work by:
27
28 Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
29 Donating to EFF: https://eff.org/donate-le
Retrieve certificate for nginx
1 certbot certonly --nginx \
2 --rsa-key-size 4096 \
3 -m hostmaster@rockstable.it \
4 -d git.rockstable.it \
5 -d www3.rockstable.it \
6 --no-eff-email \
7 --agree-tos
8 Saving debug log to /var/log/letsencrypt/letsencrypt.log
9 Plugins selected: Authenticator nginx, Installer nginx
10 Obtaining a new certificate
11 Performing the following challenges:
12 http-01 challenge for git.rockstable.it
13 http-01 challenge for www3.rockstable.it
14 Waiting for verification...
15 Cleaning up challenges
16
17 IMPORTANT NOTES:
18 - Congratulations! Your certificate and chain have been saved at:
19 /etc/letsencrypt/live/git.rockstable.it/fullchain.pem
20 Your key file has been saved at:
21 /etc/letsencrypt/live/git.rockstable.it/privkey.pem
22 Your cert will expire on 2019-10-02. To obtain a new or tweaked
23 version of this certificate in the future, simply run certbot
24 again. To non-interactively renew *all* of your certificates, run
25 "certbot renew"
26 - Your account credentials have been saved in your Certbot
27 configuration directory at /etc/letsencrypt. You should make a
28 secure backup of this folder now. This configuration directory will
29 also contain certificates and private keys obtained by Certbot so
30 making regular backups of this folder is ideal.
31 - If you like Certbot, please consider supporting our work by:
32
33 Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
34 Donating to EFF: https://eff.org/donate-le
Some considerations concerning access
Change group of directories /etc/letsencrypt/{live,archive} to ssl-cert.
- Set "Setgid" bit and permit access to group.
Files in /etc/letsencrypt/$DOMAIN are only linked relatively to files in ../../archive/$DOMAIN. SO it's sufficient to change permissions of /etc/letsencrypt/archive/$DOMAIN/*.
- Change group of private keys in {{{/etc/letsencrypt/archive to "ssl-cert" and permit read-access to group.
Add all daemons that don't have a "primary/master" process running under uid "0" to group ssl-cert to allow access to certificates.
1 adduser daemon-user ssl-cert
- For example it's unnecessary to add www-data, postfix and dovecot, since they have a "master" process running under "root" and "root" can do anything.
1 ps faux \
2 | egrep -A 3 'root.*(/usr/sbin/apache2|/usr/lib/postfix/sbin/master \
3 |/usr/sbin/dovecot)' \
4 | grep -v grep
5 root 453 0.0 0.0 4308 3200 ? Ss Jun06 0:00 /usr/sbin/dovecot -F
6 dovecot 802 0.0 0.0 3952 1096 ? S Jun06 0:00 \_ dovecot/anvil
7 root 13273 0.0 0.0 4328 3176 ? S Jun07 0:00 \_ dovecot/log
8 root 13275 0.0 0.1 6188 4500 ? S Jun07 0:00 \_ dovecot/config
9 --
10 root 508 0.0 0.2 15264 9980 ? Ss Jun06 0:06 /usr/sbin/apache2 -k start
11 www-data 22005 0.0 0.1 15044 4556 ? S 11:52 0:00 \_ /usr/sbin/apache2 -k start
12 www-data 22006 0.0 0.4 2310216 17016 ? Sl 11:52 0:00 \_ /usr/sbin/apache2 -k start
13 www-data 22007 0.0 0.4 2310284 18996 ? Sl 11:52 0:00 \_ /usr/sbin/apache2 -k start
14 --
15 root 15775 0.0 0.1 43472 4372 ? Ss Jun07 0:00 /usr/lib/postfix/sbin/master -w
16 postfix 15777 0.0 0.2 43880 8636 ? S Jun07 0:00 \_ qmgr -l -t unix -u
17 postfix 15815 0.0 0.2 44116 9756 ? S Jun07 0:00 \_ tlsmgr -l -t unix -u -c
18 postfix 21276 0.0 0.1 43828 7424 ? S 11:38 0:00 \_ pickup -l -t unix -u -c
Now change paths to certificates and keys of applications to point to the newly acquired.
1 postfix/main.cf:smtpd_tls_cert_file = /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
2 postfix/main.cf:smtpd_tls_key_file = /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
3 dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
4 dovecot/conf.d/10-ssl.conf:ssl_key = </etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
5 apache2/sites-available/roundcube_ssl.conf: SSLCertificateFile /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
6 apache2/sites-available/roundcube_ssl.conf: SSLCertificateKeyFile /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem
Restart 'em -> DONE.
Systemd certbot.timer is waiting - ready for renewal -> FINE.
1 systemctl status certbot.timer
2 ● certbot.timer - Run certbot twice daily
3 Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
4 Active: active (waiting) since Thu 2019-06-06 20:59:23 CEST; 1 day 15h ago
5 Trigger: Sat 2019-06-08 22:29:31 CEST; 9h left
6
7 Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
DNS Certification Authority Authorization (CAA) Resource Record
Set CAA-Record in DNS
1 @ CAA 128 issue "letsencrypt.org"