Certificate: Difference between revisions
No edit summary Tag: Reverted |
Tag: Undo |
Line 49: | Line 49: | ||
0 0 * * * /opt/certbot/certbot renew | 0 0 * * * /opt/certbot/certbot renew | ||
<u>'''Security Certificate'''</u> | |||
# Abstract: Create Certificate | |||
#: Generate key | |||
#: Generate signing request | |||
#: Sign the key | |||
#: Create server certificate | |||
#: Set permission | |||
#: Set owner | |||
#: Copy into place | |||
#: Restart services | |||
#: Implementation | |||
## Self-Signed Certificate | |||
##: <nowiki>#</nowiki> openssl genrsa -out x.key 2048 | |||
##: <nowiki>#</nowiki> openssl req -new -key x.key -out x.csr | |||
##: <nowiki>#</nowiki> openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt | |||
##: <nowiki>#</nowiki> cat x.crt x.key > servercert.pem | |||
##: <nowiki>#</nowiki> chmod 644 servercert.pem | |||
##: <nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem | |||
##: <nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control | |||
## Let's Encrypt (Assumes working web server) | |||
##: <nowiki>#</nowiki> dnf -y install certbot python3-certbot-apache | |||
##: <nowiki>#</nowiki> certbot -apache -d mydomain.com -d mail.mydomain.com | |||
##; Apache | |||
##: SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem | |||
##: SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem | |||
##: SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem | |||
##; Dovecot | |||
##: ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem | |||
##: ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem | |||
##; Qmail | |||
##: <nowiki>#</nowiki> cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | |||
##: <nowiki>#</nowiki> cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > ./servercert.pem | |||
##: <nowiki>#</nowiki> cp ./servercert.pem /var/qmail/control/servercert.pem | |||
##; Cron auto renew (script below) | |||
##: 0 0 * * * /opt/certbot/certbot renew | |||
## Application: Godaddy Signed Certificate | |||
##:<nowiki>#</nowiki> openssl genrsa -out x.key 2048 | |||
##:<nowiki>#</nowiki> openssl req -new -key x.key -out x.csr | |||
##; Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle) | |||
##:<nowiki>#</nowiki> cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem | |||
##:<nowiki>#</nowiki> chmod 644 servercert.pem | |||
##:<nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem | |||
##:<nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control | |||
# Restart Qmail and Dovecot | |||
#:<nowiki>#</nowiki> qmailctl stop && sleep 2 && qmailctl start | |||
#:<nowiki>#</nowiki> systemctl restart dovecot | |||
#:<nowiki>#</nowiki> systemctl restart httpd | |||
<pre> | |||
#!/bin/bash | |||
LOG=/usr/command/certs/certs.log | |||
days=3 | |||
today=`date` | |||
today=`date --date="$today" --utc +%s` | |||
CD=/etc/letsencrypt/live | |||
FC=fullchain.pem | |||
PK=privkey.pem | |||
mailcert () { | |||
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | ||
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ||
Line 66: | Line 116: | ||
systemctl reload dovecot | systemctl reload dovecot | ||
qmailctl stop && sleep 2 && qmailctl start | qmailctl stop && sleep 2 && qmailctl start | ||
} | |||
for CDOM in `ls $CD` | |||
do | |||
[ "$CDOM" = "README" ] && continue | [ "$CDOM" = "README" ] && continue | ||
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | ||
Line 82: | Line 132: | ||
mailcert $CDOM | mailcert $CDOM | ||
fi | fi | ||
done | |||
exit 0 | |||
</pre> | </pre> |
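Review bot: The lineage loop at ``for CDOM in `ls $CD` `` parses `ls` output and word-splits it, and every path expansion in the loop and in `mailcert` (`$CD/$1/$PK`, `$CD/$CDOM/$FC`) is unquoted; iterate the directories directly, `for CDOM in "$CD"/*/; do CDOM=${CDOM%/}; CDOM=${CDOM##*/}`, and quote the expansions. `mailcert` also concatenates `privkey.pem` into `./servercert.pem` in whatever working directory cron started in, so the private key is written under the default umask outside the protected control directory; assembling it in a `mktemp` file (mode 0600) and copying from there into `/var/qmail/control/servercert.pem` (which keeps the destination's owner and mode) avoids that. The ``today=`date` `` line followed by a second `date --date` round-trip can simply be `today=$(date --utc +%s)`, and the unconditional `exit 0` hides a failed `certbot renew` from cron, which would otherwise mail the error. Both `mailcert` and the `for` loop continue outside the visible hunk lines (the page elides lines after the `cp -p` backup line and again after the `exp=` line).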
Revision as of 22:15, 17 October 2024
Security Certificate
Self-Signed
# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "$SUBJ"
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# remove the leftover *.pem files from /tmp (key.pem is an unencrypted private key)
Let's Encrypt
# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld
This should produce a 2048-bit RSA key; if it does not, request one explicitly:
# certbot --rsa-key-size 2048 --key-type rsa --apache -d domain.tld -d mail.domain.tld
Go Daddy
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out csr.pem
Submit the signing request (csr.pem) to GoDaddy; later download the signed certificate and the CA bundle (crt and crt bundle).
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# chmod 644 servercert.pem
# chown root:qmail servercert.pem
# cp -p servercert.pem /var/qmail/control
Implementation
Dovecot
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
Apache
SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
Qmail
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem
Renew (Let's Encrypt) — see the script below
# crontab -e
0 0 * * * /opt/certbot/certbot renew
Security Certificate
- Abstract: Create Certificate
- Generate key
- Generate signing request
- Sign the key
- Create server certificate
- Set permission
- Set owner
- Copy into place
- Restart services
- Implementation
- Self-Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
- # cat x.crt x.key > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Let's Encrypt (Assumes working web server)
- # dnf -y install certbot python3-certbot-apache
- # certbot --apache -d mydomain.com -d mail.mydomain.com
- Apache
- SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
- Dovecot
- ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
- Qmail
- # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
- # cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > ./servercert.pem
- # cp ./servercert.pem /var/qmail/control/servercert.pem
- Cron auto renew (script below)
- 0 0 * * * /opt/certbot/certbot renew
- Application: Godaddy Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- Submit the signing request (x.csr) to GoDaddy; later download the signed certificate and the CA bundle (crt and crt bundle)
- # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Restart Qmail and Dovecot
- # qmailctl stop && sleep 2 && qmailctl start
- # systemctl restart dovecot
- # systemctl restart httpd
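#!/bin/bash
#
# Let's Encrypt renewal helper for a qmail/dovecot/httpd host.
#
# For every lineage directory under $CD, read the notAfter date of its
# fullchain.pem and, when $days or fewer remain, run `certbot renew` for that
# lineage, reload httpd, and rebuild /var/qmail/control/servercert.pem
# (private key followed by the full chain) for qmail and dovecot.
#
# Meant for root's crontab; progress goes to stdout, failures to stderr, and
# the exit status is non-zero if any lineage could not be checked or renewed.
set -euo pipefail

LOG=/usr/command/certs/certs.log   # reserved; nothing is written here yet
days=3                             # renew when this many days (or fewer) remain
today=$(date --utc +%s)            # "now" as UTC epoch seconds
CD=/etc/letsencrypt/live           # certbot lineage directories live here
FC=fullchain.pem
PK=privkey.pem

#######################################
# Install key + chain of lineage $1 as the qmail/dovecot servercert.pem.
# Globals:   CD, PK, FC (read)
# Arguments: $1 - lineage name (directory under $CD)
# Outputs:   none on success
# Returns:   non-zero if the combined file cannot be built or installed
#######################################
mailcert () {
  local dom=$1
  local ctl=/var/qmail/control/servercert.pem
  local tmp

  # The combined file contains the private key, so assemble it in a mktemp
  # file (mode 0600) instead of ./servercert.pem under whatever umask cron
  # happens to use.
  tmp=$(mktemp) || return 1
  if ! cat -- "$CD/$dom/$PK" "$CD/$dom/$FC" > "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi

  # Keep a backup of the previous file, then copy over the existing one:
  # cp onto an existing target keeps its owner and mode (root:qmail) intact.
  cp -p -- "$ctl" "$ctl.bak" || { rm -f -- "$tmp"; return 1; }
  cp -- "$tmp" "$ctl" || { rm -f -- "$tmp"; return 1; }
  rm -f -- "$tmp"

  systemctl reload dovecot || return 1
  # qmail is stop/started rather than reloaded, as documented on the page.
  qmailctl stop && sleep 2 && qmailctl start
}

#######################################
# Renew lineage $1 and push the new material to httpd, dovecot and qmail.
# Arguments: $1 - lineage name
# Returns:   non-zero as soon as any step fails (later steps are skipped)
#######################################
renew_lineage() {
  local dom=$1
  certbot renew --cert-name "$dom" \
    && systemctl reload httpd \
    && mailcert "$dom"
}

#######################################
# Walk the lineages under $CD and renew those close to expiry.
# Globals:   CD, FC, days, today (read)
# Outputs:   one status line per lineage on stdout
# Returns:   0 if every lineage was checked (and renewed when due), else 1
#######################################
main() {
  local lineage dom notafter expires remain rc=0

  if [[ ! -d "$CD" ]]; then
    printf 'certs: %s is not a directory\n' "$CD" >&2
    return 1
  fi

  # Glob the lineage directories rather than parsing `ls`; nullglob turns an
  # empty $CD into zero iterations instead of one over the literal pattern.
  shopt -s nullglob
  for lineage in "$CD"/*/; do
    dom=${lineage%/}
    dom=${dom##*/}
    [[ "$dom" == "README" ]] && continue

    # -enddate prints just "notAfter=<date>"; strip the prefix for date(1).
    if ! notafter=$(openssl x509 -enddate -noout -in "$CD/$dom/$FC"); then
      printf 'certs: cannot read %s\n' "$CD/$dom/$FC" >&2
      rc=1
      continue
    fi
    notafter=${notafter#notAfter=}
    if ! expires=$(date --date="$notafter" --utc +%s); then
      printf 'certs: cannot parse expiry "%s" for %s\n' "$notafter" "$dom" >&2
      rc=1
      continue
    fi
    remain=$(( (expires - today) / 86400 ))

    printf 'Certificate Domain: %s, Days to expire: %s\n\n' "$dom" "$remain"

    if (( remain <= days )); then
      # A failure here is reported but does not stop the remaining lineages.
      if ! renew_lineage "$dom"; then
        printf 'certs: renewal of %s failed\n' "$dom" >&2
        rc=1
      fi
    fi
  done

  return "$rc"
}

main "$@"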
Implementation (qmail run scripts)
Submission
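#!/bin/sh
# qmail run script: qmail-smtpd on the submission port (587), wrapped in
# softlimit and tcpserver and running as the vpopmail user/group.
#
# FORCETLS and SMTPAUTH are environment variables read by the installed
# qmail-smtpd; this page sets FORCETLS="1" and SMTPAUTH="!" for 587, which
# presumably makes TLS mandatory and authentication required — confirm
# against the documentation of the qmail-smtpd build in use.
#
# -e/-u: a failed lookup (no vpopmail user, missing control file) exits the
# script instead of exec'ing tcpserver with empty -u/-g/-c arguments.
set -eu

QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)   # tcpserver -c limit
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"

export FORCETLS="1"
export SMTPAUTH="!"

# stderr is merged into stdout so the supervisor's logger captures both.
exec /usr/bin/softlimit -m 128000000 \
  /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
  "$SMTPD" "$VCHKPW" /bin/true 2>&1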
SMTPS
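#!/bin/sh
# qmail run script: qmail-smtpd on the SMTPS port (465), wrapped in softlimit
# and tcpserver and running as the vpopmail user/group.
#
# SMTPS, FORCETLS and SMTPAUTH are environment variables read by the installed
# qmail-smtpd; this page sets SMTPS="1", FORCETLS="0" and SMTPAUTH="!+cram"
# for 465 — presumably implicit TLS on connect (so STARTTLS is not forced)
# with authentication required and CRAM enabled; confirm against the
# documentation of the qmail-smtpd build in use.
#
# -e/-u: a failed lookup (no vpopmail user, missing control file) exits the
# script instead of exec'ing tcpserver with empty -u/-g/-c arguments.
set -eu

QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)   # tcpserver -c limit
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"

export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

# stderr is merged into stdout so the supervisor's logger captures both.
exec /usr/bin/softlimit -m 128000000 \
  /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
  "$SMTPD" "$VCHKPW" /bin/true 2>&1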