Certificate: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (38 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
<u>'''Security Certificate'''</u> | <u>'''Security Certificate'''</u> | ||
# Abstract: Create Certificate | # Abstract: Create Certificate | ||
# | #: Generate key | ||
# | #: Generate signing request | ||
# | #: Sign the key | ||
# | #: Create server certificate | ||
# | #: Set permission | ||
# | #: Set owner | ||
# | #: Copy into place | ||
# | #: Restart services | ||
#: Implementation | |||
## Self-Signed Certificate | ## Self-Signed Certificate | ||
## | ##: <nowiki>#</nowiki> openssl genrsa -out x.key 2048 | ||
## | ##: <nowiki>#</nowiki> openssl req -new -key x.key -out x.csr | ||
## | ##: <nowiki>#</nowiki> openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt | ||
## | ##: <nowiki>#</nowiki> cat x.crt x.key > servercert.pem | ||
## | ##: <nowiki>#</nowiki> chmod 644 servercert.pem | ||
## | ##: <nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem | ||
## | ##: <nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control | ||
## Let's Encrypt | ## Let's Encrypt (Assumes working web server) | ||
## | ##: <nowiki>#</nowiki> yum install python-certbot-apache | ||
## | ##: <nowiki>#</nowiki> certbot -apache -d mydomain.com -d mail.mydomain.com | ||
## | ##; Apache | ||
## | ##: SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem | ||
## | ##: SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem | ||
## | ##: SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem | ||
## | ##; Dovecot | ||
## | ##: ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem | ||
## | ##: ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem | ||
## | ##; Qmail | ||
## | ##: <nowiki>#</nowiki> cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ||
## | ##: '''EL 7/8''' | ||
##: | ##: <nowiki>#</nowiki> cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem | ||
## | ##: '''EL 9''' | ||
## | ##: <nowiki>#</nowiki> cat /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem /etc/letsencrypt/live/mail.mydomain.com/privkey.pem > /var/qmail/control/servercert.pem | ||
##; Cron auto renew (script below) | |||
## | ##: 0 0 * * * /opt/certbot/certbot renew | ||
##; | ## Application: Godaddy Signed Certificate | ||
##:<nowiki>#</nowiki> openssl genrsa -out x.key 2048 | |||
##:<nowiki>#</nowiki> openssl req -new -key x.key -out x.csr | |||
##; Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle) | |||
##:<nowiki>#</nowiki> cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem | |||
##:<nowiki>#</nowiki> chmod 644 servercert.pem | |||
##:<nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem | |||
##:<nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control | |||
# Restart Qmail and Dovecot | |||
#:<nowiki>#</nowiki> qmailctl stop && sleep 2 && qmailctl start | |||
#:<nowiki>#</nowiki> systemctl restart dovecot | |||
#:<nowiki>#</nowiki> systemctl restart httpd | |||
<pre> | |||
#!/bin/bash | |||
LOG=/usr/command/certs/certs.log | |||
days=3 | |||
today=`date` | |||
today=`date --date="$today" --utc +%s` | |||
CD=/etc/letsencrypt/live | |||
FC=fullchain.pem | |||
PK=privkey.pem | |||
mailcert () { | |||
if [[ "`cat /etc/os-release | grep VERSION_ID | sed 's/VERSION_ID=//' | sed 's/"//g'`" == *"9"* ]] | |||
then | |||
cat $CD/$1/$FC $CD/$1/$PK > ./servercert.pem | |||
else | |||
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | |||
fi | |||
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | |||
cp ./servercert.pem /var/qmail/control/servercert.pem | |||
systemctl reload dovecot | |||
qmailctl stop && sleep 2 && qmailctl start | |||
} | |||
for CDOM in `ls $CD` | |||
do | |||
[ "$CDOM" = "README" ] && continue | |||
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | |||
off=`date --date="$exp" --utc +%s` | |||
diff=$(( (off - today)/86400 )) | |||
echo "Certificate Domain: $CDOM, Days to expire: $diff" | |||
echo "" | |||
if [ $diff -le $days ] | |||
then | |||
certbot renew --cert-name $CDOM | |||
systemctl reload httpd | |||
mailcert $CDOM | |||
fi | |||
done | |||
exit 0 | |||
</pre> | |||
=Implementation (qmail run scripts)= | |||
==Submission== | |||
<pre> | |||
#!/bin/sh | |||
QMAILDUID=`id -u vpopmail` | |||
NOFILESGID=`id -g vpopmail` | |||
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` | |||
SMTPD="/var/qmail/bin/qmail-smtpd" | |||
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" | |||
HOSTNAME=`hostname` | |||
VCHKPW="/home/vpopmail/bin/vchkpw" | |||
export FORCETLS="1" | |||
export SMTPAUTH="!" | |||
exec /usr/bin/softlimit -m 128000000 \ | |||
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ | |||
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ | |||
$SMTPD $VCHKPW /bin/true 2>&1 | |||
</pre> | |||
==SMTPS== | |||
<pre> | |||
#!/bin/sh | |||
QMAILDUID=`id -u vpopmail` | |||
NOFILESGID=`id -g vpopmail` | |||
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` | |||
SMTPD="/var/qmail/bin/qmail-smtpd" | |||
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" | |||
HOSTNAME=`hostname` | |||
VCHKPW="/home/vpopmail/bin/vchkpw" | |||
export SMTPS="1" | |||
export FORCETLS="0" | |||
export SMTPAUTH="!+cram" | |||
exec /usr/bin/softlimit -m 128000000 \ | |||
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ | |||
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 \ | |||
$SMTPD $VCHKPW /bin/true 2>&1 | |||
</pre> | |||
Latest revision as of 21:49, 25 March 2024
Security Certificate
- Abstract: Create Certificate
- Generate key
- Generate signing request
- Sign the key
- Create server certificate
- Set permission
- Set owner
- Copy into place
- Restart services
- Implementation
- Self-Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
- # cat x.crt x.key > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Let's Encrypt (Assumes working web server)
- # yum install python-certbot-apache
- # certbot -apache -d mydomain.com -d mail.mydomain.com
- Apache
- SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
- Dovecot
- ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
- Qmail
- # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
- EL 7/8
- # cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
- EL 9
- # cat /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem /etc/letsencrypt/live/mail.mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
- Cron auto renew (script below)
- 0 0 * * * /opt/certbot/certbot renew
- Application: Godaddy Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)
- # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Restart Qmail and Dovecot
- # qmailctl stop && sleep 2 && qmailctl start
- # systemctl restart dovecot
- # systemctl restart httpd
#!/bin/bash
LOG=/usr/command/certs/certs.log
days=3
today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem
mailcert () {
if [[ "`cat /etc/os-release | grep VERSION_ID | sed 's/VERSION_ID=//' | sed 's/"//g'`" == *"9"* ]]
then
cat $CD/$1/$FC $CD/$1/$PK > ./servercert.pem
else
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
fi
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
cp ./servercert.pem /var/qmail/control/servercert.pem
systemctl reload dovecot
qmailctl stop && sleep 2 && qmailctl start
}
for CDOM in `ls $CD`
do
[ "$CDOM" = "README" ] && continue
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
off=`date --date="$exp" --utc +%s`
diff=$(( (off - today)/86400 ))
echo "Certificate Domain: $CDOM, Days to expire: $diff"
echo ""
if [ $diff -le $days ]
then
certbot renew --cert-name $CDOM
systemctl reload httpd
mailcert $CDOM
fi
done
exit 0
Implementation (qmail run scripts)
Submission
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"
exec /usr/bin/softlimit -m 128000000 \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
$SMTPD $VCHKPW /bin/true 2>&1
SMTPS
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"
exec /usr/bin/softlimit -m 128000000 \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
$SMTPD $VCHKPW /bin/true 2>&1