Certificate: Difference between revisions
Line 46: | Line 46: | ||
#!/bin/bash | #!/bin/bash | ||
# certbot: script to renew certificates | # certbot: script to renew certificates | ||
LOG=/usr/command/certs/certs.log | LOG=/usr/command/certs/certs.log | ||
days=3 | days=3 | ||
today=`date` | today=`date` | ||
today=`date --date="$today" --utc +%s` | today=`date --date="$today" --utc +%s` | ||
CD=/etc/letsencrypt/live | CD=/etc/letsencrypt/live | ||
FC=fullchain.pem | FC=fullchain.pem | ||
PK=privkey.pem | PK=privkey.pem | ||
mailcert () { | mailcert () { | ||
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | ||
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ||
Line 64: | Line 64: | ||
systemctl reload dovecot | systemctl reload dovecot | ||
qmailctl stop && sleep 2 && qmailctl start | qmailctl stop && sleep 2 && qmailctl start | ||
} | } | ||
for CDOM in `ls $CD` | for CDOM in `ls $CD` | ||
do | do | ||
[ "$CDOM" = "README" ] && continue | [ "$CDOM" = "README" ] && continue | ||
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | ||
Line 80: | Line 80: | ||
mailcert $CDOM | mailcert $CDOM | ||
fi | fi | ||
done | done | ||
exit 0 | exit 0 | ||
== Mail server settings == | == Mail server settings == |
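Review bot: mailcert concatenates the private key and the chain into `./servercert.pem`, a path relative to whatever working directory the script happens to run from (cron, typically), created with the caller's default umask; the combined file is key material and should depend on neither. Create it under a restrictive mask and remove it once it has been copied into place, e.g. `( umask 077; cat -- "$CD/$1/$PK" "$CD/$1/$FC" > ./servercert.pem )` followed by `rm -f -- ./servercert.pem` after the copy to /var/qmail/control. The loop header iterates over the output of `ls $CD`; iterating the glob `for d in "$CD"/*/` with `CDOM=${d%/}; CDOM=${CDOM##*/}` avoids that and pairs naturally with quoting the `$CD/$CDOM/$FC` operand on the openssl line. Both mailcert's body and the loop body continue outside the visible hunks.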
Revision as of 08:11, 18 October 2024
Security Certificate
Self-Signed
# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# remove *.pem
Let's Encrypt
(assumes a functioning Apache web server for domain.tld)
# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld --rsa-key-size 2048 --key-type rsa
A 2048-bit key should have been created; if not, force it with the RSA options shown above (`--rsa-key-size 2048 --key-type rsa`).
Check the size of the private key with the following command:
# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem -text | grep Key
Move the key and certificate into place:
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem
GoDaddy
# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)
Submit the signing request (csr.pem) to GoDaddy, download the certificate (.crt) and the certificate bundle, concatenate them with the key, and move the result into place.
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# cp servercert.pem /var/qmail/control
Implementation
Restart Services
# qmailctl stop && sleep 2 && qmailctl start
# systemctl reload dovecot httpd
Renew (Let's Encrypt) *with script
# crontab -e
0 0 * * * /opt/certbot/certbot renew
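#!/bin/bash
# certbot: script to renew certificates
#
# Walks the Let's Encrypt lineage directories, reports days to expiry for
# each certificate and, when a certificate is within $days of expiring,
# renews it and reinstalls the combined key+chain for qmail/dovecot.
# Requires GNU date (--date/--utc).

# Log file path. NOTE(review): declared but not referenced by the visible
# script; kept for compatibility with whatever invokes it.
readonly LOG=/usr/command/certs/certs.log
# Renew when this many days (or fewer) remain before notAfter.
readonly days=3
# Current time as UTC seconds since the epoch; compared against notAfter below.
# (The original parsed `date` output and re-parsed it; +%s directly yields the same value.)
today=$(date --utc +%s) || exit 1
readonly today
# Live lineage directory, and the file names inside each lineage.
readonly CD=/etc/letsencrypt/live
readonly FC=fullchain.pem
readonly PK=privkey.pem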
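#######################################
# Install the renewed key+chain of one lineage as the qmail/dovecot server
# certificate and restart the mail services so they pick it up.
# Globals:   CD, PK, FC (read)
# Arguments: $1 - lineage (domain) directory name under $CD
# Outputs:   writes /var/qmail/control/servercert.pem (previous copy kept as .bak)
# Returns:   1 if the combined file could not be built, else the status of
#            the final qmailctl start
#######################################
mailcert () {
  local dom=${1:?mailcert: lineage name required}
  local dest=/var/qmail/control/servercert.pem
  local tmp=./servercert.pem
  # The combined file contains the private key: build it with a restrictive
  # umask (subshell so the rest of the script's umask is untouched) and do not
  # leave it lying around in the working directory afterwards.
  ( umask 077; cat -- "$CD/$dom/$PK" "$CD/$dom/$FC" > "$tmp" ) || return 1
  # Keep the previous certificate so a broken install can be rolled back.
  cp -p -- "$dest" "$dest.bak"
  # cp onto an existing target preserves the target's owner/mode, which is
  # what the services reading it expect; same behaviour as before.
  cp -- "$tmp" "$dest"
  rm -f -- "$tmp"
  systemctl reload dovecot
  qmailctl stop && sleep 2 && qmailctl start
}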
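# Iterate over the lineage directories under $CD by glob rather than by
# parsing `ls`; the trailing slash restricts the match to directories, so the
# README file is never visited (the explicit check is kept for clarity).
for cert_dir in "$CD"/*/; do
  [ -d "$cert_dir" ] || continue
  CDOM=${cert_dir%/}
  CDOM=${CDOM##*/}
  [ "$CDOM" = "README" ] && continue
  if [ ! -r "$CD/$CDOM/$FC" ]; then
    echo "Certificate Domain: $CDOM, no readable $FC, skipping" >&2
    continue
  fi
  # notAfter of the leaf certificate (-enddate prints only that line).
  exp=$(openssl x509 -enddate -noout -in "$CD/$CDOM/$FC" | sed 's/^notAfter=//')
  off=$(date --date="$exp" --utc +%s) || off=
  if [ -z "$off" ]; then
    # Without a parsable expiry the arithmetic below would fail; report and move on.
    echo "Certificate Domain: $CDOM, could not read expiry date, skipping" >&2
    continue
  fi
  diff=$(( (off - today)/86400 ))
  echo "Certificate Domain: $CDOM, Days to expire: $diff"
  echo ""
  if [ "$diff" -le "$days" ]; then
    # Reload httpd and reinstall the mail certificate only when certbot
    # actually succeeded; a failed renewal must not bounce the mail services.
    if certbot renew --cert-name "$CDOM" --apache --rsa-key-size 2048 --key-type rsa; then
      systemctl reload httpd
      mailcert "$CDOM"
    else
      echo "Certificate Domain: $CDOM, renewal failed" >&2
    fi
  fi
done
exit 0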
Mail server settings
Dovecot
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
Submission
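#!/bin/sh
# Run script for qmail-smtpd on the submission port (587).
# FORCETLS=1 and SMTPAUTH="!" are read by the TLS/AUTH patch this qmail-smtpd
# is built with; presumably they require STARTTLS and authentication — confirm
# against that patch's documentation.
QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
# Refuse to start rather than hand tcpserver an empty -u/-g/-c argument.
if [ -z "$QMAILDUID" ] || [ -z "$NOFILESGID" ] || [ -z "$MAXSMTPD" ]; then
  echo "smtpd-587: cannot determine vpopmail uid/gid or concurrency limit" >&2
  exit 1
fi
export FORCETLS="1"
export SMTPAUTH="!"
# softlimit caps memory; tcpserver: -v verbose, -R no IDENT lookup,
# -H no reverse DNS lookup, -l local name, -x tcprules cdb, -c concurrency,
# -u/-g drop to the vpopmail uid/gid, listen on all addresses, port 587.
exec /usr/bin/softlimit -m 128000000 \
  /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
  "$SMTPD" "$VCHKPW" /bin/true 2>&1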
SMTPS
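#!/bin/sh
# Run script for qmail-smtpd on the SMTPS port (465).
# SMTPS=1, FORCETLS=0 and SMTPAUTH="!+cram" are read by the TLS/AUTH patch this
# qmail-smtpd is built with; presumably implicit TLS on connect with
# authentication required — confirm against that patch's documentation.
QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
# Refuse to start rather than hand tcpserver an empty -u/-g/-c argument.
if [ -z "$QMAILDUID" ] || [ -z "$NOFILESGID" ] || [ -z "$MAXSMTPD" ]; then
  echo "smtpd-465: cannot determine vpopmail uid/gid or concurrency limit" >&2
  exit 1
fi
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"
# softlimit caps memory; tcpserver: -v verbose, -R no IDENT lookup,
# -H no reverse DNS lookup, -l local name, -x tcprules cdb, -c concurrency,
# -u/-g drop to the vpopmail uid/gid, listen on all addresses, port 465.
exec /usr/bin/softlimit -m 128000000 \
  /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
  "$SMTPD" "$VCHKPW" /bin/true 2>&1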