Certificate: Difference between revisions

Security Certificate

To configure a SSL certificate for TLS and/or SSL over SMTP:

1. Abstract: Create Certificate

   Generate key

   Generate signing request

   Sign the key

   Create server certificate

   Set permission

   Set owner

   Copy into place

   Restart services

   1. Self-Signed Certificate

      # openssl genrsa -out x.key 2048

      # openssl req -new -key x.key -out x.csr

      # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt

      # cat x.crt x.key > servercert.pem

      # chmod 644 servercert.pem

      # chown root:qmail servercert.pem

      # cp -p servercert.pem /var/qmail/control

   2. Let's Encrypt (Assumes working web server)

      # yum install python-certbot-apache

      # certbot -apache -d mydomain.com -d mail.mydomain.com

      Add to Apache Virtual

      SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem

      SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

      SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem

      Add to Dovecot

      ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem

      ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

      Add to Qmail

      # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak

      # cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem

      Springdale, Rocky, Alma Linux 9 may need the private key last

      # cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem

      Cron auto renew (script below)

      0 0 * * * /opt/certbot/certbot renew

   3. Application: Godaddy Signed Certificate

      # openssl genrsa -out x.key 2048

      # openssl req -new -key x.key -out x.csr

      Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)

      # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem

      # chmod 644 servercert.pem

      # chown root:qmail servercert.pem

      # cp -p servercert.pem /var/qmail/control

2. Restart Qmail and Dovecot

   # qmailctl stop && sleep 2 && qmailctl start

   # systemctl restart dovecot

   # systemctl restart httpd

mailcert () {
   cat /etc/letsencrypt/live/$1/privkey.pem /etc/letsencrypt/live/$1/fullchain.pem > ./servercert.pem
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp ./servercert.pem  /var/qmail/control/servercert.pem
   systemctl reload dovecot
   qmailctl stop && sleep 2 && qmailctl start
}

LOG=/usr/command/certs/certs.log
days=3

today=`date`
today=`date --date="$today" --utc +%s`
certdir=/etc/letsencrypt/live
certfile=fullchain.pem

for certdom in `ls $certdir`
do
   [ "$certdom" = "README" ] && continue
   exp=`openssl x509 -dates -noout < $certdir/$certdom/$certfile | grep notAfter | sed 's/notAfter=//'`
   off=`date --date="$exp" --utc +%s`
   diff=$(( (off - today)/86400 ))
   echo "Certificate Domain: $certdom, Days to expire: $diff"
   echo ""
   if [ $diff -le $days ]
   then
      certbot renew --cert-name $certdom
      systemctl reload httpd
      mailcert &certdom
   fi
done

exit 0