Certificate: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
Line 79: | Line 79: | ||
certbot renew --cert-name $certdom | certbot renew --cert-name $certdom | ||
systemctl reload httpd | systemctl reload httpd | ||
mailcert | mailcert $certdom | ||
fi | fi | ||
done | done |
Revision as of 10:44, 20 March 2024
Security Certificate
To configure a SSL certificate for TLS and/or SSL over SMTP:
- Abstract: Create Certificate
- Generate key
- Generate signing request
- Sign the key
- Create server certificate
- Set permission
- Set owner
- Copy into place
- Restart services
- Self-Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
- # cat x.crt x.key > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Let's Encrypt (Assumes working web server)
- # yum install python-certbot-apache
- # certbot -apache -d mydomain.com -d mail.mydomain.com
- Add to Apache Virtual
- SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
- Add to Dovecot
- ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
- Add to Qmail
- # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
- # cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
- Springdale, Rocky, Alma Linux 9 may need the private key last
- # cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
- Cron auto renew (script below)
- 0 0 * * * /opt/certbot/certbot renew
- Application: Godaddy Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)
- # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Restart Qmail and Dovecot
- # qmailctl stop && sleep 2 && qmailctl start
- # systemctl restart dovecot
- # systemctl restart httpd
mailcert () { cat /etc/letsencrypt/live/$1/privkey.pem /etc/letsencrypt/live/$1/fullchain.pem > ./servercert.pem cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak cp ./servercert.pem /var/qmail/control/servercert.pem systemctl reload dovecot qmailctl stop && sleep 2 && qmailctl start } LOG=/usr/command/certs/certs.log days=3 today=`date` today=`date --date="$today" --utc +%s` certdir=/etc/letsencrypt/live certfile=fullchain.pem for certdom in `ls $certdir` do [ "$certdom" = "README" ] && continue exp=`openssl x509 -dates -noout < $certdir/$certdom/$certfile | grep notAfter | sed 's/notAfter=//'` off=`date --date="$exp" --utc +%s` diff=$(( (off - today)/86400 )) echo "Certificate Domain: $certdom, Days to expire: $diff" echo "" if [ $diff -le $days ] then certbot renew --cert-name $certdom systemctl reload httpd mailcert $certdom fi done exit 0