
Adding TLS to a server with https://letsencrypt.org/

The host has nothing on port 443, only port 80, and we want to add TLS to Postfix.

This uses the certbot-auto program (in apache mode); notes below (assuming your domain is test.com):

First stop the existing Apache, and start it again once done (the existing Apache is version 1.3.x ....)

/usr/local/apache/bin/apachectl stop

Then run the following to obtain the TLS certificate:

cd /usr/local/sbin/
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto
certbot-auto --apache -d test.com

When done, start the existing Apache again:

/usr/local/apache/bin/apachectl start

Change port 80 to 9999 in the Apache configuration under /etc/httpd (/etc/httpd/conf.d/le-redirect-test.com.conf):

<VirtualHost _default_:9999>
ServerName test.com

ServerSignature Off

RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]

ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
</VirtualHost>

Start the OS's own httpd ...

/etc/init.d/httpd start
chkconfig httpd on

Set up crontab entries to check every Monday at 02:30 whether the TLS certificate can be renewed, renew it if so, and then reload postfix ......

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/httpd reload;/etc/init.d/postfix reload

You can check whether the TLS certificate can be renewed automatically (PS: remember to open port 443 in iptables; otherwise it fails):

/usr/local/sbin/certbot-auto renew
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/test.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/test.com/fullchain.pem (skipped)
No renewals were attempted.

The TLS files to look at:

/etc/pki/tls/cert.pem
/etc/pki/tls/dhparams.pem
/etc/letsencrypt/live/test.com/privkey.pem
/etc/letsencrypt/live/test.com/fullchain.pem

Then add TLS to Postfix (with smtp_tls_security_level = may, clients with or without TLS can all send mail):

# Offer STARTTLS to incoming clients; without this the smtpd_tls_* files below are never used
smtpd_tls_security_level = may
smtpd_tls_dh1024_param_file = /etc/pki/tls/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/test.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/test.com/fullchain.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/test.com/fullchain.pem
# Opportunistic TLS for outgoing mail
smtp_tls_security_level = may
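A check worth running after the Monday 02:35 reload, as an added example that is not part of the original post: it connects to port 25, issues STARTTLS with full chain and host name verification, and reports whether the certificate Postfix actually serves names the host and still has more than the renewal threshold of days left (test.com, port 25 and the 30-day threshold are assumptions; the sample certificate dict is constructed so the logic can be exercised offline).

```python
import smtplib
import ssl
import time

RENEW_THRESHOLD_DAYS = 30  # certbot renews when fewer than about 30 days remain

def days_until_expiry(cert, now_ts=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    now_ts = time.time() if now_ts is None else now_ts
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400

def cert_hostnames(cert):
    """Collect the CN and SAN DNS names from a getpeercert() dict."""
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names.update(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    return names

def evaluate(cert, expected_host, now_ts=None):
    """Return (ok, message); ok is False if the name is wrong or renewal/reload is overdue."""
    names = cert_hostnames(cert)
    if expected_host not in names:
        return False, f"certificate names {sorted(names)} do not include {expected_host}"
    days = days_until_expiry(cert, now_ts)
    if days < RENEW_THRESHOLD_DAYS:
        return False, f"only {days:.1f} days left: renewal or the postfix reload did not run"
    return True, f"{expected_host}: {days:.1f} days left"

def check_starttls(host, port=25, timeout=10):
    """Connect to the MX, STARTTLS with chain and host name verification, evaluate the cert."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, "STARTTLS not advertised (is smtpd_tls_security_level set?)"
        smtp.starttls(context=ctx)
        return evaluate(smtp.sock.getpeercert(), host)

# Constructed sample certificate dict and clock so the check can be exercised offline.
SAMPLE_CERT = {"subject": ((("commonName", "test.com"),),),
               "subjectAltName": (("DNS", "test.com"),),
               "notAfter": "Mar 12 00:00:00 2030 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, "test.com", SAMPLE_NOW))  # offline: (True, 'test.com: 70.0 days left')
    print(check_starttls("test.com"))  # live check against the real server (assumed host name)
```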

PS: Postfix should be set up so that only authenticated accounts can send mail:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client cbl.abuseat.org,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org
Posted by echochio on 痞客邦 (PIXNET)