To enable SSL/TLS, install certbot and have Let's Encrypt issue the SSL/TLS certificate. The steps below are for Ubuntu; certbot lives in the universe repository, which is why it is added first.

# apt-get update
# apt-get install software-properties-common
# add-apt-repository universe
# apt-get update
# apt-get install certbot python3-certbot-apache

Issue the certificate only (certonly); the Apache configuration is edited by hand further down instead of letting the apache plugin rewrite it. The webroot authenticator is chosen so that the http-01 challenge file is placed under the DocumentRoot Apache already serves and no listener has to be stopped. The transcript below was captured against an already-issued certificate with --dry-run, hence the "simulating renewal" lines.

# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): moon-forest.com
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for moon-forest.com
Input the webroot for moon-forest.com: (Enter 'c' to cancel): /var/www/wordpress
Waiting for verification...
Cleaning up challenges

Change the apache2 site configuration as follows: the :80 virtual host redirects both hostnames to HTTPS, and the :443 virtual host serves WordPress with the Let's Encrypt certificate.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =moon-forest.com [OR]
        RewriteCond %{SERVER_NAME} =craft.moon-forest.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/wordpress

        ServerName moon-forest.com
        ServerAlias craft.moon-forest.com
        <Directory /var/www/wordpress>
                Options +FollowSymlinks
                AllowOverride All
                Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/moon-forest.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/moon-forest.com/privkey.pem
        # Redundant once SSLCertificateFile points at fullchain.pem (the chain is
        # already included); SSLCertificateChainFile is deprecated since Apache 2.4.8.
        SSLCertificateChainFile /etc/letsencrypt/live/moon-forest.com/chain.pem
</VirtualHost>

smtps was not enabled in postfix, so uncomment and adjust the following lines in master.cf. This opens port 465 in TLS wrapper mode (implicit TLS), turns on SASL authentication for it, and limits relaying through that port to authenticated clients.

smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Add the following lines to main.cf. Two things to check here: the certificate path points at a lineage named allmysites, while the Apache and Dovecot settings use /etc/letsencrypt/live/moon-forest.com, so make sure the name matches the lineage certbot actually created; and smtpd_tls_cert_file should reference fullchain.pem rather than cert.pem, because cert.pem holds only the leaf certificate and clients that do not already have the intermediate will fail to verify the chain. smtpd_use_tls is obsolete since Postfix 2.3 and is superseded by smtpd_tls_security_level.

smtpd_use_tls = yes
smtpd_tls_security_level = may
# Should be fullchain.pem (leaf + intermediate); cert.pem alone omits the chain.
smtpd_tls_cert_file = /etc/letsencrypt/live/allmysites/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/allmysites/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
#
tls_random_source = dev:/dev/urandom
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

For dovecot, edit conf.d/10-master.conf to enable POP3S and IMAPS (implicit TLS on ports 993 and 995).

service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

Edit conf.d/10-ssl.conf to set the certificate and key. The leading < tells Dovecot to read the file contents; Dovecot opens these files as root before dropping privileges, so privkey.pem can stay readable by root only.

ssl_cert = </etc/letsencrypt/live/moon-forest.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/moon-forest.com/privkey.pem
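Before pointing apache2, postfix and dovecot at the lineage, it is worth checking the files themselves. The script below is an added example and not part of the original post: it counts the certificates in cert.pem and fullchain.pem (only the latter carries the intermediate that clients need, which is the trap in the main.cf settings above), and confirms that privkey.pem belongs to cert.pem by comparing the public keys extracted with openssl. The script name and the lineage-directory argument are assumptions.

```shell
#!/bin/sh
# check-lineage.sh (hypothetical name): sanity-check a certbot lineage directory
# before pointing daemons at it. Added example, not the original post's code.
# Usage: sh check-lineage.sh /etc/letsencrypt/live/moon-forest.com

# Number of certificates in a PEM bundle; prints 0 for a missing/unreadable file.
# cert.pem holds exactly one (the leaf); fullchain.pem holds the leaf plus the
# intermediate(s) a client needs to build a path to a trusted root.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if the bundle carries at least one intermediate alongside the leaf.
has_chain() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# 0 if the private key belongs to the certificate: the public key derived from
# each must be identical (works for RSA and ECDSA keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks on a live/<name> directory; one line per finding, non-zero on any problem.
check_lineage() {
    dir=${1%/}
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    if has_chain "$dir/fullchain.pem"; then
        echo "ok: fullchain.pem contains $(pem_cert_count "$dir/fullchain.pem") certificates"
    else
        echo "warn: fullchain.pem has no intermediate; clients may fail to verify"; rc=1
    fi
    if [ "$(pem_cert_count "$dir/cert.pem")" -ne 1 ]; then
        echo "warn: cert.pem should hold only the leaf certificate"; rc=1
    fi
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok: privkey.pem matches cert.pem"
    else
        echo "error: privkey.pem does not match cert.pem"; rc=1
    fi
    return $rc
}

# Run the checks when a lineage directory is given on the command line.
if [ "$#" -eq 1 ]; then
    check_lineage "$1"
fi
```

Run it as root (privkey.pem is mode 0600) against each lineage a daemon will use; any "warn" or "error" line means the configuration that follows would serve an incomplete chain or a mismatched key.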

Under /etc/letsencrypt/renewal-hooks/deploy, create a script (any name will do) that performs the post-renewal work. It must be executable (chmod +x); certbot runs it once per certificate that was actually renewed, with RENEWED_LINEAGE and RENEWED_DOMAINS exported into its environment.

#!/bin/sh
service apache2 reload
service dovecot reload
service postfix reload
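The three-line hook above reloads everything unconditionally. The script below is an added example, not the original post's hook: it reloads only the daemons that use the renewed lineage, and only after each daemon's own configuration test passes, so a bad file never takes a running service down. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks; the file name, and the assumption that only the moon-forest.com lineage is used by postfix and dovecot, are mine.

```shell
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (hypothetical name).
# Added example, not the original post's script. certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/moon-forest.com) and
# RENEWED_DOMAINS (space-separated) when it runs a deploy hook.

# Map a lineage directory to the services that serve its certificate.
# Assumption: only the moon-forest.com lineage is used by postfix and dovecot.
services_for_lineage() {
    case "${1%/}" in
        */live/moon-forest.com) echo "apache2 postfix dovecot" ;;
        *)                      echo "apache2" ;;
    esac
}

# Return 0 if the service's configuration passes its own consistency check.
config_ok() {
    case "$1" in
        apache2) apachectl configtest >/dev/null 2>&1 ;;
        postfix) postfix check        >/dev/null 2>&1 ;;
        dovecot) doveconf -n          >/dev/null 2>&1 ;;
        *)       return 1 ;;
    esac
}

# Reload each named service whose config test passes; report the rest.
# Returns 1 if any service was skipped or failed to reload.
reload_services() {
    status=0
    for svc in $1; do
        if config_ok "$svc"; then
            systemctl reload "$svc" || { echo "deploy-hook: reload of $svc failed" >&2; status=1; }
        else
            echo "deploy-hook: $svc config test failed, not reloading" >&2
            status=1
        fi
    done
    return $status
}

# Only act when invoked by certbot (which sets RENEWED_LINEAGE); otherwise the
# file merely defines the functions above.
if [ -n "$RENEWED_LINEAGE" ]; then
    echo "deploy-hook: renewed $RENEWED_DOMAINS in $RENEWED_LINEAGE"
    reload_services "$(services_for_lineage "$RENEWED_LINEAGE")"
fi
```

A non-zero exit from the hook is recorded in /var/log/letsencrypt/letsencrypt.log, so a skipped reload is visible at the next check rather than silently leaving an expired certificate in memory.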

Do a dry run with the following command to confirm that renewal actually works; if it succeeds, drop --dry-run and schedule the renewal in cron. A few caveats: certbot stores the authenticator and webroot used at issuance in /etc/letsencrypt/renewal/moon-forest.com.conf, so `certbot renew` needs no --webroot-path at all, and if one is passed it overrides the stored value for every lineage, so it must be the directory Apache really serves http://moon-forest.com/.well-known/acme-challenge/ from (issuance above used /var/www/wordpress, not /var/www). --dry-run does not run deploy hooks, so the reload script is only exercised by a real renewal. And the Debian/Ubuntu certbot package already installs a cron job (/etc/cron.d/certbot) and a systemd timer that run `certbot renew` periodically, so an additional cron entry is usually unnecessary.

# certbot --dry-run renew --webroot-path=/var/www