SSL/TLS support
To add SSL/TLS support, install certbot and have Let's Encrypt issue the SSL/TLS certificate.
# apt-get update
# apt-get install software-properties-common
# add-apt-repository universe
# apt-get update
# apt-get install certbot python3-certbot-apache
Issue the certificate only (certonly), without letting certbot edit the Apache configuration; the vhost is changed by hand below. The transcript that follows was captured from a later dry run against an already-issued certificate, which is why certbot reports "simulating renewal"; on first issuance it performs the http-01 challenge for real, so the webroot entered here must be the directory Apache actually serves for the domain.
# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): moon-forest.com
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for moon-forest.com
Input the webroot for moon-forest.com: (Enter 'c' to cancel): /var/www/wordpress
Waiting for verification...
Cleaning up challenges
Change the apache2 site configuration as follows. The angle-bracket container lines were lost when the page was exported and are restored here; the Directory path is assumed to be the DocumentRoot. One check before reloading: the :443 vhost also answers for craft.moon-forest.com, but only moon-forest.com was entered at issuance, so unless that name was added as a SAN, clients connecting to craft.moon-forest.com will see a name mismatch (certbot certificates lists the names each lineage covers).
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Redirect every plain-HTTP request for either name to HTTPS
    # (NE keeps the encoded URI intact, END stops further rewriting, 301 is cacheable)
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =moon-forest.com [OR]
    RewriteCond %{SERVER_NAME} =craft.moon-forest.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress
    ServerName moon-forest.com
    ServerAlias craft.moon-forest.com
    # Directory path assumed (container stripped in the page export)
    <Directory /var/www/wordpress>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # certbot's protocol and cipher settings
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/moon-forest.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/moon-forest.com/privkey.pem
    # Redundant on Apache 2.4.8+ because fullchain.pem already carries the intermediate
    SSLCertificateChainFile /etc/letsencrypt/live/moon-forest.com/chain.pem
</VirtualHost>
Postfix did not have smtps (implicit TLS on port 465) enabled, so uncomment and edit the following lines in master.cf. Only this wrapper-mode port has SASL authentication turned on, and its recipient restrictions permit relaying for authenticated clients only, so credentials never cross the wire in cleartext and the port cannot be used as an open relay.
smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
Add the following lines to main.cf. Note that the lineage name used here (allmysites) differs from the moon-forest.com lineage used by Apache and Dovecot; it must match a directory that exists under /etc/letsencrypt/live.
# smtpd_use_tls is the pre-2.3 setting; smtpd_tls_security_level below supersedes it
smtpd_use_tls = yes
# "may" = opportunistic STARTTLS on port 25 (remote MTAs without TLS can still deliver)
smtpd_tls_security_level = may
# Postfix wants the leaf followed by its intermediates in one file, i.e. fullchain.pem;
# the page originally pointed at cert.pem (leaf only), which leaves clients unable
# to build the chain unless they already have the intermediate cached
smtpd_tls_cert_file = /etc/letsencrypt/live/allmysites/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/allmysites/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
# tls_random_source = dev:/dev/urandom
# outbound delivery: also opportunistic
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
For Dovecot, edit 10-master.conf to enable POP3S and IMAPS.
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
Edit 10-ssl.conf to point at the certificate and key. The leading < tells Dovecot to read the file; fullchain.pem is the right choice, since Dovecot sends the whole file as the chain. Setting ssl = required in the same file makes Dovecot refuse logins on the plaintext ports 143 and 110 unless STARTTLS has been negotiated first.
ssl_cert = </etc/letsencrypt/live/moon-forest.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/moon-forest.com/privkey.pem
Under /etc/letsencrypt/renewal-hooks/deploy, create a script with any name you like that does the post-renewal work. Certbot runs every executable in that directory once for each lineage that was actually renewed (not when nothing was due, and not on a --dry-run), exporting the renewed lineage's path as RENEWED_LINEAGE, so the script must be marked executable (chmod +x). Without it the daemons keep serving the old certificate until their next restart, which is the usual cause of "renewed but still expired" reports.
#!/bin/sh
# Reload rather than restart so in-flight connections survive; each daemon
# re-reads the files under /etc/letsencrypt/live on reload.
service apache2 reload
service dovecot reload
service postfix reload
Do a dry run with the following command to confirm that renewal goes through; once it does, drop --dry-run and schedule it in cron. Two things to check first. The webroot passed on the renew command line overrides the one stored in the renewal config, and /var/www is not the /var/www/wordpress entered at issuance; it has to be a directory Apache actually serves for the domain, or the http-01 challenge file will not be reachable. Also, the Ubuntu certbot package already installs certbot.timer (and /etc/cron.d/certbot) that runs renew twice a day, so check systemctl list-timers certbot.timer before adding a second schedule.
# certbot --dry-run renew --webroot-path=/var/www
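After a renewal (or right after the hand edits above), it is worth confirming that every daemon really serves the new certificate with its intermediate, rather than trusting the reload. The following is an added example written for this page, not code from the original post: it handshakes on the implicit-TLS ports set up above (443, the smtps wrapper port 465, IMAPS 993, POP3S 995), does the EHLO/STARTTLS exchange on port 25, verifies each chain against the system trust store and reports the remaining validity. The host name moon-forest.com, the port numbers and the 30-day warning threshold (certbot's default renewal window) are assumptions taken from the page's configuration.

```python
"""TLS endpoint audit for the Apache/Postfix/Dovecot setup described above.
Added example (not from the original post). Host, ports and thresholds are
assumptions; pass a different host as argv[1] to audit another server."""
import socket
import ssl
import sys
from datetime import datetime, timezone

HOST = "moon-forest.com"      # assumed: the domain used throughout the page
IMPLICIT_TLS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}
STARTTLS_SMTP = {25: "smtp"}
WARN_DAYS = 30                # certbot renews 30 days out; fewer means the hook did not fire
TIMEOUT = 10


def days_until_expiry(cert, now=None):
    """Whole days left on a cert dict as returned by SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expires - now) // 86400)


def covers_host(cert, host):
    """True if host is among the SAN DNS names or the subject CN (exact match, no wildcards)."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return host in names


def assess(cert, host, now=None, warn_days=WARN_DAYS):
    """Judge a certificate that already passed chain verification: returns (ok, message)."""
    if not covers_host(cert, host):
        return False, f"certificate does not name {host}"
    days = days_until_expiry(cert, now)
    if days < 0:
        return False, f"expired {-days} days ago"
    if days < warn_days:
        return False, f"only {days} days left; renewal or the deploy hook did not run"
    return True, f"valid for {days} more days"


def parse_ehlo(response):
    """Extract the EHLO keywords (upper-cased) from a raw multi-line 250 reply."""
    keywords = set()
    for line in response.decode("ascii", "replace").splitlines():
        if line.startswith("250") and len(line) > 4:
            keywords.add(line[4:].split(" ")[0].upper())
    return keywords


def fetch_implicit_tls(host, port, ctx):
    """Handshake immediately (HTTPS, smtps wrapper mode, IMAPS, POP3S); return the peer cert."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_starttls_smtp(host, port, ctx):
    """Opportunistic TLS on port 25: read the banner, EHLO, STARTTLS, then handshake."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
        raw.recv(4096)                                    # 220 greeting
        raw.sendall(b"EHLO audit.invalid\r\n")
        if "STARTTLS" not in parse_ehlo(raw.recv(4096)):  # assumes the reply fits one read
            raise RuntimeError("STARTTLS not offered (smtpd_tls_security_level unset?)")
        raw.sendall(b"STARTTLS\r\n")
        if not raw.recv(4096).startswith(b"220"):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
            return cert


def audit(host=HOST):
    """Probe every configured port; returns {service: (ok, message)}. Needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain against system roots and checks the hostname
    results = {}
    probes = [(p, n, fetch_implicit_tls) for p, n in IMPLICIT_TLS.items()]
    probes += [(p, n, fetch_starttls_smtp) for p, n in STARTTLS_SMTP.items()]
    for port, name, fetch in probes:
        try:
            results[name] = assess(fetch(host, port, ctx), host)
        except (OSError, RuntimeError) as exc:  # ssl.SSLError is an OSError subclass
            results[name] = (False, f"{type(exc).__name__}: {exc}")
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    failed = False
    for name, (ok, message) in audit(target).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name:6s} {message}")
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

Run it from a machine outside the server after each renewal (or from the deploy hook itself, after the reloads). A FAIL with a certificate-verify error on exactly one service usually means that daemon was pointed at cert.pem instead of fullchain.pem or was never reloaded; a warning of fewer than 30 days on all services means certbot itself is not running.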