Web Certificate
Table of Contents
- Let's Encrypt - Certificate Authority (CA)
- Certbot - Certificate Robot
- Apache - Web Server for Nextcloud
- Dovecot - Server for E-Mail Clients
- Matrix - Messaging Server
- Verify Certificate
- Continue
Web (TLS) certificates let a client verify which server it is talking to and set up an encrypted connection, so messages sent over the public internet cannot be read by anyone in between.
Let's Encrypt - Certificate Authority (CA)
Let's Encrypt offers free SSL/TLS certificates valid for 90 days, so you can serve https:// (encrypted) instead of http:// plain text over the internet. Certbot is used to obtain and renew certificates from the Let's Encrypt CA.
Reference: https://letsencrypt.org/
Certbot - Certificate Robot
Certbot is a systemd service plus command-line software that watches for expiring certificates and notifies you by E-Mail. Other pieces let you perform a dry-run of the certificate update, and then perform the actual update along with any configuration changes in your Apache or Nginx web server.
Reference: https://certbot.eff.org/
Install
sudo apt-get install certbot
Configure
Get a certificate and update the apache configuration.
Just follow the prompts, entering your host + domain name.
Instructions: https://certbot.eff.org/instructions
sudo certbot --apache
Schedule
The install creates a systemd timer to check for expiration and hopefully e-mail you a warning 30 days in advance of your 90 day certificate expiring.
$ sudo systemctl list-timers | grep certbot
Mon 2022-08-29 15:46:31 EDT 4h 16min left Mon 2022-08-29 06:38:15 EDT 4h 52min ago certbot.timer certbot.service
Renewal is done on web host
I wrapped the certbot updater into a script to remind me of the various steps and places the certificate is used. I do not open port 80, and I block malicious hosts, so I disable both for a few minutes while the update occurs.
File: ~/linux/certbot.sh
#!/bin/bash
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
echo "REMINDER: Open port 80 on ROUTER first!"
read ans
#
#---------------------------------------------
# Disable firewall
#---------------------------------------------
#
echo "Disabling firewall"
sudo ufw disable
#
#---------------------------------------------
# Automatic renewal
#---------------------------------------------
#
read -p "Dry-run [y]: " reply
reply=${reply:-y}
echo $reply
if [[ $reply == "y" ]]; then
sudo certbot renew --expand --dry-run
else
sudo certbot renew --expand
fi
#
#---------------------------------------------
# Check certbot service timer is running
#---------------------------------------------
#
sudo systemctl list-timers|grep certbot
##NEXT LEFT LAST PASSED UNIT
##Sat 2019-12-28 13:31:07 EST 7h left Sat 2019-12-28 01:26:25 EST 4h 37min ago certbot.timer
#
#---------------------------------------------
# Enable firewall
#---------------------------------------------
#
echo "Enabling firewall"
sudo ufw enable
#
#---------------------------------------------
# Copy to the mail host for its dovecot (e-mail) service
#---------------------------------------------
#
read -p "copy to mail [y]: " reply
reply=${reply:-y}
echo $reply
if [[ $reply == "y" ]]; then
./copy-cert-to-mail.sh
fi
#
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
echo "REMINDER: Close port 80 on ROUTER now!"
read ans
#
#---------------------------------------------
# Restart matrix-synapse to pick up new certs
#---------------------------------------------
#
echo "NOTE: Restarting matrix-synapse service"
sudo systemctl restart matrix-synapse
#
Apache - Web Server for Nextcloud
Certbot will probably add the SSLCertificateFile and SSLCertificateKeyFile lines to the Apache virtual host entry.
Check that a Strict-Transport-Security header is set, so that browsers which have seen it use https:// only and do not fall back to http://. The max-age[1] value is how long, in seconds, the browser caches that policy; 31536000 seconds is 365 days, after which the cached policy expires. Adjust if desired.
File: /etc/apache2/sites-enabled/nextcloud.conf
~
# Don - begin
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"
SSLEngine on
# Don certbot
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
~
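The header above is easy to get subtly wrong (a typo in the directive name, a max-age in days instead of seconds), and Apache will not complain. The following is an added example, not from the book, that checks a Strict-Transport-Security value the way you would after a certbot run: it pulls the header out of captured response headers (for example the output of `curl -sI https://www.example.com`, with a constructed sample embedded here), parses the directive list, and requires the book's 31536000-second max-age plus includeSubDomains. The minimum age and the WARN/FAIL wording are my assumptions.

```shell
#!/bin/bash
# Added example (not part of the book): validate an HSTS header value.
# HSTS_MIN_AGE is the book's 31536000 seconds (365 days); tune if you use another value.
HSTS_MIN_AGE=31536000

# hsts_value RAW_HEADERS -> prints the Strict-Transport-Security value (header name is
# matched case-insensitively, CR characters from the wire are stripped).
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': ' 'tolower($1)=="strict-transport-security" {print $2}'
}

# check_hsts VALUE -> prints OK or a reason; returns 0 only on OK.
check_hsts() {
    value="$1"
    max_age=""
    subdomains=no
    # Split the directive list on ';' (directives are case-insensitive, so lower-case them).
    old_ifs="$IFS"; IFS=';'
    for token in $value; do
        token="$(printf '%s' "$token" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')"
        case "$token" in
            "") ;;                                   # empty token, e.g. from a trailing ';'
            max-age=*) max_age="${token#max-age=}" ;;
            includesubdomains) subdomains=yes ;;
            preload) ;;                              # allowed, not required here
            *) IFS="$old_ifs"; echo "FAIL: unknown directive '$token'"; return 1 ;;
        esac
    done
    IFS="$old_ifs"
    case "$max_age" in
        ''|*[!0-9]*) echo "FAIL: max-age missing or not a number"; return 1 ;;
    esac
    if [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
        echo "FAIL: max-age $max_age is below $HSTS_MIN_AGE seconds"; return 1
    fi
    if [ "$subdomains" != yes ]; then
        echo "WARN: includeSubDomains not set"; return 1
    fi
    echo OK
}

# Constructed sample of what `curl -sI https://www.example.com` might return.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Content-Type: text/html'

check_hsts "$(hsts_value "$SAMPLE_HEADERS")"
```

Against a live host, replace SAMPLE_HEADERS with `"$(curl -sI https://www.example.com)"`. The trailing `;` in the book's header value is tolerated by browsers and by this parser; `max-age=365` (days instead of seconds) or `includeSubdomain` (misspelt) would both be reported.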
Dovecot - Server for E-Mail Clients
If you have the Dovecot server for E-Mail clients installed, this enables IMAPS, Internet Message Access Protocol Secure: basically SSL/TLS for E-Mail, so mailbox traffic is encrypted over the network.
File: /etc/dovecot/conf.d/10-ssl.conf
~
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Don - begin
#ssl_cert = </etc/dovecot/private/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
# Don - end
~
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
~
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
Matrix - Messaging Server
If you have the Matrix messaging server installed, this allows secure communication to clients.
File: /etc/matrix-synapse/homeserver.yaml
grep letsencrypt /etc/matrix-synapse/homeserver.yaml
tls_certificate_path: "/etc/letsencrypt/live/example.com/fullchain.pem"
tls_private_key_path: "/etc/letsencrypt/live/example.com/privkey.pem"
Verify Certificate
This script is good to run before and after the certbot update to view the begin/end validity dates of your certificate. It confirms that the update went well and that the certificates are in the expected locations.
File: ~/linux/cert_expire.sh
#!/bin/bash
# ----------------------------------------------------------------------
#
# File: cert_expire.sh
#
# Purpose: See what the expiration date is for Let's Encrypt Certificate
#
#
# s_client : The s_client command implements a generic SSL/TLS client
# which connects to a remote host using SSL/TLS.
# -servername $DOM : Set the TLS SNI (Server Name Indication) extension
# in the ClientHello message to the given value.
# -connect $DOM:$PORT : This specifies the host ($DOM) and optional
# port ($PORT) to connect to.
# </dev/null : Closes s_client's standard input so it exits after the
# handshake instead of waiting for you to press CTRL-C.
# x509 : Run certificate display and signing utility.
# -noout : Prevents output of the encoded version of the certificate.
# -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
#
# Don Cohoon - Jan 2023
# ----------------------------------------------------------------------
#
#
if [ $# -gt 0 ]; then
  A=${1}
else
  echo "1) E-Mail"
  echo "2) File"
  echo "3) Web"
  echo "4) Local"
  read -p "Choice: " A
fi
case ${A}
in
  1)
    echo "REMINDER: Restart dovecot to enable new certs"
    echo "=> E-Mail Certificate"
    openssl s_client -connect mail.example.com:25 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  2)
    echo "=> File Certificate"
    sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem
    ;;
  3)
    echo "REMINDER: Restart apache2 and nginx to enable new certs"
    echo "=> www.example.com Certificate"
    openssl s_client -servername example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  4)
    echo "REMINDER: Restart apache2 and nginx to enable new certs"
    echo "=> Local Web Certificate"
    openssl s_client -connect localhost:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  *)
    echo "Unknown choice: ${A}" >&2
    exit 1
    ;;
esac
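Reading the notAfter date by eye works, but a script can also tell you whether you are already inside the 30-day window in which certbot.timer renews (see the Schedule section). The following is an added example, not from the book, that takes the `notAfter=...` line produced by `openssl x509 -enddate -noout` (or the second line of `-dates`), works out the whole days remaining, and reports EXPIRED, RENEW or OK. It assumes GNU date (`date -d`, as on Debian/Ubuntu); the RENEW_WINDOW_DAYS value and the sample date are constructed for the illustration.

```shell
#!/bin/bash
# Added example (not part of the book): days left on a certificate from openssl's
# "notAfter=..." output, and whether it is inside certbot's 30-day renewal window.
# Assumes GNU date -d (Debian/Ubuntu).
RENEW_WINDOW_DAYS=30

# cert_days_left ENDDATE_LINE [NOW]
#   ENDDATE_LINE: e.g. "notAfter=Mar 29 12:00:00 2024 GMT" (the prefix is optional)
#   NOW: reference time understood by date -d; defaults to the current time
# Prints whole days remaining, truncated toward zero (negative once expired).
cert_days_left() {
    end="${1#notAfter=}"
    now="${2:-now}"
    end_s="$(date -u -d "$end" +%s)" || return 2
    now_s="$(date -u -d "$now" +%s)" || return 2
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_status ENDDATE_LINE [NOW] -> prints EXPIRED, RENEW or OK with the day count
cert_status() {
    days="$(cert_days_left "$1" "$2")" || return 2
    if [ "$days" -lt 0 ]; then
        echo "EXPIRED ($days days)"
    elif [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "RENEW ($days days left)"
    else
        echo "OK ($days days left)"
    fi
}

# Against a live server or the file, the same way cert_expire.sh reads them:
#   cert_status "$(openssl s_client -servername example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate)"
#   cert_status "$(sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem)"
# Constructed sample, as if checked on 1 March 2024 (28 days before expiry):
SAMPLE_END="notAfter=Mar 29 12:00:00 2024 GMT"
cert_status "$SAMPLE_END" "2024-03-01 12:00:00 UTC"
```

Run it from cron or after the renewal script; a RENEW or EXPIRED result after `certbot renew` means the web server is still serving the old certificate and needs the restart the reminders above mention.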
Continue
Now that you have set up a certificate for your new server, consider installing some Network Attached Storage.
Proceed in the order presented; some things depend on prior setups.
Book Last Updated: 29-March-2024
Web Secure Socket Layer (SSL) Certificate - Linux in the House - https://linux-in-the-house.org