SSL certificate generation
Install the Let's Encrypt client
Let's Encrypt offers free SSL certificates for use in HTTPS and similar services (such as IMAP and SMTP over TLS).
The first thing to do is install the Let's Encrypt client on the server.
Get certificates from Let's Encrypt
This is a bit chicken-and-egg. First, you need to create the non-HTTPS virtual sites for all the domains you want to serve. You can then use the Apache plugin for the Let's Encrypt client (certbot) to fetch and install the certificates. Then you can go back and fix the various certificate settings in the virtual host conf files.
If you have any existing web server running, turn it off for the first creation of certificates.
Get the certificates from:
root@server:# certbot --apache -d domain.tld -d www.domain.tld
root@server:# certbot --apache -d other.domain.tld -d www.other.domain.tld -d other1.domain.tld -d www.other1.domain.tld
root@server:# certbot --apache -d webmail.domain.tld -d mail.domain.tld -d imap.domain.tld
Each command creates a single certificate whose Subject Alternative Names cover all the domains specified in that command. The certificates are created in /etc/letsencrypt/live/domain.tld and so on, one directory for each certificate obtained.
Note that I've also got a certificate for my mail servers, used for IMAP and SMTP over TLS.
If you use the --apache option in the command, it will automatically add the certificate settings to the website config files. If you do that, note that every domain listed in all the requests must be explicitly listed as a ServerName or ServerAlias in an Apache conf file, and that no Apache conf file can contain more than one VirtualHost section on port 443.
Certificates will expire in about 90 days, but Certbot will automatically renew them before that. You can test renewal with this command:
root@ogedei:~# certbot renew --dry-run
and check the SystemD timer with
root@ogedei:~# systemctl list-timers
Extend the domains of a certificate
If you want to add additional domains to an existing certificate, you need the --cert-name option and must list all the domains for the certificate:
root@server:~# certbot certonly --cert-name domain.tld -d domain.tld,www.domain.tld,other.domain.tld
root@server:~# systemctl reload apache2.service
Domains not listed in the certbot --cert-name command will be removed from the certificate. Note that you need to include the original domain.tld certificate name in the certificate expansion command. Luckily, certbot asks you to confirm changes before making them.
Check the contents of a certificate
If you want to see what certificates you have, use `certbot`:
root@server:~# certbot certificates
If you want to check the contents of a certificate, use this command:
root@server:~# openssl x509 -in /etc/letsencrypt/live/domain.tld/cert.pem -text
The areas of interest are likely to be the Validity section, which gives the date range during which the certificate is valid, and the X509v3 Subject Alternative Name section, which lists the domains for which the certificate is valid.
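As an added example (not part of the original page), a small POSIX shell script that checks those two sections, expiry and SAN coverage, with openssl rather than reading the -text dump by eye; it also catches the case above where a name left off a --cert-name run silently drops out of the certificate. It generates a throwaway self-signed certificate as constructed sample input, so the path and domain names are placeholders, and it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original page: check a certificate's expiry and
# SAN coverage with openssl(1) instead of reading the -text dump by eye.
# Assumes openssl 1.1.1+ (for -addext); domain names and paths are constructed.

# Print the DNS names from the X509v3 Subject Alternative Name extension,
# one per line (the -text dump puts them on the line after the heading).
san_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the certificate stays valid for at least $2 more days;
# 30 is the window certbot uses when deciding whether a renewal is due.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Succeed only if every name given after the file is in the SAN list; a name
# left off a --cert-name run disappears from the certificate and fails here.
covers_names() {
    cert=$1; shift
    names=$(san_dns_names "$cert")
    for n in "$@"; do
        printf '%s\n' "$names" | grep -qx "$n" || return 1
    done
    return 0
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# /etc/letsencrypt/live/domain.tld/cert.pem, valid 30 days with two SAN names.
make_sample_cert() {
    dir=${TMPDIR:-/tmp}/certcheck.$$
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
        -subj '/CN=domain.tld' \
        -addext 'subjectAltName=DNS:domain.tld,DNS:www.domain.tld' \
        >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Stand-alone run: report on the sample certificate.
cert=$(make_sample_cert)
echo "SAN names:"; san_dns_names "$cert"
valid_for_days "$cert" 20 && echo "valid for 20+ days" || echo "renewal due"
covers_names "$cert" domain.tld www.domain.tld && echo "covers both names" \
    || echo "a name is missing"
```

Point the functions at /etc/letsencrypt/live/<name>/cert.pem instead of the sample to check a real certificate after a --cert-name change.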
See also
Read the old instructions for Self-signed SSL certificate generation.