SSL certificate generation

From Smith family

Install the Let's Encrypt client

Let's Encrypt offers free SSL certificates for use with HTTPS and similar TLS-protected services (such as IMAP and SMTP over TLS).

The first thing to do is install the Let's Encrypt client on the server.

Get certificates from Let's Encrypt

This is a bit of a chicken-and-egg problem. First, create the plain-HTTP (non-HTTPS) virtual hosts for all the domains you want to serve. You can then use the Apache plugin of the Let's Encrypt client to fetch and install the certificates. Finally, go back and fix the certificate settings in the virtual host conf files.

If you already have another web server running, turn it off for the first creation of certificates.

Get the certificates from:

root@server:# certbot --apache -d domain.tld -d www.domain.tld
root@server:# certbot --apache -d other.domain.tld -d www.other.domain.tld -d other1.domain.tld -d www.other1.domain.tld
root@server:# certbot --apache -d webmail.domain.tld -d mail.domain.tld -d imap.domain.tld

Each command creates a single certificate covering all the domains listed in that command (as Subject Alternative Names). The certificates are stored under /etc/letsencrypt/live/domain.tld and so on, one directory per certificate obtained.

Note that I've also got a certificate for my mail servers, used for IMAP and SMTP over TLS.

If you use the --apache option, certbot automatically adds the certificate settings to the website config files. In that case, every domain listed in any of the requests must appear explicitly as a ServerName or ServerAlias in an Apache conf file, and no Apache conf file may contain more than one VirtualHost section on port 443.

Extend the domains of a certificate

If you want to add domains to an existing certificate, use the --cert-name option and list all the domains the certificate should cover:

root@server:~# certbot certonly --cert-name domain.tld -d domain.tld,www.domain.tld,other.domain.tld
root@server:~# systemctl reload apache2.service

Any domain not listed in the certbot --cert-name command is removed from the certificate.

Note that you need to give the original certificate name (domain.tld) with --cert-name in the expansion command. Luckily, certbot asks you to confirm the changes before applying them.

Check the contents of a certificate

To see which certificates you have, use `certbot`:

root@server:~# certbot certificates

If you want to check the contents of a certificate, use this command:

root@server:~# openssl x509 -in /etc/letsencrypt/live/domain.tld/cert.pem -text

The sections of most interest are Validity, which gives the date range during which the certificate is valid, and X509v3 Subject Alternative Name, which lists the domains the certificate covers.
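To automate the two checks just described (remaining validity and SAN coverage), here is an added example script; it is not part of the original page and assumes the openssl CLI, version 1.1.1 or later, because the throwaway sample certificate it builds uses -addext.

```shell
#!/bin/sh
# Added example (not from the original page): check a certificate's remaining
# validity and whether its Subject Alternative Names cover the expected domains.
# Assumes the openssl CLI (1.1.1 or later, for -addext in the sample cert).

# Succeed (exit 0) if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Print the DNS names from the X509v3 Subject Alternative Name section, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if every domain given after the certificate file is in the SAN list.
cert_covers() {
    cert=$1; shift
    names=$(cert_san_names "$cert")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$want" || return 1
    done
    return 0
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# /etc/letsencrypt/live/domain.tld/cert.pem. Writes the cert to $1 and the key to $1.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
      -days 30 -subj '/CN=domain.tld' \
      -addext 'subjectAltName=DNS:domain.tld,DNS:www.domain.tld' >/dev/null 2>&1
}

# Usage on a real server, e.g. from a daily cron job:
#   cert_covers /etc/letsencrypt/live/domain.tld/cert.pem domain.tld www.domain.tld
#   cert_valid_for_days /etc/letsencrypt/live/domain.tld/cert.pem 14
```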

Automatically update certificates

Create the file /etc/cron.daily/letsencrypt-renew:

#!/bin/sh
# Renew any Let's Encrypt certificates that are due. certbot only renews
# certificates close to expiry, so running this daily is safe.
/usr/bin/certbot renew

# Reload the services that use the certificates so they pick up the new files.
systemctl reload apache2.service
systemctl reload dovecot.service
systemctl reload postfix.service

Make it executable:

root@server:# chmod +x /etc/cron.daily/letsencrypt-renew

See also

Read the old instructions for Self-signed SSL certificate generation.