{"id":125,"date":"2019-06-02T15:44:21","date_gmt":"2019-06-02T14:44:21","guid":{"rendered":"https:\/\/blog.inplico.uk\/?p=125"},"modified":"2023-06-15T21:57:57","modified_gmt":"2023-06-15T20:57:57","slug":"ssl-certificates","status":"publish","type":"post","link":"https:\/\/blog.inplico.uk\/?p=125","title":{"rendered":"SSL Certificates"},"content":{"rendered":"<p><span style=\"color: #000000;\">Since this page was originally written certbot has improved significantly, to the point where you should be able to use it straight out of the box.\u00a0 The information below the warning has been left here to help with troubleshooting if you run into difficulties; if you install certbot with apt you should not have any problems.<\/span><\/p>\n<p><strong>Multiple sites served by the same certificate<\/strong><\/p>\n<p>If you want to have multiple sites served by the same certificate (usually for &#8220;mydomain.com&#8221; and &#8220;www.mydomain.com&#8221;, for example) then you can expand the certificate by running the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">certbot --expand -d mydomain.com,www.mydomain.com<\/pre>\n<p>You can add as many subdomains as you like; just separate each with a comma (,).<\/p>\n<p>To check the certificate afterwards just run:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">certbot certificates<\/pre>\n<p>and check the results.<\/p>\n<p><strong>NOTE:<\/strong>\u00a0 <em>You will almost certainly need to have a parent and www subdomain if you use the domain for both email and a website.<\/em><\/p>\n<p><strong><span style=\"color: #ff0000;\">WARNING:<\/span>\u00a0 INFORMATION NOW OUTDATED AND ONLY RETAINED FOR HISTORICAL PURPOSES<\/strong><\/p>\n<p>For many purposes a self-signed certificate is absolutely fine, but there are occasions where you need a valid certificate from a certificate authority.\u00a0 Valid 
certificates can be quite expensive, especially if they validate multiple domains; however, there is a free certification service (Let's Encrypt) that offers certificates that last 90 days.\u00a0 Obviously you do not want to have to recertify manually every 90 days, so if you are going to use these certificates it is a good idea to automate the renewal task.\u00a0 Thankfully for this purpose we have \u201c<strong>certbot<\/strong>\u201d, which will set up a cron job to renew the certificates before they expire.<\/p>\n<p><strong>Install<\/strong><\/p>\n<p>If you are on <strong>Debian Stretch<\/strong> then you can install certbot in the normal way; however, if you are on Jessie you will need to enable backports by adding this line:<\/p>\n<pre class=\"lang:sh highlight:0 decode:true\">deb http:\/\/ftp.debian.org\/debian jessie-backports main<\/pre>\n<p>to your \/etc\/apt\/<strong>list<\/strong>. You can also find a list of other mirrors at <a href=\"https:\/\/www.debian.org\/mirror\/list\">https:\/\/www.debian.org\/mirror\/list<\/a>.<\/p>\n<p>You can now install certbot by running:<\/p>\n<pre class=\"lang:sh decode:true\">#apt-get install certbot -t jessie-backports<\/pre>\n<p>This will also install a number of Python packages if they are not already installed.<\/p>\n<p><strong>Apache<\/strong><\/p>\n<p>Certbot can run in a standalone mode, but if you have Apache (as we do) you will need to amend some of the configuration files so that certbot gets certificates for the right domains.\u00a0 Next you need to install the certbot Apache plugin (note that you don\u2019t need backports here regardless of OS version):<\/p>\n<pre class=\"lang:sh decode:true\">#apt-get install python-certbot-apache<\/pre>\n<p>The next thing to do is to see what happens when you try to run certbot:<\/p>\n<pre class=\"lang:sh decode:true\">#certbot --authenticator webroot --installer apache --staging<\/pre>\n<p>Certbot needs strictly written Apache configuration files, so correct 
any errors before going any further. If all is well you should see<\/p>\n<pre class=\"lang:sh highlight:0 decode:true\">Which names would you like to activate HTTPS for?<\/pre>\n<p>followed by a list of sites. Do not go any further for now (press &lt;CTRL&gt;+C).<\/p>\n<p><strong>Mail server certificates<\/strong><\/p>\n<p>You will need to add those domains that are only used for your mail server to your default Apache configuration file as ServerName or ServerAlias directives (ServerName for the top level and ServerAlias for any others):<\/p>\n<pre class=\"lang:batch highlight:0 decode:true\">&lt;VirtualHost *:80&gt;\r\n    ServerName example.com\r\n    ServerAlias www.example.com\r\n    ServerAlias mail.example.com\r\n    ServerAdmin webmaster@localhost\r\n    DocumentRoot \/var\/www\/html\r\n    \u2026\u2026\r\n&lt;\/VirtualHost&gt;<\/pre>\n<p>If all is correct, when you run<\/p>\n<pre class=\"lang:sh decode:true\">#service apache2 reload\r\n#certbot --authenticator webroot --installer apache --staging<\/pre>\n<p>you should see all the aliases that you have added in the list (again, do not go any further).<\/p>\n<p>The way certbot works is that it creates a small file in the web root directory which it uses for validation. 
Once it has validated the domain it deletes the file.<\/p>\n<p>Certbot relies on port 80 and plain old HTTP for this validation, because it may have to validate a site before any HTTPS setup exists.<\/p>\n<p>In our particular setup, if you have set up Apache then you will already have secure sites using self-signed certificates (a step that I would recommend in all circumstances, as it is a good fallback option should Let's Encrypt cease providing free certificates).<\/p>\n<p>Now, if we have any HTTPS-based virtual hosts, we need to amend the configuration files so that when certbot performs its validation routine it will complete the task successfully.<\/p>\n<p>If you look in a configuration file you will see something like:<\/p>\n<pre class=\"lang:apache decode:true\">&lt;VirtualHost *:80&gt;\r\n    ServerName webmail.example.com\r\n    Redirect \"\/\" https:\/\/webmail.example.com\/\r\n&lt;\/VirtualHost&gt;<\/pre>\n<p>This redirects all traffic to our HTTPS virtual host; however, this is no good for certbot for the reasons outlined above, so we need to add an exception.\u00a0 The easiest and arguably best way to do this is to enable the rewrite engine (<strong># a2enmod rewrite<\/strong>) and replace the configuration above with something similar to the following:<\/p>\n<pre class=\"lang:apache decode:true\">&lt;VirtualHost *:80&gt;\r\n    ServerName webmail.example.com\r\n    Redirect \"\/\" https:\/\/webmail.example.com\/\r\n    DocumentRoot \/var\/lib\/roundcube\/\r\n    CustomLog ${APACHE_LOG_DIR}\/access.log common\r\n    ErrorLog ${APACHE_LOG_DIR}\/error.log\r\n    RewriteEngine on\r\n    RewriteRule ^\/.well-known\/ - [L]\r\n    RewriteCond %{SERVER_NAME} =webmail.example.com\r\n    RewriteRule ^ https:\/\/%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]\r\n&lt;\/VirtualHost&gt;<\/pre>\n<p>This is an example for a 
Roundcube web portal. Note that it is important to set the DocumentRoot and ServerName correctly.<\/p>\n<p>The magic happens here:<\/p>\n<pre class=\"lang:apache decode:true\">RewriteRule ^\/.well-known\/ - [L]<\/pre>\n<p>as this is the path where certbot puts the file that it uses for verification, i.e. webmail.example.com.well-known\u2026\u2026 The rule passes those requests through unchanged (the [L] flag stops further rewriting) instead of redirecting them to HTTPS.<\/p>\n<p>You are advised to look at some of the live configuration files as they all have subtle differences.\u00a0 Once you have everything configured you can <strong>reload Apache<\/strong> and then go ahead and generate your certificates:<\/p>\n<pre class=\"lang:sh decode:true\">#certbot --authenticator webroot --installer apache<\/pre>\n<p>Follow the instructions on screen, and make sure you get the webroots correct or you will generate errors.<\/p>\n<p>NOTE:\u00a0 If you are not confident of your configuration then use the --staging flag first.<\/p>\n<p><strong>Setting the certificates for Postfix<\/strong><\/p>\n<p>First of all you need to know the path of the certificate for your mail server, so just run<\/p>\n<pre class=\"lang:sh decode:true\">#certbot certificates<\/pre>\n<p>which should produce something like<\/p>\n<pre class=\"lang:sh highlight:0 decode:true \">Found the following certs:\r\nCertificate Name: epsilon.inplico.uk\r\nDomains: example.com mail.example.com webmail.someotherdomain.org.uk\r\nExpiry Date: 2018-10-26 17:31:41+00:00 (VALID: 89 days)\r\nCertificate Path: \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\r\nPrivate Key Path: \/etc\/letsencrypt\/live\/example.com\/privkey.pem\r\n----------------------------------------------------------------------<\/pre>\n<p>You can now amend your \/etc\/main.cf file to point at the new certificates and restart postfix. 
Note that I like to comment out the original certificate paths rather than delete them, so that there is an easy reference should it be necessary to use the fallback option.<\/p>\n<p>NOTE:\u00a0 Don\u2019t forget that you will need to reconfigure msmtp (see Bacula) to use the new certificate, as this is not an automated process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since this page was originally written certbot has improved significantly to the point where you should be able to use it straight out of the box.\u00a0 Information below the warning has been left here to help troubleshoot if you run into difficulties rather than anything but if you install certbot with the apt then you [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-debian-server"],"_links":{"self":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=125"}],"version-history":[{"count":7,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":403,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions\/403"}],"wp:attachment":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"hr
ef":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}