Notes from obtaining a certificate for the mail server, in addition to the server certificate already obtained for the web server.
Environment
- Ubuntu 20.04.3 LTS
- Linux orionis1811 5.4.0-67-generic
- Postfix 2.6
- Dovecot 2.3.7.2
Checking the certificates currently obtained
The certificates already issued on this host can be listed with the following command.
certbot certificates
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: www.mydomain.com
Domains: www.mydomain.com
Expiry Date: 2021-12-12 13:10:25+00:00 (VALID: 58 days)
Certificate Path: /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mydomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Obtaining the mail server certificate (failure)
First attempt, using the standalone authenticator:
certbot certonly --standalone -d mail.mydomain.com
$ sudo certbot certonly --standalone -d mail.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.mydomain.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Problem binding to port 80: Could not bind to IPv4 or IPv6
is displayed and the attempt fails: the standalone authenticator starts its own listener on port 80 for the http-01 challenge, and that port is already held by the web server running on the same host.
Obtaining the mail server certificate (success)
Stop the web server temporarily, then run the command again.
sudo systemctl stop apache2.service
$ sudo certbot certonly --standalone -d mail.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.mydomain.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.mydomain.com/privkey.pem
Your cert will expire on 2022-01-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
and it succeeds.
The certificate is created under /etc/letsencrypt/live/mail.mydomain.com/
(the files there are symlinks into the archive directory).
/etc/letsencrypt/live/mail.mydomain.com# ls -al
total 12
drwxr-xr-x 2 root root 4096 Oct 15 11:42 .
drwx------ 4 root root 4096 Oct 15 11:42 ..
lrwxrwxrwx 1 root root 47 Oct 15 11:42 cert.pem -> ../../archive/mail.mydomain.com/cert1.pem
lrwxrwxrwx 1 root root 48 Oct 15 11:42 chain.pem -> ../../archive/mail.mydomain.com/chain1.pem
lrwxrwxrwx 1 root root 52 Oct 15 11:42 fullchain.pem -> ../../archive/mail.mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 50 Oct 15 11:42 privkey.pem -> ../../archive/mail.mydomain.com/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 15 11:42 README
Of course, start the web server again afterwards. Note that certbot renew will reuse the standalone authenticator recorded for this certificate and run into the same port 80 conflict while Apache is running, so unattended renewal needs the web server stopped and started around it (certbot's --pre-hook and --post-hook options exist for this) and Postfix and Dovecot reloaded afterwards.
$ sudo systemctl start apache2.service
Postfix configuration
Change the certificate settings in /etc/postfix/main.cf
as follows.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
Dovecot configuration
Change the certificate settings in /etc/dovecot/conf.d/10-ssl.conf
as follows.
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
Restarting Postfix and Dovecot
Finally, restart Postfix and Dovecot so they pick up the new certificate.
$ sudo systemctl restart postfix
$ sudo systemctl restart dovecot
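As an added check for this note (example code written here, not from the post or from certbot), the following script parses `certbot certificates` output in the format shown above and verifies that the Postfix and Dovecot settings point at the live paths of the mail certificate. All inputs are constructed samples; the Dovecot ssl_key deliberately names the web certificate's key so the mismatch is visible.

```python
# Added example for this note (not code from the post): parse `certbot certificates` output
# and check that Postfix and Dovecot reference the mail cert's live paths. Inputs are constructed.
import re
from datetime import datetime

CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: www.mydomain.com
    Domains: www.mydomain.com
    Expiry Date: 2021-12-12 13:10:25+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.mydomain.com/privkey.pem
  Certificate Name: mail.mydomain.com
    Domains: mail.mydomain.com
    Expiry Date: 2022-01-13 11:42:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
"""
# Constructed config fragments; Dovecot's ssl_key deliberately names the web cert's key.
POSTFIX_MAIN_CF = """\
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
"""
DOVECOT_SSL_CONF = """\
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/www.mydomain.com/privkey.pem
"""
FIELDS = {"Expiry Date": "expiry", "Certificate Path": "cert", "Private Key Path": "key"}

def parse_certbot_certificates(text):
    """Map certificate name -> {expiry (aware datetime), cert, key}; other lines are skipped."""
    certs, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            cur = certs.setdefault(value, {})
        elif cur is not None and key in FIELDS:
            cur[FIELDS[key]] = value
    for c in certs.values():  # "2022-01-13 11:42:00+00:00 (VALID: 89 days)" -> datetime
        c["expiry"] = datetime.fromisoformat(c["expiry"].split(" (")[0])
    return certs

def check_mail_config(certs, name, main_cf, ssl_conf):
    """List mismatches where Postfix/Dovecot do not use the live paths of `name`."""
    want = certs[name]
    pf = dict(re.findall(r"^\s*(smtpd_tls_(?:cert|key)_file)\s*=\s*(\S+)", main_cf, re.M))
    dc = dict(re.findall(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", ssl_conf, re.M))
    found = [("postfix", k, pf.get(f"smtpd_tls_{k}_file")) for k in ("cert", "key")]
    found += [("dovecot", k, dc.get(f"ssl_{k}")) for k in ("cert", "key")]
    return [f"{d} {k}: expected {want[k]}, found {v}" for d, k, v in found if v != want[k]]
```

On a real host, feed it the output of `sudo certbot certificates` and the contents of the two config files; an empty result from check_mail_config means both daemons serve the mail certificate and its matching key.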