@gnanet
Created April 25, 2018 18:03
Let's Encrypt on debian wheezy and EasySCP

How to install acmetool on Debian wheezy with EasySCP

acmetool releases: https://github.com/hlandau/acme/releases

Some ideas were taken from Teranus's post on the EasySCP forum (credit goes to Teranus): http://www.easyscp.net/forum/index.php/Thread/1265-Certificates-via-acmetool-on-EasySCP/

How to do it

Follow the instructions, but do not copy them blindly: check the release version, the paths and the EasySCP user against your own system. All commands are run as root:

# Download the non-cgo linux_amd64 tar.gz (the archive without _cgo in its name) into /usr/local/
$ cd /usr/local
$ wget https://github.com/hlandau/acme/releases/download/v0.0.67/acmetool-v0.0.67-linux_amd64.tar.gz

# extract the archive
$ tar xzf acmetool-v0.0.67-linux_amd64.tar.gz

# copy the binary to its place
$ cp -ar ./acmetool-v0.0.67-linux_amd64/bin/acmetool /usr/local/sbin/

# create the man folder and copy the manual to its place
$ mkdir -p /usr/local/share/man/man8
$ cp -ar ./acmetool-v0.0.67-linux_amd64/doc/acmetool.8 /usr/local/share/man/man8

# run the quickstart: choose WEBROOT as the validation method and, when asked
# for the webroot path, give /var/www/easyscp/gui/tools/.well-known/acme-challenge
$ acmetool quickstart

# create that directory; vu2000 is the EasySCP web user on this setup, adjust it if yours differs
$ mkdir -p /var/www/easyscp/gui/tools/.well-known/acme-challenge
$ chown vu2000:vu2000 /var/www/easyscp/gui/tools/.well-known -R

# make apache serve the challenge directory for every domain on the server (the
# Alias applies to all vhosts); keep nothing but challenge files in there, it is
# reachable from every site and writable by the web user
$ echo 'Alias /.well-known /var/www/easyscp/gui/tools/.well-known' > /etc/apache2/conf.d/acme.conf
$ apache2ctl graceful

# optional: have acmetool's haproxy hook always write a combined key + chain PEM
# (live/<domain>/haproxy) as well; nothing configured below needs it, other services may
$ echo 'HAPROXY_ALWAYS_GENERATE=yes' > /etc/default/acme-reload

# request the first certificate; `want` takes one or more hostnames for a single
# certificate, run it again for each further site and check the result with `acmetool status`
$ acmetool want ${YOUR FIRST DOMAIN}
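Before running acmetool want it is worth proving that every vhost really serves the shared challenge directory over plain HTTP, since a per-site .htaccess, a rewrite rule or a redirect to a vhost without the Alias makes HTTP-01 validation fail. The script below is an added example, not code from the gist or from acmetool; it assumes the Alias in /etc/apache2/conf.d/acme.conf and the webroot created above, and the WEBROOT variable, the function names and the "preflight-" marker are this script's own.

```sh
#!/bin/sh
# Pre-flight for HTTP-01: prove that each vhost serves the shared challenge
# directory over plain HTTP before asking the CA for a certificate.
# Added example, not code from the gist or from acmetool. Assumes the Alias in
# /etc/apache2/conf.d/acme.conf and the webroot created above; WEBROOT, the
# function names and the "preflight-" marker are this script's own.
set -u

WEBROOT=${WEBROOT:-/var/www/easyscp/gui/tools/.well-known/acme-challenge}

# 32 hex characters from /dev/urandom (od is POSIX; no dependency on openssl).
mk_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# URL the CA requests for HTTP-01: always plain HTTP on port 80.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Fetch a URL to stdout. -f turns 4xx/5xx into a non-zero exit; -L is deliberately
# absent so a redirect shows up as a body mismatch instead of being silently followed.
fetch() {
    curl -sS -f --max-time 10 "$1"
}

# Drop a token file into the webroot, fetch it through the vhost, compare, clean up.
# Returns 0 when the vhost serves the token unchanged, 1 otherwise.
probe_domain() {
    domain=$1
    token=$(mk_token)
    expected="preflight-$token"
    printf '%s' "$expected" > "$WEBROOT/$token" || { echo "cannot write to $WEBROOT" >&2; return 1; }
    got=$(fetch "$(challenge_url "$domain" "$token")" 2>/dev/null)
    rc=$?
    rm -f "$WEBROOT/$token"          # never leave stale files in a world-reachable directory
    if [ "$rc" -eq 0 ] && [ "$got" = "$expected" ]; then
        echo "OK   $domain"
        return 0
    fi
    echo "FAIL $domain (curl exit $rc, body: ${got:-<empty>})" >&2
    return 1
}

# Probe every hostname given on the command line; the exit status is the number of failures.
main() {
    fails=0
    for d in "$@"; do
        probe_domain "$d" || fails=$((fails + 1))
    done
    return "$fails"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the hostnames you are about to hand to acmetool want (for example `sh preflight.sh example.com www.example.com`); every line must read OK before you continue. A FAIL line shows the body the vhost actually returned, which is usually enough to spot the rewrite or redirect responsible.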

Configuring Web Service

In case you need SSL vhosts with apache2

create /etc/apache2/conf.d/hard-ssl.conf with the server-wide TLS settings (SSLv2 and SSLv3 off, cipher order chosen by the server):

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on

Note that this list still offers the 3DES suites (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA) for old clients; !DES only excludes single DES in OpenSSL cipher strings. Add !3DES if you do not have to support such clients.

Edit /etc/apache2/ports.conf and add NameVirtualHost *:443 inside both IfModule blocks:

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

Copy your complete VirtualHost block, place the copy inside an <IfModule mod_ssl.c> block and change the port from *:80 to *:443:

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
</VirtualHost>
</IfModule>

and add the following lines inside the VirtualHost block (Apache 2.2 takes the intermediate chain separately via SSLCertificateChainFile; the paths under /var/lib/acme/live/ are kept pointing at the current certificate by acmetool):

    SSLEngine on
    SSLCertificateFile /var/lib/acme/live/${YOUR FIRST DOMAIN}/cert
    SSLCertificateKeyFile /var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey
    SSLCertificateChainFile /var/lib/acme/live/${YOUR FIRST DOMAIN}/chain

After everything is configured, enable the SSL module of apache, test the config and restart apache. Enable the module before the configtest: the vhost sits inside <IfModule mod_ssl.c>, so without mod_ssl loaded the test silently skips it and proves nothing about it.

$ a2enmod ssl
$ apache2ctl configtest
$ service apache2 restart

Configuring Mail services

Dovecot

Configuration in /etc/dovecot/conf.d/10-ssl.conf (the leading < makes dovecot read the value from the file; the key is read as root at startup, so it needs no extra permissions):

ssl = yes
ssl_cert = </var/lib/acme/live/${YOUR FIRST DOMAIN}/fullchain
ssl_key = </var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

after configuration

# restart dovecot
$ /etc/init.d/dovecot restart

Postfix

In main.cf point the cert and key at the acmetool live directory (fullchain, so clients also get the intermediate certificate):

smtpd_tls_cert_file=/var/lib/acme/live/${YOUR FIRST DOMAIN}/fullchain
smtpd_tls_key_file=/var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey

In master.cf change submission, and uncomment/create smtps like below. As written, the submission service does not require TLS before authentication (the smtpd_tls_security_level=encrypt line is commented out), so a client may send its password in the clear; uncomment that line, or set smtpd_tls_auth_only = yes in main.cf, unless you have clients that cannot do STARTTLS:

submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

after configuration

# restart postfix
$ /etc/init.d/postfix restart

prepare for renew

The cron job installed by quickstart renews certificates automatically (acmetool --batch reconcile). Add the services configured above to /etc/default/acme-reload so acmetool's reload hook reloads (or restarts) them after a renewal; otherwise they keep serving the old certificate until the next restart:

$ echo 'SERVICES="apache2 dovecot postfix"' >> /etc/default/acme-reload
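When a renewal lands, the reload hook restarts the services without looking at what it deploys, so a certificate that does not belong to its key, a missing fullchain, or a key whose mode has drifted to world-readable goes live unnoticed. The hook below is an added example, not code from the gist or from acmetool: it checks each updated host's live directory and logs the result to syslog, and runs an apache2ctl configtest so a broken vhost is reported before the reload. It assumes acmetool's hook interface (event name in $1, hostnames on stdin for live-updated, hooks in /usr/lib/acme/hooks) and the live layout used above; the file name 10-check-live, the ACME_LIVE_DIR and APACHECTL variables and all function names are this example's own.

```sh
#!/bin/sh
# acmetool hook: sanity-check freshly deployed live certificates and log the
# result to syslog. Added example, not code from the gist or from acmetool.
# Assumptions: acmetool runs the executables in /usr/lib/acme/hooks with the
# event name in $1 and, for "live-updated", the affected hostnames on stdin one
# per line; the live layout is /var/lib/acme/live/<host>/{cert,privkey,fullchain}
# as used above. Install as /usr/lib/acme/hooks/10-check-live, mode 0755 (the
# file name, ACME_LIVE_DIR, APACHECTL and the function names are this example's own).
set -u

LIVE=${ACME_LIVE_DIR:-/var/lib/acme/live}
APACHECTL=${APACHECTL:-apache2ctl}

log() {
    logger -t acme-check-live -- "$*" 2>/dev/null || true
    echo "acme-check-live: $*" >&2
}

# Hostnames from stdin: strip CR and surrounding whitespace, drop blank lines and duplicates.
read_hostnames() {
    tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Public key in PEM form, from the certificate and from the private key. Comparing
# public keys works for RSA and ECDSA alike, unlike the classic -modulus trick.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# One host: all files present, key not world-readable, cert and key belong together.
check_host() {
    d="$LIVE/$1"
    for f in cert privkey fullchain; do
        [ -s "$d/$f" ] || { log "$1: missing or empty $d/$f"; return 1; }
    done
    # acmetool uses symlinks under live/, so follow them (-L) and test the target's mode:
    # a world-readable key would be exposed to every EasySCP site user on the box.
    if [ -n "$(find -L "$d/privkey" -perm -004 2>/dev/null)" ]; then
        log "$1: $d/privkey is world-readable"; return 1
    fi
    if [ "$(cert_pubkey "$d/cert")" != "$(key_pubkey "$d/privkey")" ]; then
        log "$1: cert and privkey do not match"; return 1
    fi
    log "$1: live certificate verified"
    return 0
}

# Entry point: $1 is the acmetool event; anything but live-updated is ignored.
hook_main() {
    [ "${1:-}" = "live-updated" ] || return 0
    rc=0
    for h in $(read_hostnames); do
        check_host "$h" || rc=1
    done
    # The reload itself is done by acmetool's reload hook (SERVICES in
    # /etc/default/acme-reload); a configtest here makes a broken vhost visible
    # in syslog before that reload, instead of after the site has gone down.
    if [ "$rc" -eq 0 ] && command -v "$APACHECTL" >/dev/null 2>&1; then
        "$APACHECTL" configtest >/dev/null 2>&1 || { log "$APACHECTL configtest failed"; rc=1; }
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

The hook deliberately does not reload anything itself; it only makes a bad deployment loud in syslog and in the acmetool run that triggered it. To exercise it by hand, feed it a hostname on stdin: `echo example.com | sh /usr/lib/acme/hooks/10-check-live live-updated`.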