@gnanet
Last active November 1, 2018 00:56
Let's Encrypt on debian stretch with nginx and SMTP POP3 IMAP with acmetool

How to install acmetool on stretch

https://github.com/hlandau/acme/releases

How to do it

Follow the instructions, but don't simply copy them:

# Download a **non_cgo** tar.gz into /usr/local/
$ cd /usr/local
$ wget https://github.com/hlandau/acme/releases/download/v0.0.67/acmetool-v0.0.67-linux_amd64.tar.gz

# extract the archive
$ tar xzf acmetool-v0.0.67-linux_amd64.tar.gz

# copy the binary to its place
$ cp -ar ./acmetool-v0.0.67-linux_amd64/bin/acmetool /usr/local/sbin/

# create the man folder and copy the manual to its place
$ mkdir -p /usr/local/share/man/man8
$ cp -ar ./acmetool-v0.0.67-linux_amd64/doc/acmetool.8 /usr/local/share/man/man8

# create /var/www/.well-known/acme-challenge
$ mkdir -p /var/www/.well-known/acme-challenge

# prepare nginx to provide the verification folder for all domains
$ printf "# /etc/nginx/snippets/acme.conf\n    location /.well-known/ {\n        alias /var/www/.well-known/;\n    }\n" > /etc/nginx/snippets/acme.conf
$ sed -i.acme-backup -e "s/\s*# pass PHP scripts to FastCGI server/        include snippets\/acme.conf;\n\n        # pass PHP scripts to FastCGI server/g" /etc/nginx/sites-available/default
$ /usr/sbin/nginx -t && /usr/sbin/nginx -s reload

# do the quickstart
$ acmetool quickstart

# Choose WEBROOT
# Declare and create /var/www/.well-known/acme-challenge

# prepare combined PEM file creation
$ echo 'HAPROXY_ALWAYS_GENERATE=yes' > /etc/default/acme-reload

# create the first certificate
$ acmetool want ${YOUR FIRST DOMAIN}
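The nginx step above inserts `include snippets/acme.conf;` with a sed that keys on the `# pass PHP scripts to FastCGI server` comment of stretch's default site file; if that comment is missing, the sed silently changes nothing and the challenge directory is never served. The following script is an added example, not part of the gist: it wraps the gist's snippet and sed in functions, makes the edit idempotent, and checks afterwards that the include actually landed. The sample site file is a constructed miniature of `/etc/nginx/sites-available/default`, and `make_sample_site`, `write_acme_snippet` and `add_acme_include` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the gist: apply the "include snippets/acme.conf"
# step to an nginx site file and verify it landed. The gist's sed keys on the
# "# pass PHP scripts to FastCGI server" comment of stretch's default site;
# when that comment is absent the sed silently changes nothing and the
# /.well-known/ challenge directory would not be served, so the result is checked.
set -eu

# Constructed miniature of /etc/nginx/sites-available/default on stretch.
make_sample_site() {
    cat > "$1" <<'EOF'
server {
        listen 80 default_server;
        root /var/www/html;
        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #}
}
EOF
}

# The snippet from the gist, written to $1 (normally /etc/nginx/snippets/acme.conf).
write_acme_snippet() {
    printf '# /etc/nginx/snippets/acme.conf\n    location /.well-known/ {\n        alias /var/www/.well-known/;\n    }\n' > "$1"
}

# Insert the include before the FastCGI comment in site file $1 (the gist's
# sed, GNU sed syntax), keeping a .acme-backup copy. Skips the edit when the
# include is already present, so re-running does not add it twice. Returns 1
# when the include is still missing afterwards, i.e. the anchor comment was
# not found and the file needs a manual edit.
add_acme_include() {
    site="$1"
    if grep -q '^[[:space:]]*include snippets/acme.conf;' "$site"; then
        return 0
    fi
    sed -i.acme-backup -e 's/\s*# pass PHP scripts to FastCGI server/        include snippets\/acme.conf;\n\n        # pass PHP scripts to FastCGI server/g' "$site"
    grep -q '^[[:space:]]*include snippets/acme.conf;' "$site"
}

# Stand-alone run against the constructed sample.
demo() {
    dir=$(mktemp -d)
    make_sample_site "$dir/default"
    write_acme_snippet "$dir/acme.conf"
    if add_acme_include "$dir/default"; then
        echo "include added; resulting lines:"
        grep -n 'acme.conf' "$dir/default"
    else
        echo "anchor comment not found; add the include by hand"
    fi
    rm -rf "$dir"
}
demo
```

On a real host, call `add_acme_include /etc/nginx/sites-available/default` and only run `nginx -t && nginx -s reload` when it returns 0; a non-zero return means the site file does not contain the comment the gist relies on and the `include` line has to be placed inside the `server` block by hand.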

Configuring Web services

SSL vhosts with nginx

Create /etc/nginx/snippets/hard-ssl.conf with the following content:

$ touch /etc/nginx/snippets/hard-ssl.conf

ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;

I assume you already have a server block for your virtual host, so copy the complete server block and, in the copy, change listen 80; to listen 443 ssl; like below:

server {
    listen          443 ssl;
    server_name     ${YOUR FIRST DOMAIN};
    ...
}

Add the following lines inside the server block:

    ssl on;
    include snippets/hard-ssl.conf;
    ssl_certificate /var/lib/acme/live/${YOUR FIRST DOMAIN}/fullchain;
    ssl_certificate_key /var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey;
    # If your application is not compatible with IE <= 10, this will redirect visitors
    # to a page advising a browser update.
    # This works because IE 11 does not present itself as MSIE anymore.
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

After everything is configured, test the config and restart nginx:

nginx -t
service nginx restart

Configuring Mail services

Dovecot

Configuration in /etc/dovecot/conf.d/10-ssl.conf:

ssl = yes
ssl_cert = </var/lib/acme/live/${YOUR FIRST DOMAIN}/fullchain
ssl_key = </var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

After configuration:

# restart dovecot
$ /etc/init.d/dovecot restart

Postfix

In main.cf, change the cert and key:

smtpd_tls_cert_file=/var/lib/acme/live/${YOUR FIRST DOMAIN}/fullchain
smtpd_tls_key_file=/var/lib/acme/live/${YOUR FIRST DOMAIN}/privkey

In master.cf, change the submission service and uncomment/create the smtps service like below:

submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

After configuration:

# restart postfix
$ /etc/init.d/postfix restart
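The nginx hard-ssl.conf snippet and the Postfix master.cf services above both carry settings worth auditing before they go live: the snippet still enables TLSv1 and TLSv1.1 and lists three 3DES suites without a `!` exclusion (`!DES` only removes single DES), and the submission service has its `smtpd_tls_security_level=encrypt` override commented out, so that port falls back to main.cf's `smtpd_tls_security_level` and accepts plaintext unless that is set to `encrypt` elsewhere. The script below is an added example, not part of the gist: it embeds constructed copies of the gist's two fragments and runs three small checks over them. The function names (`nginx_legacy_protocols`, `nginx_legacy_ciphers`, `postfix_service_forces_tls`) are chosen here.

```shell
#!/bin/sh
# Added example, not part of the gist: audit the TLS settings from the nginx
# hard-ssl.conf snippet and the Postfix master.cf services for legacy choices.
# The two sample files are constructed copies of the gist's own fragments so
# the checks run offline.
set -eu

# Constructed sample: the gist's hard-ssl.conf (protocol and cipher lines).
write_sample_hard_ssl() {
    cat > "$1" <<'EOF'
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;
EOF
}

# Constructed sample: the gist's submission and smtps services (trimmed).
write_sample_master_cf() {
    cat > "$1" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF
}

# Tokens on the ssl_protocols line that are deprecated (SSLv3, TLSv1,
# TLSv1.1; RFC 8996), printed one per line. Prints nothing when clean.
nginx_legacy_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$1" \
        | tr ' ' '\n' | grep -E '^(SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Cipher suites still offered that use 3DES or RC4, one per line.
# Entries prefixed with "!" are exclusions and do not count.
nginx_legacy_ciphers() {
    sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*'\(.*\)';.*$/\1/p" "$1" \
        | tr ':' '\n' | grep -v '^!' | grep -E 'DES-CBC3|3DES|RC4' || true
}

# Returns 0 when service $2 in master.cf $1 always uses TLS: either an
# implicit-TLS wrapper (smtpd_tls_wrappermode=yes) or an active
# "-o smtpd_tls_security_level=encrypt" override. A commented-out override,
# as on the gist's submission service, does not count.
postfix_service_forces_tls() {
    awk -v svc="$2" '
        /^[^ \t#]/ { inblock = ($1 == svc) }
        inblock && /^[ \t]+-o[ \t]+smtpd_tls_(security_level=encrypt|wrappermode=yes)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone run over the constructed samples.
audit() {
    dir=$(mktemp -d)
    write_sample_hard_ssl "$dir/hard-ssl.conf"
    write_sample_master_cf "$dir/master.cf"
    echo "legacy protocols: $(nginx_legacy_protocols "$dir/hard-ssl.conf" | tr '\n' ' ')"
    echo "legacy ciphers:   $(nginx_legacy_ciphers "$dir/hard-ssl.conf" | tr '\n' ' ')"
    for svc in submission smtps; do
        if postfix_service_forces_tls "$dir/master.cf" "$svc"; then
            echo "$svc: TLS enforced"
        else
            echo "$svc: plaintext possible"
        fi
    done
    rm -rf "$dir"
}
audit
```

Point the three functions at the real `/etc/nginx/snippets/hard-ssl.conf` and `/etc/postfix/master.cf` to audit a live host; on the gist's fragments they report `TLSv1 TLSv1.1`, the three `DES-CBC3` suites, and `submission: plaintext possible` versus `smtps: TLS enforced`. Uncommenting the `-o smtpd_tls_security_level=encrypt` line on the submission service is what flips the last result.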

Prepare for autorenew

You should also declare the services above so that they are reloaded when auto-renewal happens:

$ echo 'SERVICES="nginx dovecot postfix"' >> /etc/default/acme-reload