Ubuntu Server 20.04 : Enabling SSL on the Apache, Mail and FTP servers (Let's Encrypt)

Contents

  • 1. Obtaining a certificate (Let's Encrypt)
    • 1.1 Preparation
  • 2. Configuring SSL/TLS (Let's Encrypt) on Apache2
  • 3. Configuring SSL/TLS (Let's Encrypt) on the mail server
    • 3.1 Virtual host setup and certificate acquisition
    • 3.2 Postfix configuration
    • 3.3 Dovecot configuration
  • 4. Configuring SSL/TLS (Let's Encrypt) on FTP (vsftpd)

1. Obtaining a certificate (Let's Encrypt)

1.1 Preparation

① Enable mod_ssl

# a2enmod ssl

② Install the client tool used to obtain Let's Encrypt certificates

# apt -y install certbot

③ Obtain the Let's Encrypt certificate
This assumes that a web server such as Apache httpd or Nginx is already running. If no web server is running on the server where you do this work, use the procedure in ④ instead. It is also a prerequisite that port 80 on the server (the server with the FQDN you want a certificate for) is reachable from the Internet.

# certbot certonly --webroot -w /var/www/html/<FQDN> -d <FQDN>

# With [--webroot], the document root of the running web server is used as the temporary area for validation
# -w [document root] -d [FQDN to obtain a certificate for]
# FQDN (Fully Qualified Domain Name): hostname.domainname written out in full
# If the web server has several virtual host definitions, specify the document root of the matching host definition
# All that happens to the document root is that a [.well-known] directory is created under it
# and the validation file is placed there automatically and temporarily
# The first time only, you must register an email address and agree to the terms of service
# Specify an email address at which you can actually receive mail

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <mail address>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for <FQDN>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<FQDN>/privkey.pem
This certificate expires on 2022-09-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If "Successfully received certificate." is displayed, the request succeeded.
# As stated in the message, the following certificate files are now under [/etc/letsencrypt/live/<FQDN>/]

# cert.pem      ⇒ SSL server certificate (contains the public key)
# chain.pem     ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem concatenated into one file
# privkey.pem   ⇒ private key corresponding to the public key

④ Obtaining a Let's Encrypt certificate when no web server is running
It is still a prerequisite that port 80 on the server where you do this work is reachable from the Internet.

# With [--standalone], certbot's built-in minimal web server is used for validation
# -d [FQDN to obtain a certificate for]
# FQDN (Fully Qualified Domain Name): hostname.domainname written out in full
# To obtain certificates for several FQDNs, specify -d [FQDN] once per FQDN

# certbot certonly --standalone -d <FQDN>

Enter email address (used for urgent notices and lost key recovery)
<mail address>
                  < OK >          <Cancel>

# Agree to the terms of service
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
                  <Agree >          <Cancel>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<FQDN>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<FQDN>/privkey.pem
   Your cert will expire on 2019-10-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donat

⑤ Renewing certificates already obtained

# Renews every certificate with less than 30 days of validity remaining
# To renew regardless of the remaining days, add [--force-renewal]

# certbot [--force-renewal] renew
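Certbot's scheduled renewal only replaces the files under /etc/letsencrypt/live; Apache and Dovecot in particular keep serving the certificate they loaded at startup until they are reloaded. The deploy hook below is an added example, not part of the original page: it assumes the two lineages hoge.com and mail.hoge.com set up in sections 2 to 4 and a hypothetical file name /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (executable), which certbot runs after each successful renewal with RENEWED_LINEAGE set to the renewed live directory.

```shell
#!/bin/sh
# Hypothetical deploy hook: /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/hoge.com) and
# RENEWED_DOMAINS before running every executable in that directory.
set -eu

# Map a renewed lineage to the daemons that load its certificate files.
# hoge.com is used by Apache (section 2) and vsftpd (section 4);
# mail.hoge.com by Postfix and Dovecot (section 3).
services_for_lineage() {
    case "$(basename "$1")" in
        hoge.com)      echo "apache2 vsftpd" ;;
        mail.hoge.com) echo "postfix dovecot" ;;
        *)             echo "" ;;
    esac
}

# Reload rather than restart so that sessions in progress are not dropped;
# switch a unit to "restart" if it has no reload action on your system.
reload_for_lineage() {
    for svc in $(services_for_lineage "$1"); do
        logger -t certbot-deploy "reloading $svc after renewal of $1"
        systemctl reload "$svc"
    done
}

# Only act when invoked by certbot; otherwise the functions are merely defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_for_lineage "$RENEWED_LINEAGE"
fi
```

A dry run of the mapping without touching any service: `RENEWED_LINEAGE=/etc/letsencrypt/live/mail.hoge.com sh -n reload-services.sh` only checks syntax; `certbot renew --dry-run` does not execute deploy hooks, so test the hook once with `--force-renewal` at a quiet time.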

2. Configuring SSL/TLS (Let's Encrypt) on Apache2

① Edit the Apache2 SSL configuration file

# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf

# vi hoge.com-ssl.conf
# Line 3: change the administrator address
ServerAdmin  hoge@hoge.com
# Line 5: change
DocumentRoot /var/www/html/hoge.com
# Lines 13,14: change
ErrorLog ${APACHE_LOG_DIR}/hoge.com.error.log
CustomLog ${APACHE_LOG_DIR}/hoge.com.access.log combined
# Lines 32,33: change to the certificate obtained in [1]
SSLCertificateFile      /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42: uncomment and change to the chain file obtained in [1]
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem

② Apply and enable the configuration file

# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
  systemctl reload apache2

# systemctl restart apache2

# a2dissite default-ssl.conf   (disable the default SSL site)

# systemctl restart apache2

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

③ Redirect from http to https

1. Method using a .htaccess file
Create .htaccess in /var/www/html/hoge.com/ and enter the following:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

2. Method of writing it in vhost-hoge.com.conf

# vi /etc/apache2/sites-available/vhost-hoge.com.conf
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

④ Apply the configuration and start

# a2ensite vhost-hoge.com.conf

# a2enmod ssl

Restart Apache

# systemctl restart apache2

3. Configuring SSL/TLS (Let's Encrypt) on the mail server

3.1 Virtual host setup and certificate acquisition

① Add the mail host as an Apache virtual host

# cd /etc/apache2/sites-available/
# vi vhost-hoge.com.conf

Below the virtual host definition for the web service, append the following virtual host for mail:

<VirtualHost *:80>
    ~omitted~
    ServerName mail.hoge.com
    ServerAdmin hoge@hoge.com
    DocumentRoot /var/www/html/mail.hoge.com
    ~omitted~
    ErrorLog ${APACHE_LOG_DIR}/mail.hoge.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mail.hoge.com.access.log combined
    ~omitted~
</VirtualHost>

② Create the mail.hoge.com directory under /var/www/html/

③ Obtain the Let's Encrypt SSL certificate for the mail server

# certbot certonly --webroot -w /var/www/html/mail.hoge.com -d mail.hoge.com

3.2 Postfix configuration

④ Edit the Postfix configuration files
Configure SSL/TLS so that communication is encrypted. SMTPS uses 465/TCP, POP3S uses 995/TCP and IMAPS uses 993/TCP.

# vi /etc/postfix/main.cf
# Append at the end of the file
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.hoge.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.hoge.com/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# Include information about the cipher in the "Received:" message header
smtpd_tls_received_header = yes

# vi /etc/postfix/master.cf
# Uncomment the lines shown uncommented below under the submission and smtps entries (supports both SSL and STARTTLS)
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd

Check the configuration for errors (OK if nothing is displayed)

# postfix check

⑤ Start Postfix and enable it at boot

# systemctl start postfix
# systemctl enable postfix

3.3 Dovecot configuration

① Edit the Dovecot configuration files

# vi /etc/dovecot/conf.d/10-ssl.conf
# Line 6: change
ssl = yes
# Lines 12,13: uncomment and specify the certificate/key files
ssl_cert = </etc/letsencrypt/live/mail.hoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hoge.com/privkey.pem

・Enable imaps and pop3s, which use encryption, and disable the plaintext imap and pop3 listeners by setting "port = 0".

# vi /etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
    port = 995
    ssl = yes
  }
}

・Specify the authentication socket file for the Dovecot SASL library (around line 113)

service auth {
  (omitted)
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  ↓
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

・Authentication method settings
※ Plaintext passwords are permitted, but since they are encrypted by SSL/TLS this is not a problem.

# vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes   →  disable_plaintext_auth = no
auth_mechanisms = plain         →  auth_mechanisms = plain login

・Specify the mailbox location

# vi /etc/dovecot/conf.d/10-mail.conf
#mail_location =   →  mail_location = maildir:~/Maildir

・Change the log destination

# vi /etc/dovecot/conf.d/10-logging.conf
#log_path = syslog   →  log_path = /var/log/dovecot/dovecot.log

・Create the log directory

# mkdir /var/log/dovecot

② Start Dovecot and enable it at boot

# systemctl start dovecot
# systemctl enable dovecot

③ Confirm that the authentication socket file has been created

# ls -F /var/spool/postfix/private/auth
---(OK if the following is displayed)---
/var/spool/postfix/private/auth=

4. Configuring SSL/TLS (Let's Encrypt) on FTP (vsftpd)

① Edit the vsftpd configuration file

# vi /etc/vsftpd.conf
# Append the following at the end of the file
# add letsencrypt
rsa_cert_file=/etc/letsencrypt/live/hoge.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/hoge.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#pasv port
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21010

Restart

# systemctl restart vsftpd

② Firewall settings

In addition to the FTP port, allow the fixed PASV port range.

# ufw allow 21000:21010/tcp
# ufw reload
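As an added check that is not part of the original page, the script below probes every TLS endpoint configured in sections 2 to 4 with openssl s_client and prints, per endpoint, whether the chain verified against the local CA store and when the certificate expires. It assumes the page's hostnames hoge.com and mail.hoge.com and a machine whose CA bundle contains the Let's Encrypt root; explicit FTPS and submission use STARTTLS, the other ports use implicit TLS.

```shell
#!/bin/sh
# Added TLS verification script (not from the original page).
set -eu

# Extract the numeric code from an openssl s_client "Verify return code" line;
# 0 means the chain verified against the system CA store, empty means no line.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Connect to host:port. $3 names the STARTTLS protocol for services that
# upgrade a plaintext connection (smtp, ftp); leave it empty for implicit TLS.
tls_probe() {
    host=$1; port=$2; starttls=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
    openssl s_client "$@" </dev/null 2>/dev/null
}

# One line per endpoint: verify code (none if the connection failed) and expiry.
check_endpoint() {
    out=$(tls_probe "$1" "$2" "${3:-}") || out=""
    code=$(verify_code "$out")
    expiry=$(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    printf '%-14s %-4s verify=%s expires=%s\n' "$1" "$2" "${code:-none}" "${expiry:-?}"
}

main() {
    check_endpoint hoge.com      443         # Apache (section 2)
    check_endpoint hoge.com      21   ftp    # vsftpd, explicit FTPS (section 4)
    check_endpoint mail.hoge.com 587  smtp   # Postfix submission, STARTTLS
    check_endpoint mail.hoge.com 465         # Postfix smtps, wrapper mode
    check_endpoint mail.hoge.com 993         # Dovecot imaps
    check_endpoint mail.hoge.com 995         # Dovecot pop3s
}

# Probes run only when invoked as: sh tls-check.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Any line with verify other than 0 (for example 10, certificate has expired, or 21, unable to verify the first certificate) points at a stale file or a missing chain in that daemon's configuration.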
