Guide on Renewing SSL Certificate for Apache, Postfix and Dovecot on CentOS 6.8 Linux

=====================================================================================


Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)


Country: Singapore


Date: 12 November 2020 Thursday Singapore Time


Type of Publication: Plain Text


Document Version: 20201112.01


Generating Certificate Signing Request (CSR) Using OpenSSL command on Linux

===========================================================================


Reference Guide: Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku

Link: https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache--opensslmodsslnginx--heroku/#4


# cd /root


# which openssl


# openssl req -new -newkey rsa:2048 -nodes -keyout teo-en-ming-corp.key -out teo-en-ming-corp.csr


Generating a 2048 bit RSA private key

...............................................................................................................................................................................+++

........................................................................+++

writing new private key to 'teo-en-ming-corp.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:SG

State or Province Name (full name) []:Singapore

Locality Name (eg, city) [Default City]:Singapore

Organization Name (eg, company) [Default Company Ltd]:Teo En Ming Corporation

Organizational Unit Name (eg, section) []:IT Department

Common Name (eg, your name or your server's hostname) []:*.teo-en-ming-corp.com.sg (USE WILDCARD!!!)

Email Address []:ceo@teo-en-ming-corp.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


# mkdir teo-en-ming


# mv teo-en-ming-corp.csr teo-en-ming-corp.key teo-en-ming/


# cd teo-en-ming


[root@mail.teo-en-ming-corp.com.sg teo-en-ming]# ls -al

total 16

drwxr-xr-x   2 root root 4096 Nov 11 11:43 .

dr-xr-x---. 14 root root 4096 Nov 11 11:43 ..

-rw-r--r--   1 root root 1119 Nov 11 11:42 teo-en-ming-corp.csr

-rw-r--r--   1 root root 1708 Nov 11 11:42 teo-en-ming-corp.key


# cat teo-en-ming-corp.csr (Display Certificate Signing Request)


-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----


# cat teo-en-ming-corp.key (Display Private/Secret Key)


-----BEGIN PRIVATE KEY-----


-----END PRIVATE KEY-----


Result from AlphaSSL Portal

============================


Congratulations!

Your order has been placed successfully.

Your order number is : 

You'll need to copy the following Domain Verification Code and place it in a text file called "gsdv.txt" which you'll then need to put in one of the approved locations

Meta Tag : <meta name="_globalsign-domain-verification" content="" />


http://teo-en-ming-corp.com.sg/.well-known/pki-validation/gsdv.txt


https://teo-en-ming-corp.com.sg/.well-known/pki-validation/gsdv.txt


To complete the URL Verification, close the browser. Open the SSL Configuration Link in new browser and click on "Complete Url Verification".


End of Result from AlphaSSL Portal

==================================


Domain Verification for SSL Certificate

=======================================


# cd /home/teo-en-ming-corp/public_html


# mkdir .well-known


# cd .well-known


# mkdir pki-validation


# cd pki-validation/


Edit gsdv.txt.


# nano gsdv.txt


<meta name="_globalsign-domain-verification" content="" />


Begin Email from AlphaSSL

=========================


Email Subject: Your SSL Certificate for *.teo-en-ming-corp.com.sg has been issued


-------------------------------------------------------------------------------

Please note that this email is automatically sent from a noreply mailbox.  

To contact AlphaSSL please use the Contact Details at the footer of this email.

-------------------------------------------------------------------------------



Dear Turritopsis Dohrnii Teo En Ming,      

                                                      

Your AlphaSSL Certificate has now been issued and is ready to be installed. Your SSL Certificate can be found at the bottom of this email.



CERTIFICATE DETAILS

--------------------------------------------------

Order Number: 

Common Name:  *.teo-en-ming-corp.com.sg



INSTALLING YOUR CERTIFICATE

----------------------------------------------------

Your SSL Certificate and Intermediate Certificate must be installed on your server.


Please note that as of March 31st 2014, SHA-256 will become the default hashing algorithm used unless SHA-1 was selected during the ordering process.


You can find guides on installing your certificate with the Support Center online at:  http://www.alphassl.com/support



QUICK INSTALLATION GUIDE

----------------------------------------------------

1) Using a text editor, copy the SSL Certificate text from the bottom of this email (including the -----BEGIN CERTIFICATE-----  and -----END CERTIFICATE----- lines) and save it to a file such as yourdomain.txt


2) Retrieve the Intermediate Certificate (selecting SHA-1 or SHA-256 as appropriate) from the Support Center at:

https://www.alphassl.com/support/install-root-certificate.html


3) Using a text editor, copy the Intermediate Certificate text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it to a file such as intermediate_domain_ca.txt


4) Copy these .txt files to your server and then rename them with .crt extensions


5) Install the Intermediate and SSL Certificates


6) Restart your server


7) To test for installation errors please use our SSL Configuration Checker located at https://sslcheck.globalsign.com/en_US


8) Install your Site Seal with the instructions shown at: http://www.alphassl.com/support/ssl-site-seal.html


9) We suggest you back-up your SSL Certificate and Private Key pair and keep it safe, all IIS users can use the Export Wizard


We hope that your application process was quick and easy and you have enjoyed the AlphaSSL experience.



Thank you for choosing AlphaSSL, if you have any questions or issues please do not hesitate to contact us.                                                                                                                                                           


CONTACT US

--------------------------------------------------

For Sales, Technical Support & Account Queries:

W: http://www.alphassl.com/support

E: support@alphassl.com

T: US Toll Free: 877 SSLALPHA (+1 877 775 2574) | Fax: 720 528 8160

T: EU: +44 1622 766 700 | Fax: +44 1622 662 255


---------------------------------------------------

LOW COST. TRUSTED BY ALL BROWSERS. SSL MADE EASY.

---------------------------------------------------



YOUR SSL CERTIFICATE

--------------------------------------------------

(Formatted for the majority of web server software including IIS and Apache based servers):


-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----


End of Email from AlphaSSL

===========================


# cd /root/teo-en-ming


# nano teo-en-ming-corp.crt (Saving the SSL Certificate/Public Key)


-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----


# nano intermediate_domain_ca.crt (Saving the intermediate CA certificate)


-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
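
Before these files are copied into /etc/postfix, Dovecot and Apache it is worth confirming that they belong together: the key must be the one the CSR was built from and the one the CA signed, and the intermediate must be the actual issuer of the new certificate. The script below is an added example and not part of this guide. It assumes the openssl command-line tool is installed and that the key is RSA, as above; it takes the key, CSR, certificate and intermediate file names as arguments (the guide's own names are teo-en-ming-corp.key, teo-en-ming-corp.csr, teo-en-ming-corp.crt and intermediate_domain_ca.crt in /root/teo-en-ming). It also flags the 0644 mode that openssl req gave the key in the ls -al listing earlier, since cp keeps that mode when the key is copied into the service directories.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a renewed key, CSR,
# certificate and intermediate belong together before installing them.
# Assumes the openssl CLI on PATH and an RSA key (as generated in the guide).
# Usage: tls_bundle_check KEY CSR CERT INTERMEDIATE [MIN_DAYS]

# Print the RSA modulus of a key, CSR or certificate so they can be compared.
# $1 = rsa|req|x509 (the openssl subcommand for that file type), $2 = PEM file
modulus_of() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

# Print a certificate's subject or issuer DN without the "subject="/"issuer=" prefix.
# $1 = subject|issuer, $2 = PEM certificate
dn_of() {
    openssl x509 -noout "-$1" -in "$2" 2>/dev/null | sed 's/^[a-z]*= *//'
}

tls_bundle_check() {
    key=$1; csr=$2; cert=$3; inter=$4; min_days=${5:-30}; rc=0

    # 1. The key must be the one the CSR was generated from and the one the CA signed.
    kmod=$(modulus_of rsa "$key")
    if [ -z "$kmod" ]; then echo "FAIL: cannot read RSA private key $key"; return 1; fi
    [ "$(modulus_of req "$csr")" = "$kmod" ] \
        || { echo "FAIL: CSR $csr was not generated from $key"; rc=1; }
    [ "$(modulus_of x509 "$cert")" = "$kmod" ] \
        || { echo "FAIL: certificate $cert does not match $key"; rc=1; }

    # 2. The intermediate file must be the actual issuer of the leaf; a stale
    #    intermediate kept from a previous renewal is the usual cause of chain errors.
    [ "$(dn_of issuer "$cert")" = "$(dn_of subject "$inter")" ] \
        || { echo "FAIL: $inter is not the issuer of $cert"; rc=1; }

    # 3. Refuse a certificate that expires within min_days (-checkend takes seconds).
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert expires within $min_days days"; rc=1; }

    # 4. openssl req wrote the key 0644 in the guide's listing; it must be root-only.
    case "$(ls -ld "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $key is readable by group/others; run: chmod 600 $key"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert matches $key and chains to $(dn_of subject "$inter")"
    return "$rc"
}

# Only run when the four file names are given, so the functions can also be sourced.
if [ "$#" -ge 4 ]; then
    tls_bundle_check "$@"
fi
```

Run it from /root/teo-en-ming as `sh tls_bundle_check.sh teo-en-ming-corp.key teo-en-ming-corp.csr teo-en-ming-corp.crt intermediate_domain_ca.crt`; a non-zero exit means one of the four checks failed and the reason is printed. Fixing the key mode with chmod 600 before the cp steps below keeps the copies in /etc/postfix and /home/teo-en-ming-corp root-only as well.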


Installing SSL Certificate on Postfix SMTP Server

=================================================


Backup the Postfix configuration files first before you modify anything.


# cd /etc/postfix


# cp main.cf main.teoenming


# cp master.cf master.teoenming


Reference Guide: Installing and configuring SSL on Postfix/Dovecot mail server

Link: https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server


Copy the public and private key over from /root/teo-en-ming to /etc/postfix.


# cd /root/teo-en-ming/


# cp * /etc/postfix


# cd /etc/postfix


Edit the Postfix configuration file.


# nano main.cf


smtpd_tls_cert_file = /etc/postfix/teo-en-ming-corp.crt

smtpd_tls_key_file = /etc/postfix/teo-en-ming-corp.key

smtpd_tls_CAfile = /etc/postfix/intermediate_domain_ca.crt


***Please note that the previous IT support company did not enable SSL/TLS for SMTP Server.***


Restart the Postfix SMTP Server.


# service postfix restart
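
The three main.cf lines above name the certificate files but do not switch TLS on: Postfix only advertises STARTTLS when smtpd_tls_security_level (Postfix 2.3 and later; CentOS 6 ships 2.6) or the legacy smtpd_use_tls = yes is set, and a mistyped certificate path does not stop Postfix from starting, it just leaves TLS broken. The audit script below is an added example, not part of this guide; it reads a main.cf in the plain "name = value" form used here (continuation lines are ignored), checks the three file parameters and the security level, and warns when the key is readable by other users. The parameter names are Postfix's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the TLS settings in a
# Postfix main.cf before restarting. Assumes plain "name = value" lines.
# Usage: postfix_tls_audit /etc/postfix/main.cf

# Print the effective value of one main.cf parameter (last assignment wins).
main_cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

postfix_tls_audit() {
    cf=$1; rc=0

    # 1. Each certificate parameter must be set and point at a readable file.
    for p in smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_CAfile; do
        v=$(main_cf_get "$cf" "$p")
        if [ -z "$v" ]; then
            echo "FAIL: $p is not set"; rc=1
        elif [ ! -r "$v" ]; then
            echo "FAIL: $p = $v (file missing or unreadable)"; rc=1
        else
            echo "ok:   $p = $v"
        fi
    done

    # 2. Certificate files alone do not enable TLS: smtpd only offers STARTTLS
    #    when smtpd_tls_security_level (or the legacy smtpd_use_tls) says so.
    lvl=$(main_cf_get "$cf" smtpd_tls_security_level)
    legacy=$(main_cf_get "$cf" smtpd_use_tls)
    case "$lvl" in
        may|encrypt)
            echo "ok:   smtpd_tls_security_level = $lvl" ;;
        "")
            if [ "$legacy" = yes ]; then
                echo "ok:   smtpd_use_tls = yes (legacy setting)"
            else
                echo "FAIL: STARTTLS not enabled; add: smtpd_tls_security_level = may"; rc=1
            fi ;;
        *)
            echo "FAIL: smtpd_tls_security_level = $lvl does not enable TLS"; rc=1 ;;
    esac

    # 3. The private key should be readable by root only (cp keeps the 0644 mode
    #    that openssl req gave it earlier in the guide).
    k=$(main_cf_get "$cf" smtpd_tls_key_file)
    if [ -n "$k" ] && [ -r "$k" ]; then
        case "$(ls -ld "$k" | cut -c5-10)" in
            ------) ;;
            *) echo "WARN: $k is readable by group/others; run: chmod 600 $k" ;;
        esac
    fi
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    postfix_tls_audit "$1"
fi
```

When the audit reports the missing level, apply it with `postconf -e 'smtpd_tls_security_level = may'`, confirm the result with `postconf -n | grep smtpd_tls` and `postfix check`, and only then restart. Note that `cp * /etc/postfix` above also copies the CSR, which Postfix does not need, and that the sslcheck results later in this guide (a timeout on 465, no TLS negotiated on 587) are exactly what an unset security level and a filtered or unconfigured port produce.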


Installing SSL Certificate on Dovecot IMAP and POP3 Incoming Mail Server

=========================================================================


Backup the auxiliary Dovecot configuration file first before you modify anything.


# cd /etc/dovecot/conf.d


# cp 10-ssl.conf 10-ssl.teoenming


Begin Redundant/Useless Section

===============================


Please do not follow the instructions in this section.


# cd /etc/pki/dovecot/certs


# cp /root/teo-en-ming/teo-en-ming-corp.crt .


# cd /etc/pki/dovecot/private/


# cp /root/teo-en-ming/teo-en-ming-corp.key .


# cd /etc/dovecot/conf.d


Edit 10-ssl.conf.


# nano 10-ssl.conf


ssl_cert = </etc/pki/dovecot/certs/teo-en-ming-corp.crt

ssl_key = </etc/pki/dovecot/private/teo-en-ming-corp.key


End of Redundant/Useless Section

================================


Backup the Main Dovecot configuration file before you modify anything.


# cd /etc/dovecot


# cp dovecot.conf dovecot.conf.teoenming


Modify the Main Dovecot Configuration file.


# nano dovecot.conf


local_name teo-en-ming-corp.com.sg {

  ssl_cert = </home/teo-en-ming-corp/teo-en-ming-corp.crt

  ssl_key = </home/teo-en-ming-corp/teo-en-ming-corp.key

  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt

}

local_name www.teo-en-ming-corp.com.sg {

  ssl_cert = </home/teo-en-ming-corp/teo-en-ming-corp.crt

  ssl_key = </home/teo-en-ming-corp/teo-en-ming-corp.key

  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt

}

local_name autoconfig.teo-en-ming-corp.com.sg {

  ssl_cert = </home/teo-en-ming-corp/teo-en-ming-corp.crt

  ssl_key = </home/teo-en-ming-corp/teo-en-ming-corp.key

  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt

}

local_name autodiscover.teo-en-ming-corp.com.sg {

  ssl_cert = </home/teo-en-ming-corp/teo-en-ming-corp.crt

  ssl_key = </home/teo-en-ming-corp/teo-en-ming-corp.key

  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt

}


Restart the Dovecot IMAP and POP3 Incoming Mail Server.


# service dovecot restart


Verify SSL Certificate of Email Server

======================================


Reference Guide: How to verify that SSL for IMAP/POP3/SMTP works and a proper SSL certificate is in use

Link: https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use


[1] https://www.sslshopper.com/ssl-checker.html#hostname=smtp.gmail.com:465


[2] https://ssl-tools.net/mailservers


[3] IMAPS test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com.sg:993 -servername mail.teo-en-ming-corp.com.sg


CONNECTED(00000003)

depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

verify return:1

depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

verify return:1

depth=0 CN = *.teo-en-ming-corp.com.sg

verify return:1

---

Certificate chain

 0 s:/CN=*.teo-en-ming-corp.com.sg

   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

---

Server certificate

subject=/CN=*.teo-en-ming-corp.com.sg

issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

---

No client certificate CA names sent

---

SSL handshake has read 2961 bytes and written 632 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA256

    Session-ID: 

    Session-ID-ctx:

    Master-Key: 

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    TLS session ticket lifetime hint: 300 (seconds)

    TLS session ticket:

    


    Start Time: 1605161631

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.


[4] POP3S test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com.sg:995 -servername mail.teo-en-ming-corp.com.sg


CONNECTED(00000003)

depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

verify return:1

depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

verify return:1

depth=0 CN = *.teo-en-ming-corp.com.sg

verify return:1

---

Certificate chain

 0 s:/CN=*.teo-en-ming-corp.com.sg

   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

---

Server certificate

subject=/CN=*.teo-en-ming-corp.com.sg

issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

---

No client certificate CA names sent

---

SSL handshake has read 2961 bytes and written 632 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA256

    Session-ID: 

    Session-ID-ctx:

    Master-Key: 

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    TLS session ticket lifetime hint: 300 (seconds)

    TLS session ticket:

    


    Start Time: 1605161905

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

+OK Dovecot ready.


[5] SMTPS Port 465 test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com.sg:465 -servername mail.teo-en-ming-corp.com.sg


socket: Connection timed out

connect:errno=110


[6] SMTP Port 587 (STARTTLS) test: openssl s_client -starttls smtp -showcerts -connect mail.teo-en-ming-corp.com.sg:587 -servername mail.teo-en-ming-corp.com.sg


CONNECTED(00000003)

140575970621256:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 278 bytes and written 309 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

---
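
The four openssl s_client runs above can be scripted so that every port gives a one-line verdict and the three failure shapes seen here are told apart: no TCP connection at all (port 465), a connection that never negotiates TLS (port 587), and a completed handshake whose chain does not verify. The script below is an added example, not part of this guide. tls_verdict reads s_client output from stdin and needs only sed and grep; the three embedded samples are constructed, abridged from the output shown above. probe_tls assumes the openssl command-line tool and takes whatever hostname you pass; it also covers the Apache vhost on 443 and the STARTTLS variants on 143 and 110, which the guide did not test.

```shell
#!/bin/sh
# Added example, not part of the original guide: script the openssl s_client
# checks so that each port yields a pass/fail line. Assumes the openssl CLI
# on PATH for probe_tls; tls_verdict itself only needs sed and grep.

# Constructed samples, abridged from the guide's own s_client output.
SAMPLE_IMAPS_OK='CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.teo-en-ming-corp.com.sg
verify return:1
---
Server certificate
subject=/CN=*.teo-en-ming-corp.com.sg
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Verify return code: 0 (ok)
---'
SAMPLE_465_TIMEOUT='socket: Connection timed out
connect:errno=110'
SAMPLE_587_NO_TLS='CONNECTED(00000003)
140575970621256:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

# Read s_client output on stdin, print a one-line summary and return:
#   0 handshake done and chain verified   1 handshake done, chain not verified
#   2 no TCP connection                   3 connected but no TLS negotiated
tls_verdict() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Connection (timed out|refused)'; then
        echo "FAIL: no TCP connection (timed out = filtered; refused = nothing listening)"
        return 2
    fi
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "FAIL: connected, but the service never negotiated TLS/STARTTLS"
        return 3
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | tail -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | tail -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | tail -n 1)
    subj=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | tail -n 1)
    depth=$(printf '%s\n' "$out" | grep -c '^depth=' || true)   # certificates seen in the chain
    if [ "$code" != 0 ]; then
        echo "FAIL: verify return code ${code:-missing} (wrong/missing intermediate or untrusted root)"
        return 1
    fi
    echo "OK: $subj $proto $cipher chain_depth=$depth"
    return 0
}

# Probe one host:port; $3 is an optional STARTTLS protocol (smtp, imap, pop3).
# </dev/null makes s_client exit after the handshake instead of waiting for input.
probe_tls() {
    host=$1; port=$2; starttls=${3:+-starttls $3}
    # $starttls is deliberately left unquoted so it expands to two words
    openssl s_client $starttls -showcerts -connect "$host:$port" -servername "$host" \
        </dev/null 2>&1 | tls_verdict
}

# With a hostname argument, probe the guide's ports plus 443 and the STARTTLS
# variants; without one, replay the embedded samples.
if [ "$#" -ge 1 ]; then
    for spec in 443: 993: 143:imap 995: 110:pop3 465: 587:smtp; do
        port=${spec%%:*}; st=${spec#*:}
        printf '%-4s ' "$port"; probe_tls "$1" "$port" "$st"
    done
else
    for s in "$SAMPLE_IMAPS_OK" "$SAMPLE_465_TIMEOUT" "$SAMPLE_587_NO_TLS"; do
        printf '%s\n' "$s" | tls_verdict || :
    done
fi
```

Reading the verdicts: a timeout means packets never reach the daemon, which usually points at a firewall rather than Postfix; "no peer certificate available" right after CONNECTED means something answered on the port but never started TLS, so for Postfix the first thing to check is smtpd_tls_security_level in main.cf; a non-zero verify return code with a completed handshake means the served chain is wrong or incomplete, the same condition the GlobalSign configuration checker reports. Run the script again after each change to Postfix, Dovecot or Apache so a regression on one port is noticed immediately.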


Installing SSL Certificate on Apache Web Server

===============================================


Backup the auxiliary Apache web server configuration file before you modify anything.


# cd /etc/httpd/conf.d


# cp ssl.conf ssl.teoenming


Begin Redundant/Useless Section

===============================


Please do not follow the instructions in this section.


# cd /etc/pki/tls/certs


# cp /root/teo-en-ming/teo-en-ming-corp.crt .


# cd /etc/pki/tls/private


# cp /root/teo-en-ming/teo-en-ming-corp.key .


# cd /etc/httpd/conf.d


Edit ssl.conf.


# nano ssl.conf


SSLCertificateFile /etc/pki/tls/certs/teo-en-ming-corp.crt


SSLCertificateKeyFile /etc/pki/tls/private/teo-en-ming-corp.key


Verify all Apache web server configuration files are correct.


# httpd -t


Restart Apache web server.


# service httpd restart


End of Redundant/Useless Section

=================================


Copy the public and private key over.


# cd /home/teo-en-ming-corp


# cp /root/teo-en-ming/* .


Backup the Main Apache web server configuration file before you modify anything.


# cd /etc/httpd/conf


# cp httpd.conf httpd.teoenming


Edit the Main Apache web server configuration file.


# nano httpd.conf


SSLCertificateFile /home/teo-en-ming-corp/teo-en-ming-corp.crt

SSLCertificateKeyFile /home/teo-en-ming-corp/teo-en-ming-corp.key

SSLCACertificateFile /home/teo-en-ming-corp/intermediate_domain_ca.crt


Verify that your Apache web server configuration files are all correct.


# httpd -t


Restart Apache web server.


# service httpd restart


Configuring SSL Certificate inside Webmin

=========================================


Login to https://mail.teo-en-ming-corp.com.sg:10101


Username: root

Password: <CENSORED>


You can also configure SSL Certificate using Webmin. I will publish a guide on this in the future.


Also, 16 screenshots will be published in the future.


End of Guide

============




