Bootstrap

ubuntu上申请Let‘s Encrypt HTTPS 证书

Ubuntu 16.04及以上版本通常自带Snapd,如果你的系统还没有安装,可以通过以下命令安装:
安装Certbot#
使用Snap安装Certbot,确保你获得的是最新版本:

bash
sudo snap install --classic certbot
  1. 准备Certbot命令#
    确保Certbot命令可以通过创建一个符号链接到/usr/bin目录中的命令来运行:
bash
sudo ln -s /snap/bin/certbot /usr/bin/certbot

实例

root@mail:~# apt-get install cerbot
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package cerbot
root@mail:~# exit
logout
wqbboy@mail:~$ sudo apt-get install cerbot
[sudo] password for wqbboy:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package cerbot
wqbboy@mail:~$ sudo apt install snapd
[sudo] password for wqbboy:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  zenity | kdialog
The following packages will be upgraded:
  snapd
1 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
Need to get 26.4 MB of archives.
After this operation, 2,134 kB of additional disk space will be used.
Get:1 http://cn.archive.ubuntu.com/ubuntu jammy-updates/main amd64 snapd d64 2.65.3+22.04 [26.4 MB]
Fetched 26.4 MB in 3s (9,407 kB/s)
(Reading database ... 89736 files and directories currently installed.)
Preparing to unpack .../snapd_2.65.3+22.04_amd64.deb ...
Unpacking snapd (2.65.3+22.04) over (2.63+22.04ubuntu0.1) ...
Setting up snapd (2.65.3+22.04) ...
Installing new version of config file /etc/apparmor.d/usr.lib.snapd.snap-nfine.real ...
snapd.failure.service is a disabled or a static unit not running, not staing it.
snapd.snap-repair.service is a disabled or a static unit not running, nottarting it.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes... [                                                  Scanning processes... [                                                  Scanning processes... [                                                  Scanning processes... [                                                  Scanning processes... [=                                                 Scanning processes... [=                                                  Scanning linux images... [=================================              Scanning linux images...                                                 

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binarie              s on this host.


查看版本


wqbboy@mail:~$ snap version
snap    2.65.3+22.04
snapd   2.65.3+22.04
series  16
ubuntu  22.04
kernel  5.15.0-124-generic
wqbboy@mail:~$ sudo snap install --classic certbot
certbot 2.11.0 from Certbot Project (certbot-eff✓) installed
wqbboy@mail:~$ ln -s /snap/bin/certbot /usr/bin/certbot
ln: failed to create symbolic link '/usr/bin/certbot': Permission denied
wqbboy@mail:~$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
[sudo] password for wqbboy:
wqbboy@mail:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

安装openssl


wqbboy@mail:~$ sudo apt-get install openssl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssl is already the newest version (3.0.2-0ubuntu1.18).
openssl set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.

wqbboy@mail:~$ cd /etc/nginx/
wqbboy@mail:/etc/nginx$ ls
conf-available  modules-available               sites-available.bak
conf.d          modules-enabled                 sites-enabled
conf-enabled    netdata.users                   sites-enabled.bak
fastcgi.conf    nginx.conf                      snippets
fastcgi_params  nginx.conf.2024.10.20.03.13.29  templates
koi-utf         proxy_params                    uwsgi_params
koi-win         scgi_params                     win-utf
mime.types      sites-available

生成私钥和 CSR(证书签名请求):

wqbboy@mail:/etc/nginx$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
.+......+.....+.+......+..+...............+...............+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+......+......+.+............+..+.+.....+...+.......+.....+....+.....+..........+........+.+..+...+.+...+...+...+......+......+........+.......+........+.+...+...............+............+.....+....+.....+.........+.+..........................+.+...+..+..........+.....+...+...............+......+......+.......+........+...+............+...+.+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....+..........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.+.....+...+.+........+.............+........+....+..+...+...+............+......................+...+......+...............+.....+....+.......................+...+................+...+............+......+..+.+..+.......+...+.................+.+......+...+..+..........+...+..................+..+.+...............+............+...+..+....+.....+...............+.+..+.+.....+......+.+.....+..................................+...+......+..+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
req: Can't open "/etc/nginx/ssl/nginx.key" for writing, No such file or directory
wqbboy@mail:/etc/nginx$ sudo mkdir ssl
wqbboy@mail:/etc/nginx$ ls
conf-available  modules-available               sites-available.bak
conf.d          modules-enabled                 sites-enabled
conf-enabled    netdata.users                   sites-enabled.bak
fastcgi.conf    nginx.conf                      snippets
fastcgi_params  nginx.conf.2024.10.20.03.13.29  ssl
koi-utf         proxy_params                    templates
koi-win         scgi_params                     uwsgi_params
mime.types      sites-available                 win-utf
wqbboy@mail:/etc/nginx$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
..+...+..........+...............+......+..+............+.+..+.............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.+.....+....+.........+..+..........+.....+....+..+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+.+...+.........+........+...+....+......+...........+.+..+...............+............+.+...............+........+......+...+............+...+...+....+...+...........+.+...+...+..+......+......+.+...+......+...............+.....+.+.....+...+.......+...+..............+.+.....+........................+......+.+........+.......+...+...+..............+......+...+..........+..+...............+....+...+...+...+..+....+......+..................+.....+.+...+...........+......+.+...+.........+..+...+..........+..+.....................+..........+..+......+..........+......+........+...+...+...................+..+...+............+....+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+.....+.+...........+....+.....+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+.........+.....+.+..+......+.........+..........+......+..+...+....+......+..............+...+......................+.....+.+...........+...+.+......+...........+...............+...+.......+..+.+...........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HUBEI
Locality Name (eg, city) []:XGS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GA
Organizational Unit Name (eg, section) []:ZHZX
Common Name (e.g. server FQDN or YOUR name) []:mail.xgpolice.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

生成自签名 SSL 证书:

wqbboy@mail:/etc/nginx$ sudo openssl x509 -req -days 3650 -in /etc/nginx/ssl/nginx.csr -signkey /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Certificate request self-signature ok
subject=C = CN, ST = HUBEI, L = XGS, O = GA, OU = ZHZX, CN = mail.xgpolice.com
wqbboy@mail:/etc/nginx$ sudo vi /etc/nginx/sites-available/00-default
00-default.conf      00-default-ssl.conf
wqbboy@mail:/etc/nginx$ sudo vi /etc/nginx/sites-available/00-default
00-default.conf      00-default-ssl.conf
wqbboy@mail:/etc/nginx$ sudo vi /etc/nginx/sites-available/00-default-ssl.conf

让我们在 /etc/nginx/snippets 目录下创建一个新的 Nginx 配置片段。

为了正确区分该文件的目的,让我们将其命名为 self-signed.conf:

在这个文件中,我们只需要将 ssl_certificate 指令设置为我们的证书文件,将

ssl_certificate_key 设置为相关的密钥。在我们的情况下,这将如下所示:

wqbboy@mail:/etc/nginx$ sudo nano /etc/nginx/snippets/self-signed.conf
wqbboy@mail:/etc/nginx$ sudo cat /etc/nginx/snippets/self-signed.conf
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
wqbboy@mail:/etc/nginx$ ls
conf-available  modules-available               sites-available.bak
conf.d          modules-enabled                 sites-enabled
conf-enabled    netdata.users                   sites-enabled.bak
fastcgi.conf    nginx.conf                      snippets
fastcgi_params  nginx.conf.2024.10.20.03.13.29  ssl
koi-utf         proxy_params                    templates
koi-win         scgi_params                     uwsgi_params
mime.types      sites-available                 win-utf
wqbboy@mail:/etc/nginx$ cd ssl
wqbboy@mail:/etc/nginx/ssl$ ls
nginx.crt  nginx.csr  nginx.key
wqbboy@mail:/etc/nginx/ssl$ cd /etc/nginx/sites-available
wqbboy@mail:/etc/nginx/sites-available$ ls
00-default.conf  00-default-ssl.conf
wqbboy@mail:/etc/nginx/sites-available$ sudo cp 00-default-ssl.conf 00-default-ssl.conf.bak
wqbboy@mail:/etc/nginx/sites-available$ ls
00-default.conf  00-default-ssl.conf  00-default-ssl.conf.bak
wqbboy@mail:/etc/nginx/sites-available$ sudo nano 00-default-ssl.conf

调整 Nginx 配置以使用 SSL

wqbboy@mail:/etc/nginx/sites-available$ cd ..
wqbboy@mail:/etc/nginx$ ls
conf-available  modules-available               sites-available.bak
conf.d          modules-enabled                 sites-enabled
conf-enabled    netdata.users                   sites-enabled.bak
fastcgi.conf    nginx.conf                      snippets
fastcgi_params  nginx.conf.2024.10.20.03.13.29  ssl
koi-utf         proxy_params                    templates
koi-win         scgi_params                     uwsgi_params
mime.types      sites-available                 win-utf
wqbboy@mail:/etc/nginx$ ls
conf-available  modules-available               sites-available.bak
conf.d          modules-enabled                 sites-enabled
conf-enabled    netdata.users                   sites-enabled.bak
fastcgi.conf    nginx.conf                      snippets
fastcgi_params  nginx.conf.2024.10.20.03.13.29  ssl
koi-utf         proxy_params                    templates
koi-win         scgi_params                     uwsgi_params
mime.types      sites-available                 win-utf
wqbboy@mail:/etc/nginx$ ls snippets/
fastcgi-php.conf  self-signed.conf  snakeoil.conf
wqbboy@mail:/etc/nginx$ ls ssl/
nginx.crt  nginx.csr  nginx.key
wqbboy@mail:/etc/nginx$ ls sites-available
00-default.conf  00-default-ssl.conf  00-default-ssl.conf.bak
wqbboy@mail:/etc/nginx$ cd sites-available
wqbboy@mail:/etc/nginx/sites-available$ ls
00-default.conf  00-default-ssl.conf  00-default-ssl.conf.bak
wqbboy@mail:/etc/nginx/sites-available$ sudo nano 00-default-ssl.conf


配置 Nginx 以使用自签名 SSL 证书:

wqbboy@mail:/etc/nginx/sites-available$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
wqbboy@mail:/etc/nginx/sites-available$ sudo systemctl restart nginx
wqbboy@mail:/etc/nginx/sites-available$

修改这个文件的ssl证书的key和crt文件路径。

wqbboy@mail:/etc/nginx/sites-available$ sudo vi /etc/nginx/templates/ssl.tmpl
[sudo] password for wqbboy:
wqbboy@mail:/etc/nginx/sites-available$ sudo vi /etc/nginx/templates/ssl.tmpl

修改完后需要重新加载一下nginx配置

wqbboy@mail:/etc/nginx/sites-available$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
wqbboy@mail:/etc/nginx/sites-available$ sudo nginx -s reload
wqbboy@mail:/etc/nginx/sites-available$ systemctl reload nginx
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to reload 'nginx.service'.
Authenticating as: wqbboy
Password:
==== AUTHENTICATION COMPLETE ===
wqbboy@mail:/etc/nginx/sites-available$

配置 postfix

编辑 /etc/postfix/main.cf 文件以使用 SSL 证书。

wqbboy@mail:/etc/nginx/sites-available$ sudo vi /etc/postfix/main.cf
wqbboy@mail:/etc/nginx/sites-available$ cat /etc/postfix/main.cf | grep smtpd
smtpd_tls_key_file = /etc/nginx/ssl/nginx.key
smtpd_tls_cert_file = /etc/nginx/ssl/nginx.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
#smtpd_tls_received_header = yes
# Use the same CA file as smtpd.
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
smtpd_end_of_data_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
smtpd_sender_login_maps =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
wqbboy@mail:/etc/nginx/sites-available$ cat /etc/postfix/main.cf | grep smtpd_tls
smtpd_tls_key_file = /etc/nginx/ssl/nginx.key
smtpd_tls_cert_file = /etc/nginx/ssl/nginx.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
#smtpd_tls_received_header = yes
#smtpd_tls_auth_only = yes
wqbboy@mail:/etc/nginx/sites-available$ sudo systemctl restart postfix

配置 dovecot
编辑 /etc/dovecot/dovecot.conf文件以使用 SSL 证书。

wqbboy@mail:/etc/nginx/sites-available$ sudo vi /etc/dovecot/dovecot.conf
wqbboy@mail:/etc/nginx/sites-available$ cat /etc/dovecot/dovecot.conf | greep ssl_
Command 'greep' not found, did you mean:
  command 'grep' from deb grep (3.7-1build1)
  command 'greed' from deb greed (4.2-1)
Try: sudo apt install <deb name>
wqbboy@mail:/etc/nginx/sites-available$ cat /etc/dovecot/dovecot.conf | grep ssl_
ssl_min_protocol = TLSv1.2
#ssl_ca = </path/to/ca
ssl_cert = </etc/nginx/ssl/nginx.crt
ssl_key = </etc/nginx/ssl/nginx.key
ssl_dh = </etc/ssl/dh2048_param.pem
ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
ssl_prefer_server_ciphers = yes
wqbboy@mail:/etc/nginx/sites-available$

重启 Dovecot


wqbboy@mail:/etc/nginx/sites-available$ sudo systemctl restart dovecot
wqbboy@mail:/etc/nginx/sites-available$

;