Set up Certbot And Create Certs
- Up to this point we have not needed to handle SSL/TLS on the mail server. However, to secure mail exchange we need to provide a certificate.
- If you would like to check all the services running on your mail server up to this point, run

```bash
sudo service --status-all
```

to ponder your achievements so far.
- Sources:
- There are two ways to install and configure Certbot: either with your distribution's default package manager, which is easier to maintain but always lags behind on versions and may lack the newest features, or in a Python virtual environment, which keeps you independent of the package manager (i.e. APT).
- In our case we plan to use the Cloudflare plugin with an API token (the same kind we used earlier for OPNsense). As of the time of writing (10-2024), the distribution package version only supports the global API key, which is less safe: the global key grants full access to the whole Cloudflare account, whereas a token can be scoped to DNS edits on a single zone. For the purpose of this article, both ways are provided:
OPTION 1: Use API token (recommended):

```bash
# WITH TOKEN
sudo apt install python3-pip
sudo apt install python3-venv

# Create a new virtual environment for python3
sudo python3 -m venv /opt/certbot/

# Upgrade pip to the newest version
sudo /opt/certbot/bin/pip install --upgrade pip

# Install certbot in the virtual environment (to get the most recent version versus APT)
sudo /opt/certbot/bin/pip install certbot certbot-dns-cloudflare

# Make the certbot command reachable globally
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

# Create an .ini file and protect it to store the API token
# (the plugin checks the file's permissions and warns if other users can read it)
sudo mkdir /root/.secrets
sudo chmod 0700 /root/.secrets/
sudo touch /root/.secrets/cloudflare.ini
sudo chmod 0400 /root/.secrets/cloudflare.ini

# Open the file and append this line - replace XYZ with your actual API token:
sudo nano /root/.secrets/cloudflare.ini
dns_cloudflare_api_token = "XYZ"

# Create a cert via the Cloudflare DNS-01 challenge (same command as in option 2;
# the contents of the credentials file decide whether a token or the global key is used)
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d mail.your-domain.tld --preferred-challenges dns-01

# Automate updates to pip + certbot + certbot-dns-cloudflare via root's crontab
sudo crontab -e

# Append the following two lines (this is root's crontab, so no sudo is needed):
# Update pip + certbot + Cloudflare plugin monthly
@monthly /opt/certbot/bin/pip install --upgrade pip certbot certbot-dns-cloudflare >/dev/null 2>&1
```
OPTION 2: Use Global API key:

```bash
# WITH GLOBAL API KEY
# Install certbot and the Cloudflare DNS plugin from the distribution packages
sudo apt install -y certbot python3-certbot-dns-cloudflare

# Create and protect the credentials file
sudo mkdir /root/.secrets
sudo chmod 0700 /root/.secrets/
sudo touch /root/.secrets/cloudflare.ini
sudo chmod 0400 /root/.secrets/cloudflare.ini

# Open the file and append these two lines:
sudo nano /root/.secrets/cloudflare.ini
dns_cloudflare_email = "your-cloudflare-email-address"
dns_cloudflare_api_key = "your-global-api-key-not-token"

# Create a cert via the Cloudflare DNS-01 challenge
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d mail.your-domain.tld --preferred-challenges dns-01
```
- Review your certificates. You will see that the files are symlinks that lead into the archive directory, where Certbot keeps every issued version and repoints the links on renewal.

```bash
sudo ls -lah /etc/letsencrypt/live/mail.your-domain.tld/
```
- There are four .pem files:
- cert.pem → the server certificate itself, which carries the public key
- chain.pem → the intermediate certificate(s) a client needs in order to validate the server certificate up to a trusted root
- fullchain.pem → cert.pem followed by chain.pem, i.e. all certs including the server certificate
- privkey.pem → the private key, which is known only to your server
Automate Certbot Certificate Renewals:

```bash
# Test a renewal (--dry-run changes nothing on disk)
# Note: certbot renew reuses the authenticator recorded in /etc/letsencrypt/renewal/,
# so for the DNS-validated cert created above the -w webroot path is not used.
sudo certbot renew -w /var/www/html/ --dry-run

# Open root's crontab
sudo crontab -e

# Append the following two lines:
# Certbot: Check if renewal is needed weekly and reload affected services
# (the reload runs every week; certbot's --deploy-hook would run it only on an actual renewal)
@weekly certbot renew -w /var/www/html/ --quiet && systemctl reload dovecot postfix nginx
```
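Before pointing Dovecot, Postfix and nginx at the live directory, it is worth verifying what Certbot produced. The following shell function is an added example (not part of the article): it checks that the four .pem files exist, that privkey.pem is the key for cert.pem, that fullchain.pem is cert.pem plus chain.pem, that the certificate covers the mail hostname and is not about to expire, and that the private key and the Cloudflare credentials file are not readable by other users. It assumes the openssl CLI and GNU coreutils (stat -c, readlink -f) are available; the default paths are the ones used in the article.

```bash
# check_mail_cert.sh (added example, not part of the article). Assumes the
# openssl CLI and GNU coreutils (stat -c, readlink -f) are installed.
check_mail_cert() {
    local live_dir="${1:-/etc/letsencrypt/live/mail.your-domain.tld}"
    local cred_file="${2:-/root/.secrets/cloudflare.ini}"
    local host="${3:-mail.your-domain.tld}"
    local rc=0 f mode pub_cert pub_key

    # 1. The four files Certbot creates must exist (they are symlinks into ../../archive).
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -e "$live_dir/$f" ] || { echo "missing $live_dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. privkey.pem must be the key for cert.pem: compare digests of the public keys.
    pub_cert=$(openssl x509 -in "$live_dir/cert.pem" -noout -pubkey | openssl sha256)
    pub_key=$(openssl pkey -in "$live_dir/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$pub_cert" = "$pub_key" ] || { echo "privkey.pem does not match cert.pem"; rc=1; }

    # 3. fullchain.pem must be exactly cert.pem followed by chain.pem.
    cat "$live_dir/cert.pem" "$live_dir/chain.pem" | cmp -s - "$live_dir/fullchain.pem" \
        || { echo "fullchain.pem is not cert.pem + chain.pem"; rc=1; }

    # 4. The certificate must cover the mail hostname and not expire within 30 days.
    openssl x509 -in "$live_dir/cert.pem" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "cert.pem does not cover $host"; rc=1; }
    openssl x509 -in "$live_dir/cert.pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "cert.pem expires within 30 days"; rc=1; }

    # 5. Private key and Cloudflare credentials must not be group- or world-readable
    #    (resolve symlinks first, since the live files point into the archive).
    for f in "$live_dir/privkey.pem" "$cred_file"; do
        mode=$(stat -c '%a' "$(readlink -f "$f")") || { echo "cannot stat $f"; rc=1; continue; }
        case "$mode" in
            *00) ;;
            *) echo "$f has mode $mode, expected 0400 or 0600"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run it as root after issuance (for example `check_mail_cert` with no arguments) and again from a renewal hook; a non-zero exit with the printed reason tells you which file to fix before reloading the mail services.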