174 lines
9.1 KiB
HTML
174 lines
9.1 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Use a bought SSL certificate</title>
|
|
<link href="./css/markdown.css" rel="stylesheet"></head>
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
|
|
|
// <a href="./index.html">Document Index</a>
|
|
</div><h1 id="use-a-bought-ssl-certificate">Use a bought SSL certificate</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#use-a-bought-ssl-certificate">Use a bought SSL certificate</a><ul>
|
|
<li><a href="#generate-ssl-private-key-and-buy-one-ssl-certificate">Generate SSL private key and buy one SSL certificate</a></li>
|
|
<li><a href="#configure-postfixdovecotapachenginx-to-use-bought-ssl-certificate">Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate</a><ul>
|
|
<li><a href="#postfix-smtp-server">Postfix (SMTP server)</a></li>
|
|
<li><a href="#dovecot-pop3imap-server">Dovecot (POP3/IMAP server)</a></li>
|
|
<li><a href="#apache-web-server">Apache (web server)</a></li>
|
|
<li><a href="#nginx-web-server">Nginx (web server)</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<p>iRedMail generates a self-signed SSL certificate during installation, it's
|
|
fine if you just want to secure the network connections (POP3/IMAP/SMTP over
|
|
TLS, HTTPS), but mail clients or web browsers will promot a annoying message
|
|
to warn you this self-signed certificate is not trusted. To avoid this
|
|
annoying message, you have to buy a SSL certificate from SSL certificate
|
|
provider. Search <code>buy ssl certificate</code> in Google will give you many SSL
|
|
providers, choose the one you prefer.</p>
|
|
<blockquote>
|
|
<p><a href="http://www.startssl.com/?app=1">StartSSL.com offers free one-year certificate</a>.</p>
|
|
</blockquote>
|
|
<h2 id="generate-ssl-private-key-and-buy-one-ssl-certificate">Generate SSL private key and buy one SSL certificate</h2>
|
|
<p>First of all, you need to generate a new SSL certificate on your server
|
|
with <code>openssl</code> command. WARNING: do NOT use key length smaller than <code>2048</code> bit,
|
|
it's insecure.</p>
|
|
<pre><code>openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
|
|
</code></pre>
|
|
|
|
<p>This command will generate two files:</p>
|
|
<ul>
|
|
<li><code>server.key</code>: the private key for the decryption of your SSL certificate.</li>
|
|
<li><code>server.csr</code>: the certificate signing request (CSR) file used to apply
|
|
for your SSL certificate. </li>
|
|
</ul>
|
|
<p>The openssl command will prompt for the following X.509 attributes of the
|
|
certificate:</p>
|
|
<ul>
|
|
<li><code>Country Name (2 letter code)</code>: Use the two-letter code without punctuation
|
|
for country. for example: US, CA, CN.</li>
|
|
<li><code>State or Province Name (full name)</code>: Spell out the state completely; do not
|
|
abbreviate the state or province name, for example: California.</li>
|
|
<li><code>Locality Name (eg, city)</code>: City or town name, for example: Berkeley.</li>
|
|
<li><code>Organization Name (eg, company)</code>: Your company name.</li>
|
|
<li><code>Organizational Unit Name (eg, section)</code>: The name of the department or
|
|
organization unit making the request.</li>
|
|
<li><code>Common Name (e.g. server FQDN or YOUR name)</code>: server FQDN or your name.</li>
|
|
<li><code>Email Address []</code>: your full email address.</li>
|
|
<li><code>A challenge password []</code>: type a password for this ssl certificate.</li>
|
|
<li><code>An optional company name []</code>: an optional company name.</li>
|
|
</ul>
|
|
<p>NOTE: Some certificates can only be used on web servers using the <code>Common Name</code>
|
|
specified during enrollment. For example, a certificate for the domain
|
|
<code>domain.com</code> will receive a warning if accessing a site named <code>www.domain.com</code>
|
|
or <code>secure.domain.com</code>, because <code>www.domain.com</code> and <code>secure.domain.com</code> are
|
|
different from <code>domain.com</code>.</p>
|
|
<p>Now you have two files: <code>server.key</code> and <code>server.csr</code>. Go to the website of
|
|
your preferred SSL privider, it will ask you to upload <code>server.csr</code> file to
|
|
issue an SSL certificate.</p>
|
|
<p>Usually, SSL provider will give you 2 files:</p>
|
|
<ul>
|
|
<li>server.crt</li>
|
|
<li>server.ca-bundle</li>
|
|
</ul>
|
|
<p>We need above 2 files, and <code>server.key</code>. Upload them to your server, you can
|
|
store them in any directory you like, recommended directories are:</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS: <code>server.crt</code> and <code>server.ca-bundle</code> should be placed under
|
|
<code>/etc/pki/tls/certs/</code>, <code>server.key</code> should be <code>/etc/pki/tls/private/</code>.</li>
|
|
<li>on Debian/Ubuntu, FreeBSD: <code>server.crt</code> and <code>server.ca-bundle</code> should be
|
|
placed under <code>/etc/ssl/certs/</code>, <code>server.key</code> should be <code>/etc/ssl/private/</code>.</li>
|
|
<li>on OpenBSD: <code>/etc/ssl/</code>.</li>
|
|
</ul>
|
|
<h2 id="configure-postfixdovecotapachenginx-to-use-bought-ssl-certificate">Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate</h2>
|
|
<p>We use CentOS for example in below tutorial, please adjust the file to correct
|
|
one on your server.</p>
|
|
<h3 id="postfix-smtp-server">Postfix (SMTP server)</h3>
|
|
<p>We can use <code>postconf</code> command to update SSL related settings directly:</p>
|
|
<pre><code>postconf -e smtpd_use_tls='yes'
|
|
postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
|
|
postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
|
|
postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
|
|
</code></pre>
|
|
|
|
<p>Restarting Postfix service is required.</p>
|
|
<h3 id="dovecot-pop3imap-server">Dovecot (POP3/IMAP server)</h3>
|
|
<p>SSL certificate settings are defined in Dovecot main config file,
|
|
<code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
|
|
<code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD):</p>
|
|
<pre><code>ssl = required
|
|
ssl_cert = </etc/pki/tls/certs/server.crt
|
|
ssl_key = </etc/pki/tls/private/server.key
|
|
ssl_ca = </etc/pki/tls/certs/server.ca-bundle
|
|
</code></pre>
|
|
|
|
<p>Restarting Dovecot service is required.</p>
|
|
<h3 id="apache-web-server">Apache (web server)</h3>
|
|
<ul>
|
|
<li>On RHEL/CentOS, SSL certificate is defined in <code>/etc/httpd/conf.d/ssl.conf</code>.</li>
|
|
<li>On Debian/Ubuntu, it's defined in <code>/etc/apache2/sites-available/default-ssl</code>
|
|
(or <code>default-ssl.conf</code>)</li>
|
|
<li>On FreeBSD, it's defined in <code>/usr/local/etc/apache24/extra/httpd-ssl.conf</code>. Note:
|
|
if you're running different version of Apache, the path will be slightly
|
|
different (<code>apache24</code> will be <code>apache[_version_]</code>).</li>
|
|
<li>On OpenBSD, if you're running OpenBSD 5.5 or earlier releases, it's defined
|
|
in <code>/var/www/conf/httpd.conf</code>. Note: OpenBSD 5.6 and later releases don't
|
|
ship Apache anymore.</li>
|
|
</ul>
|
|
<p>Example:</p>
|
|
<pre><code>SSLCertificateFile /etc/pki/tls/certs/server.crt
|
|
SSLCertificateKeyFile /etc/pki/tls/private/server.key
|
|
SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
|
|
</code></pre>
|
|
|
|
<p>Restarting Apache service is required.</p>
|
|
<h3 id="nginx-web-server">Nginx (web server)</h3>
|
|
<ul>
|
|
<li>On Linux and OpenBSD, it's defined in <code>/etc/nginx/conf.d/default.conf</code>.</li>
|
|
<li>On FreeBSD, it's defined in <code>/usr/local/etc/nginx/conf.d/default.conf</code>.</li>
|
|
</ul>
|
|
<pre><code>server {
|
|
listen 443;
|
|
...
|
|
ssl on;
|
|
ssl_certificate /etc/pki/tls/server.crt;
|
|
ssl_certificate_key /etc/pki/tls/private/server.key;
|
|
...
|
|
}
|
|
</code></pre>
|
|
|
|
<p>Some browsers may complain about a certificate signed by a well-known
|
|
certificate authority, while other browsers may accept the certificate without
|
|
issues. This occurs because the issuing authority has signed the server
|
|
certificate using an intermediate certificate that is not present in the
|
|
certificate base of well-known trusted certificate authorities which is
|
|
distributed with a particular browser. In this case the authority provides a
|
|
bundle of chained certificates which should be concatenated to the signed
|
|
server certificate. The server certificate must appear before the chained
|
|
certificates in the combined file:</p>
|
|
<pre><code># cd /etc/pki/tls/certs/
|
|
# cat server.crt server.ca-bundle > server.chained.crt
|
|
</code></pre>
|
|
|
|
<p>Then update <code>ssl_certificate</code> parameter in <code>/etc/nginx/conf.d/default.conf</code>:</p>
|
|
<pre><code> ssl_certificate /etc/pki/tls/server.chained.crt;
|
|
</code></pre>
|
|
|
|
<p>Restarting Nginx service is required.</p>
|
|
<p>Reference: <a href="http://nginx.org/en/docs/http/configuring_https_servers.html">Configuring HTTPS servers</a></p><p style="text-align: center; color: grey;">Document published under a <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">CC BY-ND 3.0</a> license. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.<script>
|
|
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
|
|
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
|
|
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
|
|
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
|
|
|
|
ga('create', 'UA-3293801-21', 'auto');
|
|
ga('send', 'pageview');
|
|
</script>
|
|
</body></html> |