Let's Encrypt certificate

Sources

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7


Probado en Fedora y Centos

yum install certbot
vim /etc/nginx/default.d/le-well-known.conf
location ~ /.well-known {
  allow all;
}

systemctl restart nginx
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d MIDOMINIO.com -d www.MIDOMINIO.com -d mail.MIDOMINIO.com

It asks for an email address. Once everything has gone well:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Renewing the certificate (it is valid for 3 months):

certbot renew

Cron

sudo crontab -e
MAILTO=MIUSUARIO@MIDOMINIO.com

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 * * 1 /usr/bin/systemctl reload nginx

Nginx

For Nginx I use this template: https://github.com/snicoper/django-boilerplate/blob/master/compose/configs/nginx_https.conf

Remove default_server from /etc/nginx/nginx.conf, or it will give an error.

Postfix

For the Postfix configuration, in vim /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/MIDOMINIO.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/MIDOMINIO.com/privkey.pem

And in /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/MIDOMINIO.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/MIDOMINIO.com/privkey.pem
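
The cron above reloads nginx on a fixed schedule whether or not a renewal happened, and Postfix and Dovecot, which read the same fullchain.pem and privkey.pem, are never reloaded at all. The script below is an added example (not part of the original note or of certbot): a renewal wrapper whose certbot deploy hook reloads every consumer only when a certificate was actually renewed, plus a check that reports the days left on the certificate on disk. It assumes the domain MIDOMINIO.com from the note, systemd unit names nginx, postfix and dovecot, and GNU date and openssl on the host.

```bash
#!/bin/bash
# Added example, not from the original note. Run as "le-renew.sh renew" from
# cron; certbot calls "le-renew.sh deploy" itself only after a real renewal.
# Assumptions: domain MIDOMINIO.com, systemd units nginx/postfix/dovecot,
# GNU date (-d) and openssl available.
set -eu

DOMAIN="${DOMAIN:-MIDOMINIO.com}"
CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
RENEW_LOG="/var/log/le-renew.log"

# Services that load fullchain.pem/privkey.pem and must pick up a new key pair.
services_using_cert() {
    printf '%s\n' nginx postfix dovecot
}

# Whole days between two epoch timestamps: days_between NOW EXPIRY.
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# Exit 0 when DAYS_LEFT is at or below THRESHOLD (certbot renews at 30 days,
# so fewer days than that means the renewal job is not working).
expires_within() {
    [ "$1" -le "$2" ]
}

# Days left on the certificate on disk, parsed from openssl's "notAfter=" line.
cert_days_left() {
    local end
    end=$(openssl x509 -in "$CERT" -noout -enddate)
    end=$(date -u -d "${end#notAfter=}" +%s)
    days_between "$(date -u +%s)" "$end"
}

# Reload (or restart, if reload is unsupported) each consumer of the cert.
reload_services() {
    local s
    for s in $(services_using_cert); do
        systemctl reload "$s" || systemctl restart "$s"
    done
}

case "${1:-}" in
  renew)  certbot renew --deploy-hook "$0 deploy" >> "$RENEW_LOG" 2>&1 ;;
  deploy) reload_services ;;
  check)  left=$(cert_days_left)
          echo "${DOMAIN}: ${left} days left"
          if expires_within "$left" 30; then echo "WARNING: renewal overdue"; fi ;;
esac
```

With this in place the two cron lines collapse to one weekly "le-renew.sh renew" entry, and "le-renew.sh check" can run from monitoring to catch a renewal job that silently stopped working.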

Firewalld

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload