Let's Encrypt certificate
Sources
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
Tested on Fedora and CentOS
yum install certbot
vim /etc/nginx/default.d/le-well-known.conf
location ~ /.well-known {
allow all;
}
systemctl restart nginx
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d MIDOMINIO.com -d www.MIDOMINIO.com -d mail.MIDOMINIO.com
It asks for an email address. Once everything has gone well:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Renewing the certificate (it is valid for 3 months):
certbot renew
Cron
sudo crontab -e
MAILTO=MIUSUARIO@MIDOMINIO.com
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 * * 1 /usr/bin/systemctl reload nginx
Nginx
For Nginx I use this template: https://github.com/snicoper/django-boilerplate/blob/master/compose/configs/nginx_https.conf
Remove default_server from /etc/nginx/nginx.conf, or it will give an error.
Postfix
For the Postfix configuration, in vim /etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/letsencrypt/live/MIDOMINIO.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/MIDOMINIO.com/privkey.pem
And in /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/MIDOMINIO.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/MIDOMINIO.com/privkey.pem
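The cron entry above only reloads nginx, while Postfix and Dovecot read the same certificate files and keep serving the old one until they are reloaded too. The following renewal helper is an added example, not part of the original notes or of certbot. It assumes the live directory from this page (/etc/letsencrypt/live/MIDOMINIO.com, with MIDOMINIO.com being the placeholder used here), certbot at /usr/bin/certbot, and that nginx, postfix and dovecot all point at that fullchain.pem and privkey.pem. It reloads all three services through certbot's --deploy-hook, which runs only when a certificate was actually renewed, and then checks that the private key still matches the certificate and that more than 30 days of validity remain.

```shell
#!/bin/sh
# Added example (not from the original notes): renewal helper for the cron job.
# Assumptions: live directory /etc/letsencrypt/live/MIDOMINIO.com (MIDOMINIO.com is
# the page's placeholder), certbot at /usr/bin/certbot, and nginx, postfix and
# dovecot all reading the same fullchain.pem / privkey.pem.
set -eu

LIVE_DIR="/etc/letsencrypt/live/MIDOMINIO.com"
CERT="$LIVE_DIR/fullchain.pem"
KEY="$LIVE_DIR/privkey.pem"
LOG="/var/log/le-renew.log"

# Returns 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 when the certificate is still valid after that
# many seconds, so the result is inverted here to read naturally.
cert_expires_within() {
    if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 if private key $2 belongs to certificate $1 (same public key in
# SubjectPublicKeyInfo form), 1 otherwise. Works for RSA and ECDSA keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

log() {
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $*" >> "$LOG"
}

renew_and_reload() {
    # --deploy-hook runs only when a certificate was actually renewed, so the
    # three services are reloaded together and only when there is something new.
    /usr/bin/certbot renew \
        --deploy-hook "/usr/bin/systemctl reload nginx postfix dovecot" >> "$LOG" 2>&1

    if ! key_matches_cert "$CERT" "$KEY"; then
        log "ERROR: $KEY does not match $CERT"
        return 1
    fi
    if cert_expires_within "$CERT" 30; then
        log "WARNING: $CERT expires within 30 days although renew ran"
        return 2
    fi
    log "OK: $CERT is valid for more than 30 days"
}

# Run as: sh le-renew.sh run   (nothing happens when sourced without the argument)
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

With this script saved as, say, /usr/local/bin/le-renew.sh (path is an assumption), the two cron lines collapse into one, 30 2 * * 1 /usr/local/bin/le-renew.sh run, and a non-zero exit status reaches the MAILTO address through cron, so a failed renewal or a mismatched key is noticed before the 3 months run out.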
Firewalld
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload