Server - Contents

SSL Certificate(s) for Websites

revised: 22-Jun-2022

Reference: certbot.eff.org-snap-debian
Internet trend now disencourages non-secure websites; that is those which do not communicate via an encrypted link, eg. https:// Fortunately one can freely secure a SSL Certificate and easily reconfigure one’s webserver to create websites that operate via SSL. The process here is described in two steps: Obtaining the Certificate and secondly, reconfiguring the Nginx webserver.

Part A – Obtaining the SSL Certificate: Using Cerbot

Prerequisites: a. Basic Server (Debian 10) with Webmin, FTP, Firewall and Nginx Webserver together with iRedmail
Assumption: The existing Nginx webserver is already hosting one, two or more websites (example1.com, example2.com ….), running under the usual http:// procotol.

Install Procedure:

Logon to the server via PuTTY, using a regular user (eg. sammy)

sammy@imega:$ sudo apt update -y && sudo apt-get upgrade -y
sammy@imega:$ sudo apt install software-properties-common
sammy@imega:$ sudo apt update
sammy@imega:$ sudo apt install snapd
sammy@imega:$ sudo snap install core; sudo snap refresh core
sammy@imega:$ sudo snap install --classic certbot

Get Started:

With your domain active and with the Nginx webserver providing a virtual host for that domain and rendering a single index page with simply 'It works!' as per the instructions outlined in 3-Page Website-PartB
Do the following:

sammy@imega:$ sudo dig +short -t a myexample.com // replace with your domain to verify this DNS setting.
sammy@imega:$ sudo certbot certonly --dry-run -w /var/www/html -d myexample.com -d mail.myexample.com -d www.myexample.com // using "dry-run" test the success of this request. Note: Shut down the webserver and choose "standalone" option.

If successful, repeat but remove '--dry-run'

Note: if 'cerbot' is not running,
Option 1. reboot
Option 2. check the following:
sammy@imega:$ sudo systemctl status apparmor.service
if not running, change 'status' to 'start' and re-run the command
Option 3, if certbot is not found, execute next command:
sammy@imega:$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

The above command will result in delivering one certificate that covers mail.myexample.com. A message beginning with ‘IMPORTANT NOTES:’ will provide one with three important files and their locations:
a. /etc/letsencrypt/live/myexample.com/privkey.pem // the chain
b. /etc/letsencrypt/live/example.com/fullchain.pem // the fullchain certificate

Completion: link to iRedmail app

With the certificate successfully installed, do the following:

sammy@imega:$ su // become root
root@imega:$ cd /etc/ssl/certs
root@imega:/etc/ssl/certs$ mv iRedMail.crt iRedMail.crt.bak
root@imega:/etc/ssl/certs$ cd ../private
root@imega:/etc/ssl/private$ mv iRedMail.key iRedMail.key.bak
root@imega:/etc/ssl/private$ ln -s /etc/letsencrypt/live/myexample.com/fullchain.pem /etc/ssl/certs/iRedMail.crt
root@imega:/etc/ssl/private$ ln -s /etc/letsencrypt/live/myexample.com/privkey.pem /etc/ssl/private/iRedMail.key
root@imega:/etc/ssl/private$ reboot // may not be necessary.

Testing:

The certificate expires in 90 days but 'snapd' should renew it automatically. If not, run the following:

sammy@imega:$ sudo certbot renew --dry-run //testing first, and if succesful, then remove '--dry-run' thereafter.

Checking expiry date:

sammy@imega:$ sudo certbot certificates

Extending the Certificate:

Having your website served Nginx webserver, shut down the webserver and do the following:

sammy@imega:$ certbot certonly --dry-run -d myexample.com -d myexample.com -d www.myexample.com -d mail.myexample.com [and then continue with the other additional domains] -d myexample2.com -d mail.myexample2.com (etc.) // Choose 'standalone' option and if successful, remove "--dry-run" and resubmit.
Certbot-Nginx: PartB Certbot-Extras