I'll help edit it if someone else that is currently going through
it wants to start it. Maybe set up a google doc and give some
people edit access. Or give read only access and we can drop
comments/suggestions back here for someone to edit. It's been a
long time since I set it up from scratch, so I'm a bit rusty on
that.
It shouldn't be too hard to come up with something. I like to do everything "standard" via the RH/Rocky way of doing it. That way dnf updates work and I don't have as much maintenance. So I don't compile, customize anything unless I'm forced to.
The only special part on my install is the script to "cat" the certs and create a servercert.pem. Especially with your new updates, if it works with ECDSA certs, then no need for that custom rsa 2048 config part.
With that, it should just be installing httpd, certbot, and doing
a standard config for the server name. The only complication being
if you use different names.. e.g. webmail.domain.com and
mail.domain.com or something. It's much simpler if you use the
same name for both since letsencrypt queries back to the dns name
you set up on apache to validate. If you don't use the same name,
you either have to set up a dummy virtualhost in apache to do the
challenge validation on that name, or you have to use another
challenge method like DNS-01 to update your certs. Toaster doc
should probably have examples of both.
Here's a generic letsencrypt setup for Rocky 8/9 and apache.
Needs some tweaks to do the challenge verification back to your
roundcube apache virtualhost instead of the default /var/www/html/
query. Or if you have separate names you can use the
/var/www/html/ for the dummy virtualhost to get your mail server
certs, but you'll still need another one for the roundcube
virtualhost.
https://www.cyberciti.biz/faq/how-to-secure-apache-with-lets-encrypt-certificates-on-rhel-8/
Hope this helps.. Gary
Anyone feel like doing a write-up and I'll put it on the wiki?
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
On 4/15/2024 11:18 AM, Gary Bowling wrote:
Ah, right. Actually it looks like I can just place my script that I currently run in my cron job in the /etc/letsencrypt/renewal-hooks/post/ directory and it will run as a "post renew" script.
Thanks for that.
Gary
On 4/15/2024 1:04 PM, William Silverstein wrote:
I would not use a cron script. I use the --deploy-hook option on
certbot-auto to handle it.
On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:
Great. One question. Seems like everything on my server uses
/var/qmail/control/servercert.pem for the cert. Dovecot and qmail
all use that file. And I have a cron job that runs once a month to
check for a new letsencrypt cert and if there is one it copies it
over to servercert.pem to update my mail server.
Is that the correct way to handle that? Or is that something that is
left over from my old server that I moved over?
Thanks, Gary
On 4/15/2024 12:44 PM, Eric Broch wrote:
Neither,
/var/qmail/control/dh2048.pem
/var/qmail/control/rsa2048.pem
On 4/15/2024 10:33 AM, Gary Bowling wrote:
Thanks, will still require rsa?
On 4/15/2024 10:47 AM, Eric Broch wrote:
My next iteration on EL9 will remove keysize it's deprecated,
has been for a while. Should have the new code out within the
week.
SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 (github.com)
On 4/15/2024 6:25 AM, Gary Bowling wrote:
Hey Jeff, glad you're making progress. Be aware that when
you get a new cert from Letsencrypt that the default now
retrieves an ECDSA cert. Which is fine for apache, but
doesn't work on qmail, or at least it didn't for me. To fix
that you'll need to configure letsencrypt to give you an RSA
2048 cert.
There are two ways to do that. If you want all your certs to
be RSA 2048, you can add this to the
/etc/letsencrypt/cli.ini file.
key-type = rsa
rsa-key-size = 2048
If you just want to do that for your keys you use in qmail,
then you can put the above in the
/etc/letsencrypt/renewal/domain.conf file. Where "domain" is
the name of the cert you're renewing. Certbot creates the
file so it should already be there.
Gary
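As an added example (not code from the thread or the QmailToaster project), here is a certbot deploy hook in the spirit of William's --deploy-hook suggestion and Gary's "cat the certs" script above, which also refuses to install anything but the RSA key that Gary's cli.ini settings produce. It assumes certbot's RENEWED_LINEAGE variable, the /var/qmail/control/servercert.pem path from the thread, openssl on PATH, and a systemd unit named dovecot.

```shell
#!/bin/bash
# Added example (not from the thread or the toaster project): certbot deploy
# hook that rebuilds qmail's servercert.pem. certbot runs it after a successful
# renewal with RENEWED_LINEAGE set, e.g. /etc/letsencrypt/live/mail.example.com.
set -eu

# Read "openssl x509 -text" output on stdin; print rsa, ec or unknown.
classify_key_alg() {
    case "$(sed -n 's/^ *Public Key Algorithm: //p')" in
        rsaEncryption)  echo rsa ;;
        id-ecPublicKey) echo ec ;;
        *)              echo unknown ;;
    esac
}

# Key algorithm of the leaf certificate in a certbot lineage directory.
cert_key_alg() {
    openssl x509 -in "$1/cert.pem" -noout -text | classify_key_alg
}

# Concatenate chain + key into the one file qmail and dovecot read. Write to a
# temp file and rename so no reader sees a half-written servercert.pem; 0640
# keeps the private key from being world-readable.
install_servercert() {
    local lineage="$1" target="$2" tmp
    tmp=$(mktemp "${target}.XXXXXX")
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0640 "$tmp"
    # Keep the owner/group the existing file has (toaster installs differ).
    [ -e "$target" ] && chown --reference="$target" "$tmp"
    mv -f "$tmp" "$target"
}

main() {
    local lineage="$1" alg
    alg=$(cert_key_alg "$lineage")
    if [ "$alg" != rsa ]; then
        # Gary reported qmail did not work with an ECDSA cert, so refuse to
        # deploy one rather than break SMTP/IMAP TLS; fix: key-type = rsa in cli.ini.
        echo "servercert.sh: $lineage has a $alg key, expected rsa; not deploying" >&2
        exit 1
    fi
    install_servercert "$lineage" /var/qmail/control/servercert.pem
    systemctl reload dovecot   # assumption: systemd unit named dovecot
}

# Only act when certbot invoked us; sourcing or running by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main "$RENEWED_LINEAGE"; fi
```

Drop it in /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with --deploy-hook) and certbot will only run it after a renewal actually succeeds, unlike a monthly cron job that copies whatever happens to be there.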
On 4/14/2024 10:39 PM, Jeff Koch wrote:
I may have resolved this. I did the Rocky 9 distro install of apache and
copied the mod_http2.so file over to our install of apache. Seems to work
(no errors) but I won't know for sure until we set up Let's Encrypt SSL
certbot tomorrow.
Jeff
On 4/14/2024 3:11 PM, Jeff Koch wrote:
Hi - we're setting up a new mailserver with Rocky 9 and the learning curve is
slow, as is usual the first time with a new distro.
Anyway, because our various scripts look for apache at /usr/local/apache/
we've decided to compile our own binary with the latest apache and have run
into trouble / errors related to 'nghttp2'.
We did download, compile and install the latest nghttp2-1.61.0 from github.
The configure and make went well and HTTP/1.1 works but apache generates the
following error when we activate mod_http2:
(Cannot load modules/mod_http2.so into server:
/usr/local/apache2/modules/mod_http2.so: undefined symbol:
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9 would
you mind sharing the details?
Thanks, Jeff Koch