-rw-r--r--server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf16
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf11
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf2
-rw-r--r--server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf55
-rwxr-xr-xserver/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache5
-rwxr-xr-xserver/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot5
-rwxr-xr-xserver/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail5
-rw-r--r--server/setup/05-service-settings/etc/mail/sendmail.mc24
8 files changed, 101 insertions, 22 deletions
diff --git a/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
new file mode 100644
index 0000000..60a41a6
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
@@ -0,0 +1,16 @@
+Alias "/.well-known/acme-challenge/" "/srv/www/jogamp.org/.well-known/acme-challenge/"
+<Directory "/srv/www/jogamp.org/.well-known/acme-challenge/">
+ Require all granted
+</Directory>
+
+RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/.*
+RewriteRule ^ - [L]
+
+# RewriteEngine On
+# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*
+# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
+
+# Install letsencrypt `certbot` and create cert via `certbot certonly`
+# using webroot `/srv/www/jogamp.org` for cert `jogamp.org mail.jogamp.org`.
+# Then ensure to reload apache, restart sendmail, dovecot etc via
+# /etc/letsencrypt/renewal-hooks/deploy scripts.
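Review bot: The `<Directory>` block for the challenge path grants access but still inherits `AllowOverride All` from the webroot `<Directory "/srv/www/jogamp.org">` of both including vhosts, so a `.htaccess` dropped into the webroot can deny or rewrite requests under `/.well-known/acme-challenge/` and silently break renewal; add `AllowOverride None` and `Options None` inside that block. The `RewriteCond`/`RewriteRule` pair only takes effect where the including vhost has already turned on `RewriteEngine`, and the HTTP→HTTPS redirect below it stays commented out, so after this change the plain-HTTP vhost in jogamp_org.conf keeps serving all content over HTTP. If that is intended, say so in a comment (`# redirect left disabled on purpose; RewriteEngine On is expected from the including vhost`), otherwise enable those three lines. The same applies to the Include hunks in jogamp_org-ssl.conf and jogamp_org.conf.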
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index 46582be..fe6124c 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -84,8 +84,11 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+ #SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
+ #SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+
+ SSLCertificateFile /etc/letsencrypt/live/jogamp.org/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/jogamp.org/privkey.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
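Review bot: `SSLCertificateFile` now points at `fullchain.pem`, which already carries the intermediate, and the next hunk comments out `SSLCertificateChainFile` accordingly; a one-line comment above the new lines would stop the next reader from re-adding a chain file: `# fullchain.pem includes the intermediate; SSLCertificateChainFile (deprecated since 2.4.8) is intentionally unset`. This vhost also has `SSLStaplingCache` configured (hunk header); Let's Encrypt has announced ending its OCSP responders in favor of CRLs, so if `SSLUseStapling on` is set elsewhere in this file, expect stapling errors in the log once certificates without an OCSP URL are issued, and consider turning stapling off for this lineage.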
@@ -100,7 +103,7 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert3-20151105.pem
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert4-20171102.pem
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert5-20181102.pem
- SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
+ #SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
@@ -214,6 +217,8 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
# configures the footer on server-generated documents
ServerSignature On
+ Include /etc/apache2/acme-and-redirect.conf
+
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
index 90ac67b..935d12e 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
@@ -25,6 +25,8 @@
# configures the footer on server-generated documents
ServerSignature On
+ Include /etc/apache2/acme-and-redirect.conf
+
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All
diff --git a/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf b/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
index dd3183c..140e418 100644
--- a/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
+++ b/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
@@ -10,10 +10,12 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-#ssl_cert = </etc/dovecot/dovecot.pem
-#ssl_key = </etc/dovecot/private/dovecot.pem
-ssl_cert = </etc/ssl/local/jogamp2013-hostcert.pem
-ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
+#ssl_cert = </etc/dovecot/private/dovecot.pem
+#ssl_key = </etc/dovecot/private/dovecot.key
+#ssl_cert = </etc/ssl/local/jogamp2025a.org.crt.pem
+#ssl_key = </etc/ssl/local/jogamp2025a.org.key.mail.pem
+ssl_cert = </etc/letsencrypt/live/jogamp.org/fullchain.pem
+ssl_key = </etc/letsencrypt/live/jogamp.org/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -25,11 +27,20 @@ ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
-ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+#ssl_ca = </etc/ssl/local/thawte-ca-cert5-20181102.pem
+#ssl_ca = </etc/ssl/local/jogamp2025a.org.ca.pem
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
+#ssl_client_ca_file =
+
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
@@ -39,16 +50,34 @@ ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
-# How often to regenerate the SSL parameters file. Generation is quite CPU
-# intensive operation. The value is in hours, 0 disables regeneration
-# entirely.
-#ssl_parameters_regenerate = 168
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+#ssl_dh = </usr/share/dovecot/dh.pem
+ssl_dh = </etc/ssl/local/dhparams-4096.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+#ssl_min_protocol = TLSv1
-# SSL protocols to use
-#ssl_protocols = !SSLv2
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+# compression - Enable compression.
+# no_ticket - Disable SSL session tickets.
+#ssl_options =
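Review bot: `ssl_min_protocol` is left at its commented placeholder `TLSv1` while `ssl_dh` and the cipher-list comments were refreshed; for a public IMAP/POP endpoint pin it explicitly with `ssl_min_protocol = TLSv1.2`, and consider `ssl_prefer_server_ciphers = yes` so the server's cipher order wins over the client's. The effective default depends on the installed Dovecot version (older 2.3 releases default to TLSv1), so setting it in the file removes that uncertainty.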
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache
new file mode 100755
index 0000000..735c87f
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl reload apache2
+
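Review bot: The hook runs unconditionally for every renewed lineage; certbot exports `RENEWED_LINEAGE` to deploy hooks, so if more than one certificate is ever managed on this host a guard such as `case "${RENEWED_LINEAGE:-}" in */jogamp.org) ;; *) exit 0 ;; esac` keeps unrelated renewals from touching these services. The `-eu` on the shebang line only applies when the file is executed directly (which certbot does); running it as `sh apache` silently loses it, so `set -eu` as the first statement is the more robust form. Both points apply equally to the dovecot and sendmail hooks below.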
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot
new file mode 100755
index 0000000..bb5425e
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl restart dovecot
+
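Review bot: `systemctl restart dovecot` drops every active IMAP/POP session on each renewal; Dovecot re-reads `ssl_cert`/`ssl_key` on a configuration reload (SIGHUP / `doveadm reload`), so `/usr/bin/systemctl reload dovecot` should swap the certificate without the disconnects, matching what the apache hook does. If the restart is deliberate, for example to force long-lived connections onto the new certificate, a comment saying so would help.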
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail
new file mode 100755
index 0000000..0bb1eca
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl restart sendmail
+
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
index 79f8a91..bc01d9a 100644
--- a/server/setup/05-service-settings/etc/mail/sendmail.mc
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -129,18 +129,30 @@ dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
-define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confDH_PARAMETERS',`/etc/ssl/local/dhparams-4096.pem')dnl
dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confCACERT', `/etc/ssl/local/thawte-ca-cert5-20181102.pem')dnl
-define(`confCACERT', `/etc/ssl/local/jogamp2025a.org.ca.pem')dnl
-define(`confSERVER_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
-define(`confSERVER_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
-define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
-define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+
+dnl define(`confCACERT_PATH', `/etc/ssl/certs')dnl
+dnl define(`confCACERT', `/etc/ssl/local/jogamp2025a.org.ca.pem')dnl
+dnl define(`confSERVER_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
+dnl define(`confSERVER_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+dnl define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
+dnl define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+
+define(`CERT_DIR', `/etc/letsencrypt/live/jogamp.org')
+define(`confCACERT_PATH', `CERT_DIR')
+define(`confCACERT', `CERT_DIR/fullchain.pem')
+define(`confSERVER_CERT', `CERT_DIR/cert.pem')
+define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
+define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
+define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
+
+define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
+
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
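Review bot: `confCACERT_PATH` is moved from `/etc/ssl/certs` to the Let's Encrypt lineage directory, which contains no hashed CA certificates, so sendmail loses the system trust store for verifying remote MTAs on outbound STARTTLS and any client that presents a certificate; keep `confCACERT_PATH` at `/etc/ssl/certs` and let only `confCACERT` point at `fullchain.pem`, which is what supplies the intermediate to present. The new `define` lines also omit the trailing `dnl` that every other `define` in the file carries, which emits a blank line into sendmail.cf for each one and breaks the file's style. `groupreadablekeyfile` in `confDONT_BLAME_SENDMAIL` relaxes the key-file permission check and implies `privkey.pem` has been made group-readable; since certbot writes a fresh key on each renewal, the intended mode and group should be applied in the sendmail deploy hook rather than assumed to survive.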