From c99798f5f094ffeb5c77e43f18b4b8c75dd4cf49 Mon Sep 17 00:00:00 2001
From: Sven Göthel <sgothel@jausoft.com>
Date: Sun, 2 Mar 2025 20:33:06 +0100
Subject: Use letsencrypt for apache2, dovecot and sendmail (see
 /etc/apache2/acme-and-redirect.conf)

---
 .../etc/apache2/acme-and-redirect.conf             | 16 +++++++
 .../apache2/sites-available/jogamp_org-ssl.conf    | 11 +++--
 .../etc/apache2/sites-available/jogamp_org.conf    |  2 +
 .../etc/dovecot/conf.d/10-ssl.conf                 | 55 +++++++++++++++++-----
 .../etc/letsencrypt/renewal-hooks/deploy/apache    |  5 ++
 .../etc/letsencrypt/renewal-hooks/deploy/dovecot   |  5 ++
 .../etc/letsencrypt/renewal-hooks/deploy/sendmail  |  5 ++
 .../setup/05-service-settings/etc/mail/sendmail.mc | 24 +++++++---
 8 files changed, 101 insertions(+), 22 deletions(-)
 create mode 100644 server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
 create mode 100755 server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache
 create mode 100755 server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot
 create mode 100755 server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail

diff --git a/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
new file mode 100644
index 0000000..60a41a6
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
@@ -0,0 +1,16 @@
+Alias "/.well-known/acme-challenge/" "/srv/www/jogamp.org/.well-known/acme-challenge/"
+<Directory "/srv/www/jogamp.org/.well-known/acme-challenge/">
+    Require all granted
+</Directory>
+
+RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/.*
+RewriteRule ^ - [L]
+
+# RewriteEngine On
+# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*
+# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
+
+# Install letsencrypt `certbot` and create cert via `certbot certonly` 
+# using webroot `/srv/www/jogamp.org` for cert `jogamp.org mail.jogamp.org`.
+# Then ensure to reload apache, restart sendmail, dovecot etc via
+# /etc/letsencrypt/renewal-hooks/deploy scripts.
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index 46582be..fe6124c 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -84,8 +84,11 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
 	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
-    SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
-    SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+    #SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
+    #SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+
+    SSLCertificateFile /etc/letsencrypt/live/jogamp.org/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/jogamp.org/privkey.pem
 
 	#   Server Certificate Chain:
 	#   Point SSLCertificateChainFile at a file containing the
@@ -100,7 +103,7 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
     #SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert3-20151105.pem
     #SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert4-20171102.pem
     #SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert5-20181102.pem
-    SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
+    #SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
 
 	#   Certificate Authority (CA):
 	#   Set the CA certificate verification path where to find CA
@@ -214,6 +217,8 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
     # configures the footer on server-generated documents
     ServerSignature On
 
+    Include /etc/apache2/acme-and-redirect.conf
+
 	<Directory "/srv/www/jogamp.org">
 	    Options Indexes FollowSymLinks
 	    AllowOverride All
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
index 90ac67b..935d12e 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
@@ -25,6 +25,8 @@
     # configures the footer on server-generated documents
     ServerSignature On
 
+    Include /etc/apache2/acme-and-redirect.conf
+
 	<Directory "/srv/www/jogamp.org">
 	    Options Indexes FollowSymLinks
 	    AllowOverride All
diff --git a/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf b/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
index dd3183c..140e418 100644
--- a/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
+++ b/server/setup/05-service-settings/etc/dovecot/conf.d/10-ssl.conf
@@ -10,10 +10,12 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-#ssl_cert = </etc/dovecot/dovecot.pem
-#ssl_key = </etc/dovecot/private/dovecot.pem
-ssl_cert = </etc/ssl/local/jogamp2013-hostcert.pem
-ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
+#ssl_cert = </etc/dovecot/private/dovecot.pem
+#ssl_key = </etc/dovecot/private/dovecot.key
+#ssl_cert = </etc/ssl/local/jogamp2025a.org.crt.pem
+#ssl_key = </etc/ssl/local/jogamp2025a.org.key.mail.pem
+ssl_cert = </etc/letsencrypt/live/jogamp.org/fullchain.pem
+ssl_key = </etc/letsencrypt/live/jogamp.org/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -25,11 +27,20 @@ ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
-ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+#ssl_ca = </etc/ssl/local/thawte-ca-cert5-20181102.pem
+#ssl_ca = </etc/ssl/local/jogamp2025a.org.ca.pem
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
+#ssl_client_ca_file =
+
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
@@ -39,16 +50,34 @@ ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# How often to regenerate the SSL parameters file. Generation is quite CPU
-# intensive operation. The value is in hours, 0 disables regeneration
-# entirely.
-#ssl_parameters_regenerate = 168
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+#ssl_dh = </usr/share/dovecot/dh.pem
+ssl_dh = </etc/ssl/local/dhparams-4096.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+#ssl_min_protocol = TLSv1
 
-# SSL protocols to use
-#ssl_protocols = !SSLv2
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache
new file mode 100755
index 0000000..735c87f
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/apache
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl reload apache2
+
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot
new file mode 100755
index 0000000..bb5425e
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/dovecot
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl restart dovecot
+
diff --git a/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail
new file mode 100755
index 0000000..0bb1eca
--- /dev/null
+++ b/server/setup/05-service-settings/etc/letsencrypt/renewal-hooks/deploy/sendmail
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+# vim: ai ts=4 sts=4 et sw=4
+
+/usr/bin/systemctl restart sendmail
+
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
index 79f8a91..bc01d9a 100644
--- a/server/setup/05-service-settings/etc/mail/sendmail.mc
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -129,18 +129,30 @@ dnl #     cd /usr/share/ssl/certs; make sendmail.pem
 dnl # Complete usage:
 dnl #     make -C /usr/share/ssl/certs usage
 dnl #
-define(`confCACERT_PATH', `/etc/ssl/certs')dnl
 define(`confDH_PARAMETERS',`/etc/ssl/local/dhparams-4096.pem')dnl
 dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
 dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
 dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
 dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
 dnl define(`confCACERT', `/etc/ssl/local/thawte-ca-cert5-20181102.pem')dnl
-define(`confCACERT', `/etc/ssl/local/jogamp2025a.org.ca.pem')dnl
-define(`confSERVER_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
-define(`confSERVER_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
-define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
-define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+
+dnl define(`confCACERT_PATH', `/etc/ssl/certs')dnl
+dnl define(`confCACERT', `/etc/ssl/local/jogamp2025a.org.ca.pem')dnl
+dnl define(`confSERVER_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
+dnl define(`confSERVER_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+dnl define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2025a.org.crt.pem')dnl
+dnl define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2025a.org.key.mail.pem')dnl
+
+define(`CERT_DIR', `/etc/letsencrypt/live/jogamp.org')
+define(`confCACERT_PATH', `CERT_DIR')
+define(`confCACERT', `CERT_DIR/fullchain.pem')
+define(`confSERVER_CERT', `CERT_DIR/cert.pem')
+define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
+define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
+define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
+
+define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
+
 dnl #
 dnl define(`confTO_QUEUEWARN', `4h')dnl
 dnl define(`confTO_QUEUERETURN', `5d')dnl
-- 
cgit v1.2.3