Renewed the certificate of the mail server running on AWS.
[AWS] ubuntu:~/work$ openssl x509 -in /etc/ssl/certs/mail_hmuna_com.crt -noout -dates
notBefore=Jul 21 00:00:00 2016 GMT
notAfter=Sep 27 23:59:59 2019 GMT
It was issued on 2016/7/21, but for some reason it expires on 2019/9/27 (a little over 3 years and 2 months).
------------------------------------------------------
Certificate information
------------------------------------------------------
Certificate number: cs1-0700310
Common name: mail.hmuna.com
CSR: (omitted)
------------------------------------------------------
Domain control validation
------------------------------------------------------
Validation method: email
* email: email validation, http: file validation, cname: DNS validation
Approval email address: admin@hmuna.com
* If the validation method is file validation, this item is not shown.
------------------------------------------------------
Other
------------------------------------------------------
Certificate delivery address: public_mail@hmuna.com
It seems the name of the certificate issuing company changed from  to "SSLストア".
[AWS] ubuntu:~/.ssh/work$ sudo openssl req -in .csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=YOKOHAMA, O=IT admin, OU=IT, CN=mail.hmuna.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:c7:f2:73:e9:59:4d:60:0f:29:e0:7c:58:ad:
6d:3f:e7:f6:6f:42:d6:22:7b:da:01:ee:76:75:42:
fa:a0:3f:6a:6c:1c:b9:b6:bf:90:d7:c3:15:6b:05:
e5:22:4f:29:0b:17:4e:b5:a4:5c:32:40:10:ed:51:
1a:70:89:39:80:9c:6f:49:1c:99:61:25:39:f0:dc:
1a:03:6e:1f:1a:26:1a:f4:32:10:af:b0:31:fb:47:
e4:9b:33:5a:a4:6f:36:64:ad:c3:c4:e6:8a:75:bd:
d0:5a:5e:74:41:36:00:ce:7b:c7:55:88:64:ac:28:
a6:90:34:70:ae:22:bf:67:82:97:7a:20:63:06:fb:
c5:46:01:fe:47:e7:f5:d7:9b:34:e3:40:03:f3:fb:
8b:1e:84:ec:39:e0:ba:b7:28:cc:58:9b:70:5e:ce:
f6:8e:23:93:45:05:57:dd:76:05:5e:6d:f9:67:f3:
ea:73:3e:f7:f5:72:6f:44:01:c3:36:fd:08:82:c8:
fb:cd:da:a6:ae:4a:7f:72:4e:c9:16:f6:be:83:5d:
fb:2a:fa:0a:d0:fe:e0:e0:ac:38:97:b4:6a:59:b2:
e6:58:77:12:0f:3a:f3:90:bb:7c:c4:bf:e9:60:ee:
c5:a3:61:7e:64:a5:58:5d:bd:62:8b:21:0c:9c:81:
74:8d
Exponent: 65537 (0x10001)
Attributes:
a0:00
[AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -dates
notBefore=Jul 5 00:00:00 2019 GMT
notAfter=Aug 4 23:59:59 2021 GMT
[AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=mail.hmuna.com
munakata@muna-E450:~/mail_cert_wk$ scp -i magu-tokyo-messenger.pem ubuntu@ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com:/etc/ssl/official_m3/ssl-bundle.crt ./
[AWS] ubuntu:~/work$ cat mail_hmuna_com.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
[AWS] ubuntu:/etc$ sudo sh -c "cd ./dovecot; doveconf -n"
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-1087-aws x86_64 Ubuntu 16.04.6 LTS ext4
auth_mechanisms = plain login
first_valid_uid = 150
last_valid_uid = 150
mail_gid = mail
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = mail-admin@hmuna.com
protocols = " imap pop3"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
group = mail
mode = 0666
user = vmail
}
}
ssl_ca = </etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle <----------------------------
ssl_cert = </etc/ssl/certs/mail_hmuna_com.crt <------------------------------------------
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/mail_hmuna.key <---------------------------------------------
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
[AWS] ubuntu:/etc$
To keep the current dovecot configuration above working as-is, place the new files under the same names and in the same locations (i.e. leave the settings unchanged).
[AWS] ubuntu:~$ sudo service postfix stop
[AWS] ubuntu:~$ sudo service dovecot stop
[AWS] ubuntu:~$ sudo service postfix start
[AWS] ubuntu:~$ sudo service dovecot start
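As an added example (not from the original post), a small sh script with the checks worth running on the files that ssl_cert, ssl_key and ssl_ca point at before restarting dovecot: the certificate's public key must match the private key, the certificate must verify against the CA bundle, the CN must be the expected one, and the expiry must be far enough away. It assumes openssl is on PATH; the 30-day threshold and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: pre-restart checks for the files
# that dovecot's ssl_cert / ssl_key / ssl_ca point at. Requires openssl on PATH.

# Minimum remaining validity in days (assumed threshold, override via env).
MIN_DAYS=${MIN_DAYS:-30}

# 0 if the certificate's public key is the public half of the private key.
# Both are printed as SubjectPublicKeyInfo PEM, so a plain string compare works.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid MIN_DAYS from now (catches the
# "renewed, but the old file is still in place" case).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null
}

# 0 if the certificate chains up to the CA bundle / trust anchor given as $2.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the CN of the certificate subject, e.g. mail.hmuna.com.
# Handles both the "subject= /OU=.../CN=x" and the "subject=CN = x" output styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run all checks: cert key ca-bundle expected-cn. Returns non-zero on any failure.
check_renewed_cert() {
    status=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key $2 does not match $1"; status=1; }
    cert_chain_ok "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; status=1; }
    cert_not_expiring "$1" || { echo "FAIL: $1 expires within $MIN_DAYS days"; status=1; }
    [ "$(cert_cn "$1")" = "$4" ] || { echo "FAIL: CN is '$(cert_cn "$1")', expected $4"; status=1; }
    return $status
}
```

For the files in this post the call would be check_renewed_cert /etc/ssl/certs/mail_hmuna_com.crt /etc/ssl/private/mail_hmuna.key /etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle mail.hmuna.com.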
[AWS] ubuntu:~$ systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2019-07-27 09:12:20 JST; 10s ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 30118 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Process: 31311 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 31314 (dovecot)
Tasks: 6
Memory: 3.4M
CPU: 28ms
CGroup: /system.slice/dovecot.service
├─31314 /usr/sbin/dovecot
├─31315 dovecot/anvil
├─31316 dovecot/log
├─31318 dovecot/config
├─31321 dovecot/auth
└─31322 dovecot/auth -w
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Starting Dovecot IMAP/POP3 email server...
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: dovecot.service: PID file /var/run/dovecot/master.pid not readable (yet?) after st
Jul 27 09:12:20 ip-172-31-26-13 dovecot[31314]: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disab
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Started Dovecot IMAP/POP3 email server.