#author("2019-08-31T08:27:24+09:00","","")
#contents()
Renewed the certificate of the mail server running on AWS.
*** (Reference) The certificate that expires this time [#s109f6aa]
[AWS] ubuntu:~/work$ openssl x509 -in /etc/ssl/certs/mail_hmuna_com.crt -noout -dates
notBefore=Jul 21 00:00:00 2016 GMT
notAfter=Sep 27 23:59:59 2019 GMT
It was issued on 2016/7/21, but &color(red){for some reason it expires on 2019/9/27 (a little over 3 years and 2 months)};.
*** Certificate issuance procedure [#l2e2f7a9]
- &ref(cs1-0700310.txt);
------------------------------------------------------
Certificate information
------------------------------------------------------
Certificate number: cs1-0700310
Common name: mail.hmuna.com
CSR:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
------------------------------------------------------
Domain control validation
------------------------------------------------------
Validation method: email
※ email: email validation, http: file validation, cname: DNS validation
Approval email address: admin@hmuna.com
※ This item is not shown when the validation method is file validation.
------------------------------------------------------
Other
------------------------------------------------------
Certificate delivery address: public_mail@hmuna.com
*** Purchasing the certificate [#ye9b9589]
The name of the certificate vendor appears to have changed from  to [["SSLストア":https://www.ssl-store.jp/]].
- &ref(20190714_state.jpg);
*** Checking that the key file and the CSR file belong together (confirming this is the key file that was used to generate the CSR) [#zd7bd9bb]
- Modulus of the private key
[AWS] ubuntu:~/.ssh/work$ sudo openssl rsa -in .key -text
Private-Key: (2048 bit)
modulus:
00:be:c7:f2:73:e9:59:4d:60:0f:29:e0:7c:58:ad:
6d:3f:e7:f6:6f:42:d6:22:7b:da:01:ee:76:75:42:
fa:a0:3f:6a:6c:1c:b9:b6:bf:90:d7:c3:15:6b:05:
e5:22:4f:29:0b:17:4e:b5:a4:5c:32:40:10:ed:51:
1a:70:89:39:80:9c:6f:49:1c:99:61:25:39:f0:dc:
1a:03:6e:1f:1a:26:1a:f4:32:10:af:b0:31:fb:47:
e4:9b:33:5a:a4:6f:36:64:ad:c3:c4:e6:8a:75:bd:
d0:5a:5e:74:41:36:00:ce:7b:c7:55:88:64:ac:28:
a6:90:34:70:ae:22:bf:67:82:97:7a:20:63:06:fb:
c5:46:01:fe:47:e7:f5:d7:9b:34:e3:40:03:f3:fb:
8b:1e:84:ec:39:e0:ba:b7:28:cc:58:9b:70:5e:ce:
f6:8e:23:93:45:05:57:dd:76:05:5e:6d:f9:67:f3:
ea:73:3e:f7:f5:72:6f:44:01:c3:36:fd:08:82:c8:
fb:cd:da:a6:ae:4a:7f:72:4e:c9:16:f6:be:83:5d:
fb:2a:fa:0a:d0:fe:e0:e0:ac:38:97:b4:6a:59:b2:
e6:58:77:12:0f:3a:f3:90:bb:7c:c4:bf:e9:60:ee:
c5:a3:61:7e:64:a5:58:5d:bd:62:8b:21:0c:9c:81:
74:8d
publicExponent: 65537 (0x10001)
- Modulus of the CSR (certificate request) file
[AWS] ubuntu:~/.ssh/work$ sudo openssl req -in .csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=YOKOHAMA, O=IT admin, OU=IT, CN=mail.hmuna.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:c7:f2:73:e9:59:4d:60:0f:29:e0:7c:58:ad:
6d:3f:e7:f6:6f:42:d6:22:7b:da:01:ee:76:75:42:
fa:a0:3f:6a:6c:1c:b9:b6:bf:90:d7:c3:15:6b:05:
e5:22:4f:29:0b:17:4e:b5:a4:5c:32:40:10:ed:51:
1a:70:89:39:80:9c:6f:49:1c:99:61:25:39:f0:dc:
1a:03:6e:1f:1a:26:1a:f4:32:10:af:b0:31:fb:47:
e4:9b:33:5a:a4:6f:36:64:ad:c3:c4:e6:8a:75:bd:
d0:5a:5e:74:41:36:00:ce:7b:c7:55:88:64:ac:28:
a6:90:34:70:ae:22:bf:67:82:97:7a:20:63:06:fb:
c5:46:01:fe:47:e7:f5:d7:9b:34:e3:40:03:f3:fb:
8b:1e:84:ec:39:e0:ba:b7:28:cc:58:9b:70:5e:ce:
f6:8e:23:93:45:05:57:dd:76:05:5e:6d:f9:67:f3:
ea:73:3e:f7:f5:72:6f:44:01:c3:36:fd:08:82:c8:
fb:cd:da:a6:ae:4a:7f:72:4e:c9:16:f6:be:83:5d:
fb:2a:fa:0a:d0:fe:e0:e0:ac:38:97:b4:6a:59:b2:
e6:58:77:12:0f:3a:f3:90:bb:7c:c4:bf:e9:60:ee:
c5:a3:61:7e:64:a5:58:5d:bd:62:8b:21:0c:9c:81:
74:8d
Exponent: 65537 (0x10001)
Attributes:
a0:00
- key file = &ref(mail_hmuna_com_20190705.key);
- csr file = &ref(mail_hmuna_com_20190705.csr);
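Comparing two hex dumps by eye, as above, is error-prone. The following shell script is an added example (not from the original page): it hashes the `-modulus` output of the key, the CSR and the certificate and compares the three fingerprints. All file names and the subject `/CN=mail.example.test` are constructed for the demo; against real files, call `check_match` with the three paths. The second run reproduces the situation found further down this page, where the issued certificate carries a different modulus from the key and the CSR.

```shell
#!/bin/sh
# Added example (not from the original page): fingerprint the RSA modulus of a
# private key, a CSR and a certificate and compare the three, so that a
# certificate issued for a different key is caught before it is installed.
set -eu

# modulus_fp FILE TYPE   (TYPE = key | csr | crt)
# Prints the SHA-256 of the "Modulus=..." line; one short string per object is
# far easier to compare than the hex dump printed by "openssl ... -text".
modulus_fp() {
  case "$2" in
    key) openssl rsa  -noout -modulus -in "$1" ;;
    csr) openssl req  -noout -modulus -in "$1" ;;
    crt) openssl x509 -noout -modulus -in "$1" ;;
    *)   echo "unknown type: $2" >&2; return 2 ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KEY CSR CRT: returns 0 when all three share one modulus, 1 otherwise.
check_match() {
  k=$(modulus_fp "$1" key)
  r=$(modulus_fp "$2" csr)
  c=$(modulus_fp "$3" crt)
  if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then
    echo "OK: key, CSR and certificate share modulus fingerprint $k"
    return 0
  fi
  echo "MISMATCH: key=$k csr=$r crt=$c" >&2
  return 1
}

# Constructed demo material in a temporary directory: one key with its CSR and
# a self-signed certificate, plus a certificate made from an unrelated key.
demo=$(mktemp -d)
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/good.key" \
    -out "$demo/good.crt" -subj "/CN=mail.example.test" -days 1 2>/dev/null
  openssl req -new -key "$demo/good.key" -out "$demo/good.csr" \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/other.key" \
    -out "$demo/other.crt" -subj "/CN=mail.example.test" -days 1 2>/dev/null
}

make_demo
check_match "$demo/good.key" "$demo/good.csr" "$demo/good.crt"
# The certificate below was not issued for the key that produced the CSR,
# which is exactly the condition this check is meant to catch.
check_match "$demo/good.key" "$demo/good.csr" "$demo/other.crt" || echo "(expected failure above)"
```

When the fingerprints differ, the certificate is not usable with that key at all, so this is worth running before any file is copied to the server.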
*** The issued certificate [#f838ebf2]
- &ref(mail_hmuna_com.zip);
-- Root CA Certificate - AddTrustExternalCARoot.crt
-- Intermediate CA Certificate - USERTrustRSAAddTrustCA.crt
-- Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
-- Your PositiveSSL Certificate - mail_hmuna_com.crt
[AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -dates
notBefore=Jul 5 00:00:00 2019 GMT
notAfter=Aug 4 23:59:59 2021 GMT
[AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=mail.hmuna.com
- [[Positive SSL trusted logo (free):https://www.positivessl.com/the-positivessl-trustlogo]]
*** Checking the contents of the issued certificate &color(red){The modulus does not match the key file and the CSR file!}; [#l1c114c4]
[AWS] ubuntu:~/.ssh/work$ openssl x509 -text < /etc/ssl/official_m3/mail_hmuna_com.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6d:94:c2:22:45:c3:93:40:ec:f0:73:35:be:18:73:ac
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Validity
Not Before: Jul 5 00:00:00 2019 GMT
Not After : Aug 4 23:59:59 2021 GMT
Subject: OU=Domain Control Validated, CN=mail.hmuna.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:59:4e:e6:c3:a5:91:8e:5b:ca:a4:d2:b4:c5:
7b:5c:74:8b:16:a1:ca:44:b7:8e:72:7e:f9:c1:59:
32:fc:a4:10:ff:0c:0f:cd:63:0b:90:f0:24:70:2a:
45:0e:5b:e2:e0:74:e0:78:81:00:ba:1f:75:ee:c8:
ef:c8:87:0c:fa:a5:da:5a:2f:91:3a:8d:85:32:2f:
72:30:5b:ef:20:4b:26:df:67:d2:4d:3f:a5:d6:36:
38:2a:21:49:95:07:d5:5a:1a:62:67:0f:5d:1b:99:
a5:8f:be:d1:4a:30:f6:63:94:b2:2d:b3:ea:ca:88:
ce:76:74:6c:46:02:f8:e9:9c:cb:9e:93:f6:22:88:
c2:0d:2f:4a:cc:62:e4:02:43:84:09:9a:58:b7:7d:
f1:3e:f9:8c:1d:9f:f5:3f:cc:0a:84:99:2e:45:33:
2a:08:7e:b1:2d:7b:d8:4d:a6:c9:03:71:34:fe:7c:
53:91:c5:e5:f2:0d:7a:49:63:77:a4:5c:84:32:bd:
58:65:89:aa:62:69:28:10:78:45:07:ef:95:7c:2b:
fa:7b:a6:80:19:67:6a:68:0f:d8:38:13:0a:2b:e9:
3d:f5:f4:df:37:f0:03:2c:b1:9c:be:c2:07:9c:99:
b2:31:fe:a5:a0:9f:7d:37:0a:38:6a:5a:65:b5:f0:
8a:4d
Exponent: 65537 (0x10001)
*** Copying the required files to the mail server on AWS [#k7495a32]
- Connecting to the mail server with ssh
-- ssh -i (private key) ubuntu@(public DNS name)
--- Private key : &ref(magu-tokyo-messenger.pem);
--- Account : ubuntu
--- Host : ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com
- Uploading the certificate files to the AWS server with scp
-- scp -i (private key) (file to transfer) ubuntu@(public DNS name)&color(red){:~}; ← the trailing colon + tilde is essential
- Downloading the merged intermediate certificate bundle from the AWS server with scp
munakata@muna-E450:~/mail_cert_wk$ scp -i magu-tokyo-messenger.pem ubuntu@ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com:/etc/ssl/official_m3/ssl-bundle.crt ./
- Merging the site certificate and the intermediate certificates
-- &ref(ssl-bundle.crt);
[AWS] ubuntu:~/work$ cat mail_hmuna_com.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
-- [[Certificate Installation (Dovecot + Exim):https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFJE]]
-- [[Dovecot SSL configuration:https://wiki.dovecot.org/SSL/DovecotConfiguration]]
- Obtaining the key file
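The `cat` above only concatenates; it does not tell you whether the certificates ended up in the right order. As an added example (not the page's own commands), the script below builds a throwaway root → intermediate → server chain, writes a bundle in the same order used above (server certificate, intermediates, root), checks that each certificate in the bundle was issued by the one after it, and finally validates the server certificate with `openssl verify`. All names (`Demo Root CA`, `intermediate`, `mail.example.test`) are constructed. One point to keep in mind when wiring the result into Dovecot: `ssl_ca` is the file Dovecot uses to verify client certificates, while the intermediates the server should send to mail clients belong in the `ssl_cert` file after the server certificate, as the Dovecot SSL configuration page linked above describes.

```shell
#!/bin/sh
# Added example (not the page's own commands): build a throwaway
# root -> intermediate -> server chain, write the bundle in the order used on
# this page (server certificate, intermediates, root) and check that order.
set -eu

work=$(mktemp -d)
# Extension files for the demo CAs and the server certificate. Without
# basicConstraints=CA:TRUE the intermediate is not a CA and verification fails.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$work/leaf.ext"

# issue NAME ISSUER EXTFILE: new key + CSR for NAME, signed with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
    -out "$work/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.crt" -CAkey "$work/$2.key" \
    -CAcreateserial -days 1 -extfile "$3" -out "$work/$1.crt" 2>/dev/null
}

build_chain() {
  # Self-signed root (constructed name).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/root.key" \
    -out "$work/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 1 \
    -extfile "$work/ca.ext" -out "$work/root.crt" 2>/dev/null
  issue intermediate root "$work/ca.ext"
  issue mail.example.test intermediate "$work/leaf.ext"
  # Bundle in the order used on this page: server cert, intermediates, root.
  cat "$work/mail.example.test.crt" "$work/intermediate.crt" "$work/root.crt" \
    > "$work/ssl-bundle.crt"
  # The same certificates with the first two swapped, to exercise the check.
  cat "$work/intermediate.crt" "$work/mail.example.test.crt" "$work/root.crt" \
    > "$work/bad-bundle.crt"
}

# check_order BUNDLE: split the PEM file and confirm that certificate i was
# issued by certificate i+1, i.e. the chain reads leaf -> ... -> root.
check_order() {
  parts=$(mktemp -d)
  awk -v d="$parts" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  count=$(ls "$parts" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$parts/$i.pem")
    subject=$(openssl x509 -noout -subject -in "$parts/$((i + 1)).pem")
    # Compare the DN text after the "issuer=" / "subject=" labels.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "bad order: certificate $i is not issued by certificate $((i + 1))" >&2
      return 1
    fi
    i=$((i + 1))
  done
  echo "chain order OK ($count certificates)"
}

# verify_leaf: full path validation of the server cert against the demo root,
# using the intermediate as an untrusted link exactly as a client would.
verify_leaf() {
  openssl verify -CAfile "$work/root.crt" -untrusted "$work/intermediate.crt" \
    "$work/mail.example.test.crt"
}

build_chain
check_order "$work/ssl-bundle.crt"
check_order "$work/bad-bundle.crt" || echo "(expected failure above)"
verify_leaf
```

To check a real bundle, run `check_order` on it; for `verify_leaf` you would point `-CAfile` at the vendor's root and `-untrusted` at the intermediate files that came in the zip.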
*** Checking the dovecot configuration on AWS (before the certificate update) [#rbc3a343]
- The security settings are tight: the file contents can only be read from inside a sudo subshell
[AWS] ubuntu:/etc$ sudo sh -c "cd ./dovecot; doveconf -n"
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-1087-aws x86_64 Ubuntu 16.04.6 LTS ext4
auth_mechanisms = plain login
first_valid_uid = 150
last_valid_uid = 150
mail_gid = mail
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = mail-admin@hmuna.com
protocols = " imap pop3"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
group = mail
mode = 0666
user = vmail
}
}
ssl_ca = </etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle <----------------------------
ssl_cert = </etc/ssl/certs/mail_hmuna_com.crt <------------------------------------------
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/mail_hmuna.key <---------------------------------------------
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
[AWS] ubuntu:/etc$
*** Updating the certificate on the AWS server [#pebbe393]
&color(red){To keep the current dovecot configuration shown above working, match the file names and locations to it (i.e. leave them as they were)};
- Split the standalone mail.hmuna.com certificate out of the bundle file (rebuild the bundle file)
- Private key (/etc/ssl/official_m3/mail_hmuna_com_20190705.key) → /etc/ssl/private/mail_hmuna.key
- Server certificate (/etc/ssl/official_m3/mail_hmuna_com.crt) → /etc/ssl/certs/mail_hmuna_com.crt (the ssl_cert path above)
- Intermediate certificates (/etc/ssl/official_m3/ssl-bundle.crt) → /etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle
*** Restarting the dovecot server [#i9c1f17d]
[AWS] ubuntu:~$ sudo service postfix stop
[AWS] ubuntu:~$ sudo service dovecot stop
[AWS] ubuntu:~$ sudo service postfix start
[AWS] ubuntu:~$ sudo service dovecot start
[AWS] ubuntu:~$ systemctl status dovecot.service
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2019-07-27 09:12:20 JST; 10s ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Process: 30118 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
Process: 31311 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 31314 (dovecot)
Tasks: 6
Memory: 3.4M
CPU: 28ms
CGroup: /system.slice/dovecot.service
├─31314 /usr/sbin/dovecot
├─31315 dovecot/anvil
├─31316 dovecot/log
├─31318 dovecot/config
├─31321 dovecot/auth
└─31322 dovecot/auth -w
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Starting Dovecot IMAP/POP3 email server...
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: dovecot.service: PID file /var/run/dovecot/master.pid not readable (yet?) after st
Jul 27 09:12:20 ip-172-31-26-13 dovecot[31314]: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disab
Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Started Dovecot IMAP/POP3 email server.