HomeServer18A
#contents()

Renewed the TLS certificate of the mail server that runs on AWS.

*** (Reference) The certificate that expires this time [#s109f6aa]
 [AWS] ubuntu:~/work$ openssl x509 -in /etc/ssl/certs/mail_hmuna_com.crt -noout -dates
 notBefore=Jul 21 00:00:00 2016 GMT
 notAfter=Sep 27 23:59:59 2019 GMT
It was issued on 2016/7/21, but &color(red){for some reason it expires on 2019/9/27 (3 years and a little over 2 months later)};.

*** Certificate issuance procedure [#l2e2f7a9]
- &ref(cs1-0700310.txt);
 ------------------------------------------------------
 Certificate information
 ------------------------------------------------------
 Certificate number: cs1-0700310
 Common name: mail.hmuna.com
 CSR:
 -----BEGIN CERTIFICATE REQUEST-----
 MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCSlAxETAPBgNVBAgMCEthbmFnYXdhMREw
 DwYDVQQHDAhZb2tvaGFtYTERMA8GA1UECgwISVQgQWRtaW4xCzAJBgNVBAsMAklU
 MRcwFQYDVQQDDA5tYWlsLmhtdW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAMlZTubDpZGOW8qk0rTFe1x0ixahykS3jnJ++cFZMvykEP8MD81j
 C5DwJHAqRQ5b4uB04HiBALofde7I78iHDPql2lovkTqNhTIvcjBb7yBLJt9n0k0/
 pdY2OCohSZUH1VoaYmcPXRuZpY++0Uow9mOUsi2z6sqIznZ0bEYC+Omcy56T9iKI
 wg0vSsxi5AJDhAmaWLd98T75jB2f9T/MCoSZLkUzKgh+sS172E2myQNxNP58U5HF
 5fINekljd6RchDK9WGWJqmJpKBB4RQfvlXwr+numgBlnamgP2DgTCivpPfX03zfw
 AyyxnL7CB5yZsjH+paCffTcKOGpaZbXwik0CAwEAAaAAMA0GCSqGSIb3DQEBCwUA
 A4IBAQBxrutKGVKPSYbsZk66jmdIq4VlkF8oeK9Iqsmt441aw1pNNSWaWVfyruN4
 oaf8qbPNFoEbBn4QicbJixO2/P39MuVmrNHPw4o4JOfSIixxuqoNw5zQW+d+YHoV
 0K6hYZVvsioO8a30FaN8AWEs48PXjfpdVe7XoTCtW/yePq9wXNTALXRpr6AyqaoN
 NontS/a7NlMcfu1FNzMprTi45AXVexlskWLY8lRylgE/rvYSfciKPM9fViSk2hJL
 RchQ+4rdUT83pGxOEZjr8ZXY049eCuZ437HInKP3uuhwVK2VkKgaPtWjfNAMaxlL
 VQ1KgYVehRsAsp8VD8DEn2G9owcN
 -----END CERTIFICATE REQUEST-----
 ------------------------------------------------------
 Domain control validation
 ------------------------------------------------------
 Validation method: email
 (email: e-mail validation, http: file validation, cname: DNS validation)
 Approval e-mail address: admin@hmuna.com
 (When the validation method is file validation, this item is not shown.)
 ------------------------------------------------------
 Other
 ------------------------------------------------------
 Certificate delivery address: public_mail@hmuna.com

*** Purchasing the certificate [#ye9b9589]
The name of the certificate vendor appears to have changed from  to [["SSLストア":https://www.ssl-store.jp/]].
- &ref(20190714_state.jpg);

*** Checking that the key file matches the CSR file (confirming it is the key used to generate the CSR) [#zd7bd9bb]
- Modulus of the private key
 [AWS] ubuntu:~/.ssh/work$ sudo openssl rsa -in .key -text
 Private-Key: (2048 bit)
 modulus:
     00:be:c7:f2:73:e9:59:4d:60:0f:29:e0:7c:58:ad:
     6d:3f:e7:f6:6f:42:d6:22:7b:da:01:ee:76:75:42:
     fa:a0:3f:6a:6c:1c:b9:b6:bf:90:d7:c3:15:6b:05:
     e5:22:4f:29:0b:17:4e:b5:a4:5c:32:40:10:ed:51:
     1a:70:89:39:80:9c:6f:49:1c:99:61:25:39:f0:dc:
     1a:03:6e:1f:1a:26:1a:f4:32:10:af:b0:31:fb:47:
     e4:9b:33:5a:a4:6f:36:64:ad:c3:c4:e6:8a:75:bd:
     d0:5a:5e:74:41:36:00:ce:7b:c7:55:88:64:ac:28:
     a6:90:34:70:ae:22:bf:67:82:97:7a:20:63:06:fb:
     c5:46:01:fe:47:e7:f5:d7:9b:34:e3:40:03:f3:fb:
     8b:1e:84:ec:39:e0:ba:b7:28:cc:58:9b:70:5e:ce:
     f6:8e:23:93:45:05:57:dd:76:05:5e:6d:f9:67:f3:
     ea:73:3e:f7:f5:72:6f:44:01:c3:36:fd:08:82:c8:
     fb:cd:da:a6:ae:4a:7f:72:4e:c9:16:f6:be:83:5d:
     fb:2a:fa:0a:d0:fe:e0:e0:ac:38:97:b4:6a:59:b2:
     e6:58:77:12:0f:3a:f3:90:bb:7c:c4:bf:e9:60:ee:
     c5:a3:61:7e:64:a5:58:5d:bd:62:8b:21:0c:9c:81:
     74:8d
 publicExponent: 65537 (0x10001)
- Modulus of the CSR (certificate request) file
 [AWS] ubuntu:~/.ssh/work$ sudo openssl req -in .csr -text
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: C=JP, ST=Kanagawa, L=YOKOHAMA, O=IT admin, OU=IT, CN=mail.hmuna.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:be:c7:f2:73:e9:59:4d:60:0f:29:e0:7c:58:ad:
                     6d:3f:e7:f6:6f:42:d6:22:7b:da:01:ee:76:75:42:
                     fa:a0:3f:6a:6c:1c:b9:b6:bf:90:d7:c3:15:6b:05:
                     e5:22:4f:29:0b:17:4e:b5:a4:5c:32:40:10:ed:51:
                     1a:70:89:39:80:9c:6f:49:1c:99:61:25:39:f0:dc:
                     1a:03:6e:1f:1a:26:1a:f4:32:10:af:b0:31:fb:47:
                     e4:9b:33:5a:a4:6f:36:64:ad:c3:c4:e6:8a:75:bd:
                     d0:5a:5e:74:41:36:00:ce:7b:c7:55:88:64:ac:28:
                     a6:90:34:70:ae:22:bf:67:82:97:7a:20:63:06:fb:
                     c5:46:01:fe:47:e7:f5:d7:9b:34:e3:40:03:f3:fb:
                     8b:1e:84:ec:39:e0:ba:b7:28:cc:58:9b:70:5e:ce:
                     f6:8e:23:93:45:05:57:dd:76:05:5e:6d:f9:67:f3:
                     ea:73:3e:f7:f5:72:6f:44:01:c3:36:fd:08:82:c8:
                     fb:cd:da:a6:ae:4a:7f:72:4e:c9:16:f6:be:83:5d:
                     fb:2a:fa:0a:d0:fe:e0:e0:ac:38:97:b4:6a:59:b2:
                     e6:58:77:12:0f:3a:f3:90:bb:7c:c4:bf:e9:60:ee:
                     c5:a3:61:7e:64:a5:58:5d:bd:62:8b:21:0c:9c:81:
                     74:8d
                 Exponent: 65537 (0x10001)
         Attributes:
             a0:00
- key file = &ref(mail_hmuna_com_20190705.key);
- csr file = &ref(mail_hmuna_com_20190705.csr);

*** The issued certificate [#f838ebf2]
- &ref(mail_hmuna_com.zip);
-- Root CA Certificate - AddTrustExternalCARoot.crt
-- Intermediate CA Certificate - USERTrustRSAAddTrustCA.crt
-- Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
-- Your PositiveSSL Certificate - mail_hmuna_com.crt
 [AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -dates
 notBefore=Jul 5 00:00:00 2019 GMT
 notAfter=Aug 4 23:59:59 2021 GMT
 [AWS] ubuntu:~/work$ openssl x509 -in mail_hmuna_com.crt -noout -subject
 subject= /OU=Domain Control Validated/CN=mail.hmuna.com
- [[Positive SSL trusted logo (free):https://www.positivessl.com/the-positivessl-trustlogo]]

*** Checking the contents of the issued certificate &color(red){The modulus does not match the key file or the CSR file!}; [#l1c114c4]
 [AWS] ubuntu:~/.ssh/work$ openssl x509 -text < /etc/ssl/official_m3/mail_hmuna_com.crt
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             6d:94:c2:22:45:c3:93:40:ec:f0:73:35:be:18:73:ac
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
         Validity
             Not Before: Jul 5 00:00:00 2019 GMT
             Not After : Aug 4 23:59:59 2021 GMT
         Subject: OU=Domain Control Validated, CN=mail.hmuna.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:c9:59:4e:e6:c3:a5:91:8e:5b:ca:a4:d2:b4:c5:
                     7b:5c:74:8b:16:a1:ca:44:b7:8e:72:7e:f9:c1:59:
                     32:fc:a4:10:ff:0c:0f:cd:63:0b:90:f0:24:70:2a:
                     45:0e:5b:e2:e0:74:e0:78:81:00:ba:1f:75:ee:c8:
                     ef:c8:87:0c:fa:a5:da:5a:2f:91:3a:8d:85:32:2f:
                     72:30:5b:ef:20:4b:26:df:67:d2:4d:3f:a5:d6:36:
                     38:2a:21:49:95:07:d5:5a:1a:62:67:0f:5d:1b:99:
                     a5:8f:be:d1:4a:30:f6:63:94:b2:2d:b3:ea:ca:88:
                     ce:76:74:6c:46:02:f8:e9:9c:cb:9e:93:f6:22:88:
                     c2:0d:2f:4a:cc:62:e4:02:43:84:09:9a:58:b7:7d:
                     f1:3e:f9:8c:1d:9f:f5:3f:cc:0a:84:99:2e:45:33:
                     2a:08:7e:b1:2d:7b:d8:4d:a6:c9:03:71:34:fe:7c:
                     53:91:c5:e5:f2:0d:7a:49:63:77:a4:5c:84:32:bd:
                     58:65:89:aa:62:69:28:10:78:45:07:ef:95:7c:2b:
                     fa:7b:a6:80:19:67:6a:68:0f:d8:38:13:0a:2b:e9:
                     3d:f5:f4:df:37:f0:03:2c:b1:9c:be:c2:07:9c:99:
                     b2:31:fe:a5:a0:9f:7d:37:0a:38:6a:5a:65:b5:f0:
                     8a:4d
                 Exponent: 65537 (0x10001)

*** Copying the required files to the mail server on AWS [#k7495a32]
- Connecting to the mail server with ssh
-- ssh -i (private key) ubuntu@(public DNS name)
--- private key: &ref(magu-tokyo-messenger.pem);
--- account: ubuntu
--- host: ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com
- Uploading the certificate files to the AWS server with scp
-- scp -i (private key) (file to transfer) ubuntu@(public DNS name)&color(red){:~}; ← the trailing colon + tilde is important
- Downloading the merged intermediate certificates from the AWS server with scp
 munakata@muna-E450:~/mail_cert_wk$ scp -i magu-tokyo-messenger.pem ubuntu@ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com:/etc/ssl/official_m3/ssl-bundle.crt ./
- Merging the site certificate and the intermediate certificates
-- &ref(ssl-bundle.crt);
 [AWS] ubuntu:~/work$ cat mail_hmuna_com.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
-- [[Certificate Installation (Dovecot + Exim):https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFJE]]
-- [[Dovecot SSL configuration:https://wiki.dovecot.org/SSL/DovecotConfiguration]]
- Obtaining the key file

*** Checking the dovecot configuration on AWS (before the certificate renewal) [#rbc3a343]
- The permissions are strict, so the files can only be read from inside a sudo subshell
 [AWS] ubuntu:/etc$ sudo sh -c "cd ./dovecot; doveconf -n"
 # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
 # Pigeonhole version 0.4.13 (7b14904)
 # OS: Linux 4.4.0-1087-aws x86_64 Ubuntu 16.04.6 LTS ext4
 auth_mechanisms = plain login
 first_valid_uid = 150
 last_valid_uid = 150
 mail_gid = mail
 mail_location = maildir:/var/vmail/%d/%n
 mail_uid = vmail
 namespace inbox {
   inbox = yes
   location = 
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix = 
 }
 passdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
 }
 postmaster_address = mail-admin@hmuna.com
 protocols = " imap pop3"
 service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   unix_listener auth-userdb {
     group = mail
     mode = 0666
     user = vmail
   }
 }
 ssl_ca = </etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle   <----------------------------
 ssl_cert = </etc/ssl/certs/mail_hmuna_com.crt             <------------------------------------------
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 ssl_dh_parameters_length = 2048
 ssl_key = </etc/ssl/private/mail_hmuna.key                 <---------------------------------------------
 ssl_prefer_server_ciphers = yes
 ssl_protocols = !SSLv2 !SSLv3
 userdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
 }
 [AWS] ubuntu:/etc$

*** Updating the certificate on the AWS server [#pebbe393]
&color(red){To keep the current dovecot configuration shown above, match the file names and locations (i.e. leave them as they were)};
- Split the standalone mail.hmuna.com certificate out of the bundle file (rebuild the bundle file)
- Private key (/etc/ssl/official_m3/mail_hmuna_com_20190705.key) → /etc/ssl/private/mail_hmuna.key
- Server certificate (/etc/ssl/official_m3/mail_hmuna_com.csr) → /etc/ssl/private/mail_hmuna.key
- Intermediate certificates (/etc/ssl/official_m3/ssl-bundle.crt) → /etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle

*** Restarting the dovecot server [#i9c1f17d]
 [AWS] ubuntu:~$ sudo service postfix stop
 [AWS] ubuntu:~$ sudo service dovecot stop
 [AWS] ubuntu:~$ sudo service postfix start
 [AWS] ubuntu:~$ sudo service dovecot start
 [AWS] ubuntu:~$ systemctl status dovecot.service
 ● dovecot.service - Dovecot IMAP/POP3 email server
    Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2019-07-27 09:12:20 JST; 10s ago
      Docs: man:dovecot(1)
            http://wiki2.dovecot.org/
   Process: 30118 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
   Process: 31311 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
  Main PID: 31314 (dovecot)
     Tasks: 6
    Memory: 3.4M
       CPU: 28ms
    CGroup: /system.slice/dovecot.service
            ├─31314 /usr/sbin/dovecot
            ├─31315 dovecot/anvil
            ├─31316 dovecot/log
            ├─31318 dovecot/config
            ├─31321 dovecot/auth
            └─31322 dovecot/auth -w
 
 Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Starting Dovecot IMAP/POP3 email server...
 Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: dovecot.service: PID file /var/run/dovecot/master.pid not readable (yet?) after st
 Jul 27 09:12:20 ip-172-31-26-13 dovecot[31314]: master: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disab
 Jul 27 09:12:20 ip-172-31-26-13 systemd[1]: Started Dovecot IMAP/POP3 email server.
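The modulus comparison in the key/CSR/certificate sections above is the check that caught the mismatch on this page, and the expiry dates in the first section are what made the renewal necessary. The script below is an added example, not part of the original page and not the vendor's tooling: it reduces each modulus to one digest so the three values can be compared at a glance instead of reading 2048-bit hex dumps, and uses `openssl x509 -checkend` to flag a certificate that expires within N days. It assumes only the `openssl` command line; the demo material (one key with its CSR and a self-signed certificate, plus an unrelated second key) is constructed on the fly, so none of the file names are the page's. One observation a practitioner would add at this point: the CSR pasted into the order record (cs1-0700310.txt) decodes to a modulus beginning 00:c9:59:4e:e6:c3 and to the subject "L=Yokohama, O=IT Admin", so it is the request the CA actually signed, and it is not the same request as the .csr in ~/.ssh/work (modulus 00:be:c7:..., subject "L=YOKOHAMA, O=IT admin").

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm that a private key, a CSR and
# an issued certificate share one RSA modulus, and warn about upcoming expiry.
# Assumes only the openssl CLI; all file names are placeholders.

# Digest of the modulus, so the long hex dumps printed by "openssl ... -text"
# collapse to one comparable line.  Arg 1: key|csr|cert, arg 2: PEM file.
modulus_digest() {
    case "$1" in
        key)  m=$(openssl rsa  -in "$2" -noout -modulus) ;;
        csr)  m=$(openssl req  -in "$2" -noout -modulus) ;;
        cert) m=$(openssl x509 -in "$2" -noout -modulus) ;;
        *)    echo "modulus_digest: unknown type '$1'" >&2; return 2 ;;
    esac || return 2
    printf '%s' "$m" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit 0 only when key, CSR and certificate carry the same modulus, i.e. the
# CA signed a request that was made from this key.  Exit 1 on mismatch,
# 2 when a file cannot be parsed.
check_key_match() {
    k=$(modulus_digest key  "$1") || return 2
    r=$(modulus_digest csr  "$2") || return 2
    c=$(modulus_digest cert "$3") || return 2
    printf 'key  %s\ncsr  %s\ncert %s\n' "$k" "$r" "$c"
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Exit 0 when the certificate's notAfter lies within the next N days (or has
# already passed).  "openssl x509 -checkend S" exits 0 only if the certificate
# is still valid S seconds from now, so the sense is inverted here.
expires_within_days() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed demo material (not the page's files): key a with its CSR and a
# self-signed 10-day certificate, plus an unrelated key b.
make_demo_material() {
    dir=$1
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null
    openssl req -new -key "$dir/a.key" -subj "/CN=mail.example.test" \
        -out "$dir/a.csr" 2>/dev/null
    openssl x509 -req -in "$dir/a.csr" -signkey "$dir/a.key" -days 10 \
        -out "$dir/a.crt" 2>/dev/null
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_material "$dir"
    if check_key_match "$dir/a.key" "$dir/a.csr" "$dir/a.crt"; then
        echo "a.key matches a.csr and a.crt"
    fi
    if ! check_key_match "$dir/b.key" "$dir/a.csr" "$dir/a.crt"; then
        echo "b.key does NOT belong to a.csr / a.crt (the situation on this page)"
    fi
    if expires_within_days "$dir/a.crt" 30; then
        echo "a.crt expires within 30 days: schedule the renewal"
    fi
    rm -rf "$dir"
}

demo
```

After the restart step, the same functions can be pointed at what the server actually presents: save the output of `openssl s_client -connect mail.hmuna.com:993 -servername mail.hmuna.com -showcerts </dev/null` to a file and run `modulus_digest cert` and `expires_within_days` on it, which confirms that the key, the deployed certificate and the live listener all agree.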
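The bundle step above concatenates the site certificate with the intermediate and root certificates. Two things a practitioner checks before deploying such a file: the order (each certificate must be followed by the certificate that issued it; the `cat` command on this page places USERTrustRSAAddTrustCA.crt directly after the site certificate, although the Issuer printed for that certificate above is Sectigo RSA Domain Validation Secure Server CA), and that the chain verifies up to the root at all. The script below is an added example, not from the page and not from Sectigo's or Dovecot's documentation. It constructs a throwaway three-level chain (root CA, intermediate CA, leaf) with `openssl`, so none of the certificates are the page's material, then splits a bundle back into its certificates, checks that every issuer matches the next subject, and runs `openssl verify`. It assumes `openssl` and `awk`.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a certificate bundle in the
# order a TLS server needs, check that order, and verify the chain.
# Assumes the openssl CLI and awk; every certificate here is constructed.

# Write each certificate in a bundle to $2/c1.pem, $2/c2.pem, ... and print
# how many were found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/c" n ".pem" }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                            { print n + 0 }
    ' "$1"
}

# Exit 0 only when, for every adjacent pair, certificate i was issued by
# certificate i+1: leaf, its issuer, that issuer's issuer, ..., root.
check_chain_order() {
    work=$(mktemp -d)
    n=$(split_bundle "$1" "$work")
    status=0
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$work/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$work/c$j.pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "order error: cert $i was issued by [$issuer] but cert $j is [$subject]"
            status=1
        fi
        i=$j
    done
    rm -rf "$work"
    return "$status"
}

# Verify the first certificate of the bundle against a trusted root, using the
# rest of the bundle as untrusted intermediates, much as a client would.
verify_with_root() {
    work=$(mktemp -d)
    split_bundle "$1" "$work" >/dev/null
    openssl verify -CAfile "$2" -untrusted "$1" "$work/c1.pem"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Constructed chain: root CA -> intermediate CA -> leaf (a mail server name).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
        -subj "/CN=Demo Intermediate CA" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -subj "/CN=mail.example.test" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_chain "$d"
    # Same shape as the page's cat: site certificate, then its issuers, then root.
    cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/ssl-bundle.crt"
    check_chain_order "$d/ssl-bundle.crt" && echo "ssl-bundle.crt order OK"
    verify_with_root "$d/ssl-bundle.crt" "$d/root.crt"
    # Swapping intermediate and root breaks the issuer -> subject sequence.
    cat "$d/leaf.crt" "$d/root.crt" "$d/inter.crt" > "$d/wrong-bundle.crt"
    check_chain_order "$d/wrong-bundle.crt" || echo "wrong-bundle.crt rejected, as expected"
    rm -rf "$d"
}

demo
```

Where the bundle goes matters as well. According to the Dovecot SSL configuration page linked above, intermediate certificates belong in the `ssl_cert` file after the server certificate, while `ssl_ca` is used for verifying client certificates; the doveconf output on this page points `ssl_ca` at the ca-bundle and `ssl_cert` at the site certificate alone, which is worth re-checking with a client that does not already have the intermediates cached.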