Task #1642 (closed)

Parent task #1619: Update of the Mail service (application postfix), together with the mailing-list service (application GNU Mailman), from the FreeBSD 11 state

Set up TLS for lists.stura.htw-dresden.de for https

Added by PaulRiegel more than 1 year ago. Updated more than 1 year ago.

Status: Done
Priority: Immediate
Assigned to:
Category: Mailman instance
Start date: 03.06.2023
Due date: 03.06.2023
% done: 0%
Estimated effort:

Description

pkg ins -y py39-certbot-apache


=====                                                      
Message from python39-3.9.16_2:

--                 
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py39-gdbm       databases/py-gdbm@py39             
py39-sqlite3    databases/py-sqlite3@py39
py39-tkinter    x11-toolkits/py-tkinter@py39      
=====                 
Message from py39-urllib3-1.26.14,1:

--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from py39-certbot-2.4.0,1:

--
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:                                                                        

 * Apache plugin: security/py-certbot-apache                                                                          
 * Nginx plugin: security/py-certbot-nginx                                                                            

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

    weekly_certbot_enable="YES" 

More config details in the certbot periodic script:

    /usr/local/etc/periodic/weekly/500.certbot-3.9

Adjust the Apache configuration to enable the ssl module. Certbot apparently needs the module to be loaded with an absolute path: certbot --apache opens the mod_ssl file to find out which OpenSSL version Apache is linked against before deciding whether to add SSLSessionTickets off to the vhost it generates. If it cannot read the file it prints "Unable to read ssl_module file; not disabling session tickets." (visible in the certbot output further down) and leaves session tickets enabled; the certificate is still issued and deployed regardless.
https://httpd.apache.org/docs/2.4/ssl/
$EDITOR /usr/local/etc/apache24/httpd.conf


#LoadModule ssl_module libexec/apache24/mod_ssl.so
####LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule ssl_module /usr/local/libexec/apache24/mod_ssl.so

Adjust the Apache configuration to enable the rewrite module; certbot uses it for the HTTP-to-HTTPS redirect it inserts into the port-80 vhost.
https://httpd.apache.org/docs/2.4/rewrite/
$EDITOR /usr/local/etc/apache24/httpd.conf


#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

$EDITOR /usr/local/etc/apache24/extra/httpd-vhosts.conf

certbot --apache --email cert@stura.htw-dresden.de --agree-tos --no-eff-email

Saving debug log to /var/log/letsencrypt/letsencrypt.log                                                              
Unable to read ssl_module file; not disabling session tickets.                       
Account registered.                                                                                                   

Which names would you like to activate HTTPS for?                                                                     
We recommend selecting either all domains, or all domains in a VirtualHost/server block.    
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                       
1: lists.stura.htw-dresden.de                                                                                         
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input                
blank to select all options shown (Enter 'c' to cancel): c 
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing 
certificate name.                                                                                                     
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

ls -al /usr/local/libexec/apache24/mod_ssl.so

-rwxr-xr-x  1 root  wheel  235840 May 25 04:11 /usr/local/libexec/apache24/mod_ssl.so

certbot --apache --email cert@stura.htw-dresden.de --agree-tos --no-eff-email --domain lists.stura.htw-dresden.de --domain mail.stura.htw-dresden.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for lists.stura.htw-dresden.de and mail.stura.htw-dresden.de

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/lists.stura.htw-dresden.de/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/lists.stura.htw-dresden.de/privkey.pem
This certificate expires on 2023-08-31.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for lists.stura.htw-dresden.de to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Successfully deployed certificate for mail.stura.htw-dresden.de to /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://lists.stura.htw-dresden.de and https://mail.stura.htw-dresden.de

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

works!

diff /usr/local/etc/apache24/extra/httpd-vhosts.conf_2023-06-04 /usr/local/etc/apache24/extra/httpd-vhosts.conf


> RewriteEngine on
> RewriteCond %{SERVER_NAME} =mail.stura.htw-dresden.de [OR]
> RewriteCond %{SERVER_NAME} =lists.stura.htw-dresden.de
> RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
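Review bot: the redirect only fires when SERVER_NAME is exactly one of the two listed names, so a request carrying any other Host header (the bare IP address, or a further name that resolves to this host but is not listed) falls through and is still answered over plain HTTP by this vhost. If the site is meant to be HTTPS-only, drop the two RewriteCond lines and keep an unconditional `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]`, or add every served name to the conditions. The diff output above also lacks the position line that says where the four lines were inserted, so confirm they sit inside the *:80 VirtualHost rather than at file scope.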

The vhost that certbot generated is a copy of the port-80 vhost with the certificate directives appended, so everything in it, including the Alias of /pipermail/ to /usr/local/mailman/archives/private/ (the public archive directory is commented out) and the Require all granted on the whole /usr/local/mailman tree, now applies over HTTPS as well. Mailman serves private archives through its private CGI (ScriptAlias /private), which asks for the list password; an Alias straight into archives/private/ bypasses that check, so anyone who knows a list name can fetch its archive, provided the directory is readable by the web server user. Check this with an unauthenticated request for /pipermail/ followed by a list name before relying on the archives being private.

less /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerAdmin webmaster@stura.htw-dresden.de
   DocumentRoot "/usr/local/mailman/lists" 
   ServerName lists.stura.htw-dresden.de
   ServerAlias mail.stura.htw-dresden.de
   <Directory /usr/local/mailman/archives/>
       Options FollowSymLinks
       AllowOverride None
   </Directory>
####    vb
#   Alias /pipermail/ /usr/local/mailman/archives/public/
   Alias /pipermail/ /usr/local/mailman/archives/private/
####    ve
   Alias /images/mailman/ /usr/share/images/mailman/
   ScriptAlias /admin /usr/local/mailman/cgi-bin/admin
   ScriptAlias /admindb /usr/local/mailman/cgi-bin/admindb
   ScriptAlias /confirm /usr/local/mailman/cgi-bin/confirm
   ScriptAlias /create /usr/local/mailman/cgi-bin/create
   ScriptAlias /edithtml /usr/local/mailman/cgi-bin/edithtml
   ScriptAlias /listinfo /usr/local/mailman/cgi-bin/listinfo
   ScriptAlias /options /usr/local/mailman/cgi-bin/options
   ScriptAlias /private /usr/local/mailman/cgi-bin/private
   ScriptAlias /rmlist /usr/local/mailman/cgi-bin/rmlist
   ScriptAlias /roster /usr/local/mailman/cgi-bin/roster
   ScriptAlias /subscribe /usr/local/mailman/cgi-bin/subscribe
   ScriptAlias /mailman/ /usr/local/mailman/cgi-bin/
   ScriptAlias / /usr/local/mailman/cgi-bin/listinfo
   <Directory "/usr/local/mailman">
      AllowOverride All
      Options FollowSymlinks
      Require all granted
   </Directory>
   ErrorLog /var/log/mailman-error.log
#   CustomLog /var/log/mailman-access.log combined

Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /usr/local/etc/letsencrypt/live/lists.stura.htw-dresden.de/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/lists.stura.htw-dresden.de/privkey.pem
</VirtualHost>
</IfModule>

less /usr/local/etc/apache24/httpd.conf


<IfModule mod_ssl.c>
Listen 443
</IfModule>
Include /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf


$EDITOR /etc/periodic.conf

weekly_certbot_enable="YES"

Enabling the weekly run alone only renews the files under /usr/local/etc/letsencrypt/live; Apache keeps serving the old certificate until it is restarted or reloaded. Also set the service that the periodic script should act on after a successful renewal:

$EDITOR /etc/periodic.conf

weekly_certbot_enable="YES"
weekly_certbot_service="apache24"

less /usr/local/etc/periodic/weekly/500.certbot-3.9
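As an added example (not from the ticket and not part of certbot or the FreeBSD port), a POSIX sh script that checks the end state of the procedure above: that ssl_module is loaded via an absolute path, that Listen 443 is active, that both periodic.conf knobs are set, and that the deployed certificate names both hosts and is not close to expiry. The default paths are the ones used in this ticket and can be overridden through the environment; the `demo` argument, the function names, the 21-day threshold and the throwaway self-signed certificate produced by `make_demo_cert` (which needs OpenSSL 1.1.1 or newer for -addext) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ticket: post-deployment checks for the
# certbot/Apache setup above. Defaults are the FreeBSD paths and the two
# hostnames used in this ticket; override them via the environment.
set -u

HTTPD_CONF="${HTTPD_CONF:-/usr/local/etc/apache24/httpd.conf}"
PERIODIC_CONF="${PERIODIC_CONF:-/etc/periodic.conf}"
FULLCHAIN="${FULLCHAIN:-/usr/local/etc/letsencrypt/live/lists.stura.htw-dresden.de/fullchain.pem}"
NAMES="lists.stura.htw-dresden.de mail.stura.htw-dresden.de"

# Print a file without comment lines, so the commented-out LoadModule
# variants left in httpd.conf above are ignored.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# 0: ssl_module is loaded with an absolute path (what certbot --apache needs
# to read the module file); 1: loaded relative to ServerRoot; 2: not loaded.
check_ssl_module_path() {
    line=$(active_lines "$1" | grep -E 'LoadModule[[:space:]]+ssl_module' | head -n 1)
    [ -n "$line" ] || return 2
    case "$(printf '%s\n' "$line" | awk '{print $3}')" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# 0 if an active "Listen 443" (optionally with an address prefix) exists.
check_listen_443() {
    active_lines "$1" | grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)'
}

# 0 if periodic.conf both enables the weekly certbot run and names a service
# to act on afterwards, so a renewed certificate is actually picked up.
check_periodic() {
    active_lines "$1" | grep -Eq '^weekly_certbot_enable="?YES"?' &&
    active_lines "$1" | grep -Eq '^weekly_certbot_service="?[^"[:space:]]+"?'
}

# check_cert CERT MIN_DAYS NAME...: 0 if every NAME is in subjectAltName and
# the certificate stays valid for at least MIN_DAYS more days; 1 otherwise;
# 3 if the openssl CLI is not available.
check_cert() {
    cert=$1; min_days=$2; shift 2
    command -v openssl >/dev/null 2>&1 || return 3
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    for name in "$@"; do
        pat=$(printf '%s' "$name" | sed 's/[.]/\\./g')
        printf '%s\n' "$text" | grep -Eq "DNS:$pat(,|[[:space:]]|$)" || return 1
    done
    # -checkend exits 1 if the certificate expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Constructed throwaway self-signed certificate standing in for fullchain.pem
# (needs OpenSSL >= 1.1.1 for -addext); lets check_cert be tried offline.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj '/CN=lists.stura.htw-dresden.de' \
        -addext 'subjectAltName=DNS:lists.stura.htw-dresden.de,DNS:mail.stura.htw-dresden.de' \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Run all checks against the real files and report; returns 1 on any failure.
# 21 days: certbot renews below 30 days remaining and the job runs weekly,
# so a certificate with 21 days or less left means renewal is not working.
demo() {
    status=0
    check_ssl_module_path "$HTTPD_CONF" && echo "ok: ssl_module loaded via absolute path" \
        || { echo "FAIL: ssl_module missing or loaded via relative path"; status=1; }
    check_listen_443 "$HTTPD_CONF" && echo "ok: Listen 443 present" \
        || { echo "FAIL: no active Listen 443"; status=1; }
    check_periodic "$PERIODIC_CONF" && echo "ok: weekly certbot renewal enabled with service hook" \
        || { echo "FAIL: weekly_certbot_enable/weekly_certbot_service not both set"; status=1; }
    # shellcheck disable=SC2086
    check_cert "$FULLCHAIN" 21 $NAMES && echo "ok: certificate covers $NAMES, 21+ days left" \
        || { echo "FAIL: certificate check (SAN or expiry)"; status=1; }
    return $status
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh checks.sh demo` in the jail once certbot has finished; a non-zero exit means at least one check failed. The certificate check is the one worth scheduling, since it is the earliest signal that the automatic renewal verified in the follow-up ticket #1655 has stopped working.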


Related tickets: 2 (1 open, 1 closed)

Follows: Bereich Administration Rechentechnik - Task #1625: "Treatment" of https with certbot for apache on FreeBSD (TrueNAS CORE jail) (Feedback, MaximilianTraenkler, 02.06.2023)

Precedes: Bereich Administration Rechentechnik - Task #1655: Check that a certificate for TLS is re-obtained and used autonomously (automatically) with certbot (letsencrypt) (Done, Zuständigkeit Instandhaltung IT-Services, 01.10.2023 to 15.10.2023)