§2024-04-24
ChatGPT, get SSL certificate for j2jammy.yushei.net from Let's Encrypt
- Install Certbot:
$ sudo apt install certbot
- Obtain the Certificate: Run Certbot to obtain the SSL certificate. The command would look something like this:
$ sudo certbot certonly --standalone -d h2jammy.yushei.net
alexlai@h2Jammy:~$ sudo certbot certonly --standalone -d h2jammy.yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/h2jammy.yushei.net.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for h2jammy.yushei.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
This certificate expires on 2024-07-23.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- or
alexlai@h2Jammy:~$ sudo certbot certonly --standalone -d h2jammy.yushei.net --email alexlai@munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/h2jammy.yushei.net.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for h2jammy.yushei.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
This certificate expires on 2024-07-23.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Configure Dovecot: Once you have the certificate files, you'll need to configure Dovecot to use them. Typically, you'll need to update the Dovecot configuration file (usually located at /etc/dovecot/dovecot.conf or /etc/dovecot/conf.d/10-ssl.conf) to specify the paths to the certificate and key files. Here's an example of how you might configure Dovecot to use the SSL certificate:
ssl_cert = </etc/letsencrypt/live/yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/yourdomain.com/privkey.pem
alexlai@h2Jammy:~$ sudo cp -v /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.ori
'/etc/dovecot/conf.d/10-ssl.conf' -> '/etc/dovecot/conf.d/10-ssl.conf.ori'
alexlai@h2Jammy:~$ sudo /etc/dovecot/conf.d/10-ssl.conf
sudo: /etc/dovecot/conf.d/10-ssl.conf: command not found
alexlai@h2Jammy:~$ sudo nano /etc/dovecot/conf.d/10-ssl.conf
alexlai@h2Jammy:~$ sudo diff /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.ori
12,13c12,13
< ssl_cert = </etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
< ssl_key = </etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
---
> ssl_cert = </etc/dovecot/private/dovecot.pem
> ssl_key = </etc/dovecot/private/dovecot.key
- Restart Dovecot: After updating the configuration, restart the Dovecot service to apply the changes:
sudo systemctl restart dovecot
- Automate Certificate Renewal: Let's Encrypt certificates are valid for 90 days, so it's important to set up automated renewal to ensure that your SSL certificate remains valid. You can do this by adding a cron job that runs the Certbot renewal command periodically. You can use the certbot renew command to renew any certificates that are near expiration.
That's it! You should now have a valid SSL certificate for Dovecot obtained from Let's Encrypt.
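
Renewal only replaces the files under /etc/letsencrypt/live/; Dovecot keeps using the certificate it loaded when it started until it is restarted. The script below is an added example, not part of the original notes: a certbot deploy hook that restarts Dovecot only when 10-ssl.conf actually points at the renewed certificate. The hook file name and the DOVECOT_SSL_CONF override are assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original notes): certbot deploy hook for Dovecot.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/dovecot.sh (file name is hypothetical).

# Print the file a Dovecot "name = </path" setting points to (last occurrence wins).
dovecot_path() {    # $1 = setting name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only if ssl_cert and ssl_key both point into the given certbot lineage.
uses_lineage() {    # $1 = config file, $2 = lineage dir, e.g. /etc/letsencrypt/live/<name>
    [ "$(dovecot_path ssl_cert "$1")" = "$2/fullchain.pem" ] &&
        [ "$(dovecot_path ssl_key "$1")" = "$2/privkey.pem" ]
}

# certbot exports RENEWED_LINEAGE to deploy hooks; outside certbot this part does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # DOVECOT_SSL_CONF is a hypothetical override for the config path used in the notes.
    conf=${DOVECOT_SSL_CONF:-/etc/dovecot/conf.d/10-ssl.conf}
    if uses_lineage "$conf" "$RENEWED_LINEAGE"; then
        systemctl restart dovecot   # same restart as in the notes, so the new files are loaded
    else
        echo "dovecot: $conf does not use $RENEWED_LINEAGE, not restarting" >&2
    fi
fi
```

Scripts in the renewal-hooks/deploy directory run after a successful `certbot renew`, not after a manual `certbot certonly`, so the manual restart step above is still needed once.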