Installing an SSL certificate and enabling https was a faff, here are my notes. Now including postfix and dovecot…
Firstly, my DNS provider is NOIP, and I chose to get a TrustCOR certificate through their portal. Their free service offers a single certificate as a bundled feature.
Basically, the process is in three parts: get a certificate, configure Apache, and configure the firewall.
The NOIP Portal
Go to “My Services > SSL Certificates”; there are four help pages. Generate a CSR, which pointed me at “Apache OpenSSL”; read this all and note that the country code of where I live is GB not UK, and that they require a state/province field. This use of openssl generates the private key. The installation guide is at apache-ssl-installation; I wish I’d read it thoroughly, although at Apache 2.4.8 it is no longer necessary to separately define the ‘chain’ file. The portal offers a feature to download the certificate; do so and copy it to /etc/ssl/certs.
I installed a new cert in 2024 and it was much easier; see the comment dated Feb 2024. Download it, copy it to the ./certs folder and then ensure the apache config file points at it. The issuer documents the process here.
The Server
Firstly, mod_ssl and apache2 are already installed; this can be checked with both apt and ls /etc/apache2/mods-available. This guide assumes you have a certificate chain file (I had a .pem file), that it is issued by a CA, and that you have its private key.
- The mod needs to be enabled: a2enmod ssl. This creates a default ssl conf file in ./sites-available.
- The SSL .conf file needs to be edited. This is in ./sites-available, and it was created by the enable mod command, i.e. a2enmod ssl; its name is 000-default-ssl.conf, but ideally make a copy and change the basename, i.e. cp default-ssl.conf mydns.conf
- Then edit the two certificate file parameters (SSLCertificateFile and SSLCertificateKeyFile); use the .pem chain and the .key. The version of Apache I have (2.4.8) does not require the separate declaration of the chain file.
- My initial parameters are now set to: Listen 433; <VirtualHost *:433>; ServerName ${InternetName}
- a2ensite $(basename ${conf.file}) enables the site; note that a2dissite disables it if necessary.
- The hostname needs to match the hostname declared to the certificate; edit /etc/hosts and /etc/hostname.
- Then systemctl reload apache2, and systemctl restart apache2 for good measure.
- I was having problems getting it to work, because https was prohibited at the boundary, and so I ran hostname to change the hostname and put the FQDN into the hosts file. I am thus unsure if this and the ServerName parameter are required. This may break something else.
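A pre-flight check for the vhost settings above, added here as an example and not part of the original notes or of Apache: it reads the VirtualHost port, ServerName, SSLCertificateFile and SSLCertificateKeyFile from a Debian-style .conf, confirms the port is the standard HTTPS port 443 (the fragment above shows 433), that both files are readable and, when the openssl CLI is present, that the key really belongs to the certificate and the ServerName appears in it. The vhost file and self-signed certificate that make_sample_vhost writes are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight check of an Apache SSL vhost (added example, not from the post or Apache).
# Assumes a Debian-style vhost .conf; the key/cert checks need the openssl CLI and are skipped without it.

vh_get() {  # vh_get FILE DIRECTIVE -> first value of DIRECTIVE (names are case-insensitive)
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

check_ssl_vhost() {  # check_ssl_vhost FILE -> prints findings; exit status 0 when clean
    conf=$1; rc=0
    port=$(sed -n 's/^[[:space:]]*<VirtualHost[^:]*:\([0-9]*\)>.*/\1/p' "$conf" | head -n 1)
    name=$(vh_get "$conf" ServerName)
    cert=$(vh_get "$conf" SSLCertificateFile)
    key=$(vh_get "$conf" SSLCertificateKeyFile)
    [ "$port" = 443 ] || { echo "FINDING: VirtualHost is on port '$port'; https clients connect to 443"; rc=1; }
    [ -n "$name" ] || { echo "FINDING: no ServerName; it must match the certificate"; rc=1; }
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FINDING: cannot read '$f'"; rc=1; }
    done
    if command -v openssl >/dev/null && [ -s "$cert" ] && [ -s "$key" ]; then
        # the restart fails if the key is not the one the CSR (and so the certificate) was made from
        if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
            echo "FINDING: $key does not match $cert"; rc=1
        fi
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FINDING: certificate has expired"; rc=1; }
        openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$name(,|$)|CN *= *$name$" ||
            { echo "FINDING: ServerName $name is not in the certificate's CN or SAN"; rc=1; }
    fi
    return $rc
}

make_sample_vhost() {  # make_sample_vhost DIR PORT NAME -> constructed vhost + self-signed cert; prints conf path
    mkdir -p "$1"
    if command -v openssl >/dev/null; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
            -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    else
        : > "$1/cert.pem"; : > "$1/key.pem"   # placeholders; the openssl checks are then skipped
    fi
    printf '<VirtualHost *:%s>\n    ServerName %s\n    SSLEngine on\n' "$2" "$3" > "$1/$3.conf"
    printf '    SSLCertificateFile %s/cert.pem\n    SSLCertificateKeyFile %s/key.pem\n</VirtualHost>\n' "$1" "$1" >> "$1/$3.conf"
    echo "$1/$3.conf"
}
```

Run check_ssl_vhost against the real file in /etc/apache2/sites-available before a2ensite; it reports the same mismatch the Apache error log would, without a failed restart.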
Firewall
- I use a BT HomeHub (5A) and it needed an https rule to be set, because I had not set one before. Not doing this first probably cost me days.
See also https://davelevy.info/wiki/raspberry-pi-iii/#comment-148525
Postfix & Dovecot
These notes were generated by Google AI Perspectives.
To secure Postfix email server on Raspbian with SSL/TLS, you’ll need to generate or obtain an SSL/TLS certificate, configure Postfix to use it, and verify the setup. This involves editing the Postfix main.cf file, setting up the necessary paths for the certificate and key, and potentially configuring Dovecot for secure email access.
1. Generating or Obtaining an SSL/TLS Certificate:
- Self-Signed Certificates:
You can generate your own self-signed certificates using openssl on your Raspberry Pi. This is a simple option for local testing or private use but might not be trusted by clients.
- Third-Party Certificate Authorities (CAs):
For production environments, obtain a certificate from a reputable CA like Let’s Encrypt. This will allow clients to trust your server.
Steps for Self-Signed Certificates (Simplified):
- Install openssl: sudo apt-get install openssl
- Generate a key (the /etc/postfix/ssl directory must exist first): sudo openssl genrsa -out /etc/postfix/ssl/key.pem 2048
- Create a certificate signing request (CSR): sudo openssl req -new -key /etc/postfix/ssl/key.pem -out /etc/postfix/ssl/cert.csr
- Create a self-signed certificate: sudo openssl x509 -req -days 365 -in /etc/postfix/ssl/cert.csr -signkey /etc/postfix/ssl/key.pem -out /etc/postfix/ssl/cert.pem
2. Configuring Postfix for SSL/TLS:
- Edit main.cf:
  - Open the file: sudo nano /etc/postfix/main.cf
  - Set these options:
    - smtpd_tls_cert_file = /etc/postfix/ssl/cert.pem
    - smtpd_tls_key_file = /etc/postfix/ssl/key.pem
    - smtpd_tls_CAfile = /etc/postfix/ssl/ca.pem (if using a CA certificate; the Postfix parameter name has no underscore before "file")
    - smtpd_use_tls = yes (obsolete; smtpd_tls_security_level overrides it when both are set)
    - smtpd_tls_security_level = encrypt (mandatory TLS; set in main.cf this also applies to port 25, where remote mail servers that do not offer STARTTLS would be refused, so a publicly referenced MX normally uses may here and enforces encrypt only on the submission service in master.cf)
    - smtpd_tls_loglevel = 1 (optional, for debugging)
  - Save the file and exit.
- Restart Postfix: sudo systemctl restart postfix
3. Verifying SSL/TLS Configuration:
- Test with a tool like openssl s_client:
sudo openssl s_client -starttls smtp -connect [your_server_ip_or_hostname]:587 -showcerts -debug
Replace [your_server_ip_or_hostname] with your server’s IP address or domain name.
The output should show the certificate information and confirm a successful TLS connection.
4. (Optional) Configuring Dovecot for Secure Email Access:
- If using Dovecot:
  - Modify the Dovecot configuration (/etc/dovecot/dovecot.conf).
  - Set ssl = yes, ssl_cert = </etc/postfix/ssl/cert.pem and ssl_key = </etc/postfix/ssl/key.pem (or the appropriate paths); the leading < tells Dovecot to read the file rather than treat the value as the literal certificate.
  - Restart Dovecot: sudo systemctl restart dovecot
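An audit script for the main.cf settings in step 2, added here as an example and not from the post or from Postfix; it assumes a Debian-style main.cf, local cert and key paths, and a stat that accepts -c (GNU or BusyBox). It flags the setting a practitioner would query first, smtpd_tls_security_level = encrypt in main.cf, which also governs port 25 and so refuses remote mail servers that do not offer STARTTLS (may belongs in main.cf, with encrypt on the submission service in master.cf), and it checks that the certificate and key paths resolve and that the private key is not world-readable. The main.cf files that make_sample_cf writes are constructed for the demo.

```shell
#!/bin/sh
# Audit the smtpd TLS settings in a Postfix main.cf (added example, not from the post or Postfix).
# Assumes a Debian-style main.cf, local cert/key paths and a stat that accepts -c (GNU or BusyBox).

cf_get() {  # cf_get FILE KEY -> value of KEY; the last occurrence wins, as in Postfix
    awk -v k="$2" -F= '
        /^[ \t]*#/ { next }
        $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

audit_postfix_tls() {  # audit_postfix_tls MAIN_CF -> prints findings; exit status 0 when clean
    cf=$1; rc=0
    case "$(cf_get "$cf" smtpd_tls_security_level)" in
        may) ;;
        encrypt) echo "FINDING: 'encrypt' in main.cf also covers port 25, so remote MTAs without STARTTLS" \
                      "are refused; keep 'may' here and set encrypt on the submission service in master.cf"
                 rc=1 ;;
        "") echo "FINDING: smtpd_tls_security_level is unset, so server-side TLS is off"; rc=1 ;;
        *) echo "FINDING: unexpected smtpd_tls_security_level value"; rc=1 ;;
    esac
    [ -z "$(cf_get "$cf" smtpd_use_tls)" ] ||
        echo "NOTE: smtpd_use_tls is obsolete; smtpd_tls_security_level overrides it"
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        f=$(cf_get "$cf" "$p")
        if [ -z "$f" ]; then echo "FINDING: $p is not set"; rc=1
        elif [ ! -r "$f" ]; then echo "FINDING: $p points at unreadable file $f"; rc=1
        fi
    done
    key=$(cf_get "$cf" smtpd_tls_key_file)
    if [ -f "$key" ]; then
        case "$(stat -c %a "$key")" in   # last octal digit = permissions for "other"
            *[1-7]) echo "FINDING: private key $key is world-accessible; chmod 600 it"; rc=1 ;;
        esac
    fi
    return $rc
}

make_sample_cf() {  # make_sample_cf DIR LEVEL KEYMODE -> writes a constructed main.cf, prints its path
    mkdir -p "$1/ssl"; : > "$1/ssl/cert.pem"; : > "$1/ssl/key.pem"; chmod "$3" "$1/ssl/key.pem"
    printf 'smtpd_tls_cert_file = %s/ssl/cert.pem\nsmtpd_tls_key_file = %s/ssl/key.pem\n' "$1" "$1" > "$1/main.cf"
    printf 'smtpd_tls_security_level = %s\n' "$2" >> "$1/main.cf"
    echo "$1/main.cf"
}
```

Running audit_postfix_tls /etc/postfix/main.cf after step 2 shows the two findings the page's settings produce (encrypt, and a key left readable) and nothing once main.cf uses may with a 0600 key.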
Help
I found these sites helpful
- Adding https to the raspberry pi apache web server from variax.wordpress.com, uses local certs, but documents making a key pair using openssl and the changes needed in the .conf file and How to Host Multiple Websites with Apache Virtual Hosts
- How to enable/disable a website from linode.com, talks about the conf file and a2 commands; also enable mod_ssl apache on the commands, mainly systemctl, from ubiq.co, but also 14 apache commands to help you manage your server like a pro from devdojo, which also documents the commands and has more than ubiq’s.
- Here’s YAF page, How to install an SSL certificate on apache from www.ssls.com.
- Apache loads mod_ssl but ifmodule mod_ssl.c ignored in my vhosts from stackoverflow; the order of the include statements is important, but this was not relevant to me.
- An example vhosts file from Apache, and a how to, again from Apache, both major on the .conf file settings.
- Set new hostname raspberry pi, which points at raspi-config.
- A page on Remapping at apache,com was used to redirect port 80 to the https port; I needed a CNAME in DNS to redirect the standby name.
- man openssl from linux.die.net how to make the key pair.
- Simple Email Configuration on a Raspberry Pi from the Raspberry Pi forums
- Configuring SSL tls for postfix on Medium
- Using UFW from digital ocean.
Remember to back up your certificates and keys. I needed to rebuild the Pi and found that my certificate vendor had decided to withdraw the offer, and so I needed to recover the keys from the old disk. More faff. I did so by rebooting the old disk and copying the certs to the new disk. Mounting a raspbian boot disk on a windows laptop seems harder than I want, and the best advice would seem to be as above.
Over the winter of 2023/2024, I had to renew the certificate. The complexity of the install frightened me, but this is what I eventually did. I logged into the website, downloaded the new pem-chain file and moved it to /etc/ssl/certs. I then edited the SSLCertificateFile parameter in the apache config file, as it had a new name. I then restarted the apache server. It was simple; next time have no fear.
I failed to read the 2024 comment, and made a faff of how to reinstall a new SSL web certificate supplied by NO-IP.
I intend to install my certificate on a Raspbian. I made a CRT and private server key using the openssl command. The syntax of the command and the interactive arguments are documented at https://www.noip.com/support/knowledgebase/apache-openssl. My country code is GB not UK, and the NO-IP CA requires a city parameter. I used the FQDN as the domain name, i.e. dfl.ddns.net; this generates the cert file with a usable name.
I made the files in a folder in /opt/local and when the cert came through, I uploaded this to this folder too. I then copied the .pem to /etc/ssh/certs.
I checked the .conf file in /etc/apache2/sites-available, and amended/checked the SSLCertificateFile and SSLCertificateKeyFile lines.
NB the restart failed the first time, because I had failed to create the .pem file correctly. I needed to check the error log, in /var/logs. The errors reported by apachectl and services aren’t helpful.
Remembering the file placement standards is important. Next time copy the live key files to a new folder, and copy the new cert to /etc/ssl/certs.
I amended this page today and added the smtp and dovecot runes. SMTP seems to be not working, but this could be the external firewall rules, IMAP is working as is the mail program.
I had another go; it’s getting better, but why didn’t I read this article first? I installed apache2 & ufw, set the UFW rules (ssh, http[s] and RDP), then issued the a2enmod & a2ensite commands, then restarted apache.