Categories
Uncategorized

dkimproxy certbot on Debian 11

cpan App::cpanminus
cpanm Net::Server Mail::DKIM Crypt::OpenSSL::RSA Digest::SHA Mail::Address MIME::Base64 Net::DNS

cd /tmp
tar -xvf dkimproxy-1.4.1.tar.gz
cd dkimproxy-1.4.1/
./configure --prefix=/usr/local/dkimproxy
make install
cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
chmod +x /etc/init.d/dkimproxy

mkdir -p /usr/local/dkimproxy/var/run
useradd dkim
chown -R dkim:dkim /usr/local/dkimproxy/var/run

apt install snapd
snap install core; snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Stop the web service first: certbot's standalone mode needs to bind port 80 for the HTTP-01 challenge.
certbot certonly --standalone

Note: Mail::DKIM signs with RSA keys only, and recent certbot releases issue ECDSA keys by default, so request the certificate with --key-type rsa if its private key is going to double as the DKIM signing key.

Get the public key for the selector TXT record (the base64 output is the value of the p= tag):
openssl rsa -in /etc/letsencrypt/live/domain.com/privkey.pem -pubout -outform der 2>/dev/null | openssl base64 -A
Configure the DKIM TXT record (selector._domainkey) on the DNS server.
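As an added example (not from the original notes or from dkimproxy), the following POSIX shell script turns the RSA key dkimproxy will sign with into the zone-file TXT record for the selector; it refuses non-RSA keys and splits the base64 into 255-byte strings as TXT records require. It assumes openssl is installed; the selector name and key path are arguments you supply.

```shell
#!/bin/sh
# Added example, not part of dkimproxy or the original notes. Needs openssl.
# Usage: dkim_txt_record SELECTOR KEYFILE

# Succeed only if the PEM file in $1 is an RSA key; Mail::DKIM cannot sign with
# EC keys, which newer certbot issues by default (use --key-type rsa there).
dkim_key_is_rsa() {
    openssl rsa -in "$1" -noout >/dev/null 2>&1
}

# Print the base64 DER SubjectPublicKeyInfo of the RSA key (the p= tag value);
# this is exactly the openssl pipeline used in the note above.
dkim_public_b64() {
    openssl rsa -in "$1" -pubout -outform der 2>/dev/null | openssl base64 -A
}

# dkim_txt_record SELECTOR KEYFILE -> one zone-file line such as
#   mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..." "...rest of key..."
dkim_txt_record() {
    sel=$1; key=$2
    dkim_key_is_rsa "$key" || { echo "not an RSA key: $key" >&2; return 1; }
    value="v=DKIM1; k=rsa; p=$(dkim_public_b64 "$key")"
    # A TXT character-string is at most 255 bytes; resolvers join the pieces.
    chunks=$(printf '%s' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey IN TXT %s\n' "$sel" "${chunks% }"
}

# Run directly with two arguments; sourced, it only defines the functions.
if [ "$#" -eq 2 ]; then dkim_txt_record "$1" "$2"; fi
```

After publishing, `dig +short TXT selector._domainkey.domain.com` should return the same strings before dkimproxy is started.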

cd /usr/local/dkimproxy/
cp dkimproxy_out.conf.example dkimproxy_out.conf

Edit dkimproxy_out.conf so that the domain, selector and key file entries match the certificate's private key location and the selector published in DNS.

systemctl daemon-reload
systemctl enable dkimproxy
systemctl start dkimproxy

Categories
zimbra installation

Installing a GoDaddy SSL certificate on Zimbra 8

  1. Upload the required SSL files to the Zimbra server

    cp domain.key commercial.key
    cp intermediate/gd_bundle-g2-g1.crt commercial_ca.crt
    scp Certificate/numbers-digits.crt commercial.key commercial_ca.crt zimbra-IP:/tmp

  2. Verify the certificate (zmcertmgr reads the private key from /opt/zimbra/ssl/zimbra/commercial/commercial.key, so copy commercial.key there first)

    su - zimbra
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/numbers-digits.crt /tmp/commercial_ca.crt

  3. Deploy the certificate

    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/numbers-digits.crt /tmp/commercial_ca.crt

  4. Restart Zimbra

    zmcontrol restart
Categories
email

Setting up SSL (Let's Encrypt) with nginx in front of Citadel

  1. Change Citadel's HTTPS port to 2001 with

    dpkg-reconfigure citadel-webcit

  2. Install the Let's Encrypt SSL certificate by following the article https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
  3. Edit /etc/nginx/sites-enabled/citadel as follows:

    [code lang='plain']
    server {
        server_name domain.com citadel.domain.com;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        include snippets/ssl-domain.com.conf;
        include snippets/ssl-params.conf;

        error_log /var/log/nginx/citadel-error.log;
        access_log /var/log/nginx/citadel-access.log;

        root /usr/share/citadel-webcit;
        # optional:
        # listen 192.168.1.1:443
        # instead depending on your setup…

        # Main location
        location /webcit/ {
            proxy_pass https://127.0.0.1:2001/;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            client_max_body_size 10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
        location /listsub/ {
            proxy_pass https://127.0.0.1:2001;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            client_max_body_size 10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
        location /groupdav/ {
            proxy_pass https://127.0.0.1:2001/;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            client_max_body_size 10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
        location /freebusy/ {
            proxy_pass https://127.0.0.1:2001/;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            client_max_body_size 10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
    [/code]

Sources:
http://www.citadel.org/doku.php/faq:installation:apacheproxy
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Categories
zimbra

Installing a GeoTrust wildcard SSL certificate on Zimbra 8

Save the private key as /opt/zimbra/ssl/zimbra/commercial/commercial.key
Save the server certificate to the file /tmp/commercial.crt
Save the intermediate certificate as /tmp/ca_intermediate.crt

Download the "Root 2 – GeoTrust Global CA" PEM file from https://www.geotrust.com/resources/root-certificates/# and save it as /tmp/global2.crt

cat /tmp/ca_intermediate.crt /tmp/global2.crt /tmp/ca.crt > /tmp/ca_chain.crt

Verify the SSL certificate with

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

Deploy the SSL certificate

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

Restart Zimbra

su - zimbra
zmcontrol restart

Categories
internet linux installation

SSL for ownCloud 8.0 on Debian 7

Create a CSR with openssl on your PC.

openssl genrsa -des3 -out owncloud_domain_com.key 2048
openssl req -new -key owncloud_domain_com.key -out owncloud_domain_com.csr

After uploading the CSR and receiving the zip file from COMODO, unzip it, then build the chain certificate (intermediates first, root last).

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
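The two Zimbra posts above (their zmcertmgr verifycrt step) and this bundle.crt all depend on the same three things: the chain is complete, the issuer of the server certificate comes first in the bundle, and the certificate matches the private key. As an added example that is not from the original notes, this shell script builds a constructed root > intermediate > leaf chain with openssl and checks those three properties; every name in it is made up and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original notes. Needs openssl. All names are constructed.

# make_test_chain DIR: write root.crt, int.crt, server.crt (and their keys) into DIR.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    # An intermediate must carry CA:TRUE or chain verification rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=owncloud.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" >/dev/null 2>&1
}

# verify_chain LEAF BUNDLE: does LEAF chain through BUNDLE up to a self-signed root?
# A bundle missing the intermediate or the root fails here, as it does in zmcertmgr.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# bundle_order_ok LEAF BUNDLE: Apache's SSLCertificateChainFile wants the leaf's
# issuer first and the root last; check that the first cert in BUNDLE issued LEAF.
bundle_order_ok() {
    first=$(openssl x509 -in "$2" -noout -subject 2>/dev/null | sed 's/^subject=//')
    want=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$first" ] && [ "$first" = "$want" ]
}

# key_matches_cert KEY CERT: the public key inside CERT must be the one derived from KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run the same three functions against the real owncloud_domain_com.crt, bundle.crt and owncloud_domain_com.key before restarting Apache; a mismatch there is what a failed zmcertmgr verifycrt is reporting on the Zimbra side.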

Test with the self-signed certificate first.

a2enmod ssl
a2ensite default-ssl
service apache2 restart

If that works, continue:

Upload bundle.crt to /etc/apache2/ssl.crt/

Upload owncloud_domain_com.key to /etc/ssl/private/

Upload owncloud_domain_com.crt to /etc/ssl/certs/

Example of the changes in /etc/apache2/sites-enabled/default-ssl

SSLCertificateFile /etc/ssl/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/ssl/private/owncloud_domain_com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/bundle.crt

Also add the following setting to disable SSLv3 and so shut out POODLE

SSLProtocol All -SSLv2 -SSLv3

Restart apache2

service apache2 restart

Categories
internet

Apache notes #1

Adding the option of reaching the website over SSL (HTTPS)

*The following was done on Debian GNU/Linux 5

  1. Install the Apache HTTPD package
    aptitude install apache2
  2. Create the SSL certificate and private key (the lazy way, with the Debian snakeoil certificate)
    make-ssl-cert generate-default-snakeoil
    cd /etc/ssl/
    cat private/ssl-cert-snakeoil.key certs/ssl-cert-snakeoil.pem > mykey.pem
  3. Enable the ssl module for Apache2
    a2enmod ssl
  4. Add the following to /etc/apache2/sites-enabled/000-default (example for HTTPS access to /var/www)

    [code='plain']
    <VirtualHost _default_:443>
        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        SSLEngine On
        SSLCertificateFile /etc/ssl/mykey.pem
    </VirtualHost>
    [/code]

  5. Restart the apache2 service
    /etc/init.d/apache2 restart