Home > Guides > Alpine Server > Setting up Let's Encrypt SSL

Setting up Let's Encrypt SSL

Installation

Install certbot:

apk add certbot certbot-nginx
certbot --nginx -d example.com -d www.example.com

Renewing the Certificates

To test if the certificate renewal works, you can perform a dry run:

certbot renew --dry-run

To renew the certificates, run the following:

certbot renew

Add a DNS CAA record for your domain:

@ CAA 0 issue "letsencrypt.org"

Setting up Nginx

Generate the Diffie-Hellman parameters:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Edit /etc/nginx/nginx.conf:

http {
	include /etc/nginx/sites-enabled/*;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers !ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ecdh_curve secp384r1;
}

Edit your per site-configurations in /etc/nginx/sites-available to enable HTTPS:

server {
	listen 80;
	listen [::]:80;
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name .example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

Allow TCP traffic on the HTTPS port (443):

ufw allow https

Reload the Nginx configuration:

/etc/init.d/nginx reload

Setting up Postfix

Edit /etc/postfix/main.cf:

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level=may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tls_random_source = dev:/dev/urandom

Edit /etc/postfix/master.cf:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sals_auth_enable=yes
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Allow TCP traffic on the SMTPS and Submission ports (port 465 and 587):

ufw allow smtps
ufw allow 587/tcp

Reload the Postfix configuration:

/etc/init.d/postfix reload

Add the following DNS records:

_submission._tcp SRV 587 smtp.example.com.

Setting up Dovecot

Generate the Diffie-Hellman parameters:

openssl dhparam -out /etc/dovecot/dh.pem 4096

Edit /etc/dovecot/conf.d/10-ssl.conf:

ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

Allow TCP traffic on the IMAPS and POP3S ports (port 993 and 995):

ufw allow imaps
ufw allow pop3s

Reload the Dovecot configuration:

/etc/init.d/dovecot reload

Add the following DNS records:

_imaps._tcp SRV 993 imap.example.com.
_pop3s._tcp SRV 995 pop3.example.com.

Testing

Use OpenSSL to test the connection:

openssl s_client -connect imap -connect example.com:443
openssl s_client -starttls smtp -connect mail.example.com:587
openssl s_client -starttls imap -connect mail.example.com:143
openssl s_client -connect mail.example.com:993