Re: [CentOS] Step-by-Step Tutorial: How to Deploy cPanel Web Hosting Control Panel version 11.74 on CentOS 7.5 Linux Server version 1805 in Amazon AWS Cloud

2018-09-01 Thread Nicolas Kovacs
Le 01/09/2018 à 14:52, Turritopsis Dohrnii Teo En Ming a écrit :
> Step-by-Step Tutorial: How to Deploy cPanel Web Hosting Control Panel
> version 11.74 on CentOS 7.5 Linux Server version 1805 in Amazon AWS
> Cloud

Just a suggestion. I don't think this mailing list is the right place
for tutorials, the more so since they contain some wrong information.

For this kind of thing, you can have a blog (like the one I have linked
in my signature). And use this list for the odd question that you were
not able to solve by reading books or searching Google.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Certificates

2018-09-01 Thread Gordon Messmer
I use something like this script to renew my SMTP and IMAP certificates 
(/etc/cron.weekly/certbot-renew):


#!/bin/sh

hostcert=/etc/letsencrypt/live/mail.example.com
certlink="$(readlink "${hostcert}/cert.pem")"

test -x /usr/bin/certbot || exit 72

certbot certonly --quiet --standalone --keep-until-expiring \
    -d mail.example.com \
    -d imap.example.com \
    --email postmas...@example.com \
    --agree-tos --expand

# Exit if the cert hasn't been updated (certbot replaces the symlink target
# only when it actually issued a new certificate)
test "${certlink}" = "$(readlink "${hostcert}/cert.pem")" && exit

# The combined files contain the private key, so do not create them with the
# default umask (world-readable)
umask 077
cat "${hostcert}/fullchain.pem" "${hostcert}/privkey.pem" > /usr/lib/courier/share/esmtpd.pem
cat "${hostcert}/fullchain.pem" "${hostcert}/privkey.pem" > /usr/lib/courier/share/imapd.pem

systemctl restart courier



Re: [CentOS] Certificates

2018-09-01 Thread Matthias Bethke via CentOS
On September 2, 2018 1:12:58 AM GMT+07:00, Rainer Duffner wrote:
>I’m pretty sure LE creates a new private key, too.
>From a cursory glance at lego’s certificate directory on a server with
>a couple of dozens of LE certificates at least.
> 
>After all, changing the private key is what this is all about (showing
>that you’re still in charge).

It doesn't hurt when the process is automated anyway, but it's by no means 
necessary. The limited validity period limits how long an attacker can abuse 
the cert should they get hold of it. However, if you have no reason to suspect a 
compromise, it's by no means necessary. It doesn't improve security (if you've 
been hacked in a way you don't notice, it's highly likely the new key would 
leave your system the same way the previous one did) and it's just one more 
thing that can go wrong if you do it manually.

Cheers,
Matthias


Re: [CentOS] Certificates

2018-09-01 Thread Warren Young
On Sep 1, 2018, at 12:10 PM, Rainer Duffner wrote:
> 
>> Am 01.09.2018 um 12:51 schrieb Pete Biggs :
>> 
>> That was until LetsEncrypt comes along - it has the backing of some big
>> names and *IS* an effective business model for small and private
>> customers.
> 
> What *is* the business model of Let’s Encrypt?

They’re a nonprofit, run off of sponsorships and donations:

https://letsencrypt.org/about/
https://letsencrypt.org/donate/
https://letsencrypt.org/docs/faq/
https://letsencrypt.org/sponsors/
https://letsencrypt.org/become-a-sponsor/

> Are they going to issue „Pro“ certificates at some point that cost money?

That would be incompatible with their 501(c)(3) status.

> Running a CA is not expensive per se

Indeed.

Let’s Encrypt was inevitable: the compute costs of generating certs, running 
the back-end service, and holding the data were tiny in the 1990s and are even 
tinier now.

Tiny times massive equals large, so at scale there are non-trivial costs, but 
the old standard of ~$100/yr was rapacious for what we’d now call a domain 
validation (DV) or light organization validation (OV) cert.

> In the beginning, the certificates had a certain level of trust with them 
> that came both from the high prices (deterring drive-by crooks) and the fact 
> that some sort of vetting was made to ensure that nobody could have issued a 
> certificate for a domain they didn’t really control.

I had certs in the early days, and even back then, a standard web site cert 
didn’t involve a whole lot of checking.

That’s led to the DV vs OV vs EV distinction:

https://www.ssl.com/article/dv-ov-and-ev-certificates/

If a DV-only cert is sufficient for your purposes, then Let’s Encrypt probably 
does all you need.

The only reason to buy a cert these days is if you want OV or EV, and if it 
were me, I’d skip OV and go to EV in order to get the extra assurances that the 
green styling in the browser asserts.  For some applications, it’s worth the 
money.

DV-only covers a whole lot of use cases, though, including the one that started 
this thread.

> These days, a certificate just shows that the communication is encrypted.

You may be right that there is little practical difference to a random end user 
between DV and OV, but I believe there is real value in EV.

> There’s even talk about deprecating the special handling browsers have for 
> EV-certificates from future versions of Mozilla.

Why?

I’m aware that it’s possible to generate a fraudulent EV cert, but to deprecate 
the distinction between EV and DV is to impugn the value of the CA system 
entirely.  There’s plenty of problems in the system, which is one reason why we 
have the CAB Forum: untrustworthy CAs get run out of business.

That leaves transparent TLS proxy middleboxes and such, but that’s just another 
“Who do you trust?” argument.


Re: [CentOS] Certificates

2018-09-01 Thread Walter H.

On 01.09.2018 20:12, Rainer Duffner wrote:
>> Am 01.09.2018 um 18:00 schrieb Leon Fauster via CentOS:
>>
>> Out of curiosity - do you change also the private key every time?

when renewing a certificate the private key should also be changed;
otherwise the renewal because of short validity period doesn't make 
sense ...

> I’m pretty sure LE creates a new private key, too.

depends on the implementation;





Re: [CentOS] Step-by-Step Tutorial: How to Deploy cPanel Web Hosting Control Panel version 11.74 on CentOS 7.5 Linux Server version 1805 in Amazon AWS Cloud

2018-09-01 Thread Jonathan Billings
Could you please not post self-promotional “tutorials” to the list?  There are 
many questionable suggestions in this tutorial, and it doesn’t appear you 
should be writing as an authority on the subject. 

If you have questions about anything CentOS related to help you better 
understand the subject, feel free to ask on the list. 

Thanks!

--
Jonathan Billings's


Re: [CentOS] Certificates

2018-09-01 Thread Alexander Dalloz

Am 01.09.2018 um 20:27 schrieb Valeri Galtsev:
> I just checked on my box and confirm that yes, with every renewal of 
> certificate new key is created. I should realize that fact even before 
> looking, as it is asymmetric encryption pair, thus the new pair cert+key 
> is generated (and the cert [request] gets signed).
>
> Valeri

You are commenting on a specific ACME helper tool to create LE 
certificates? On my side the key stays the same. And as long as it is 
not compromised there is no need to change it.


Alexander



Re: [CentOS] Certificates

2018-09-01 Thread Valeri Galtsev



On 9/1/18 1:12 PM, Rainer Duffner wrote:
>> Am 01.09.2018 um 18:00 schrieb Leon Fauster via CentOS :
>>
>> Out of curiosity - do you change also the private key every time?
>
> I’m pretty sure LE creates a new private key, too.

I just checked on my box and confirm that yes, with every renewal of 
certificate new key is created. I should realize that fact even before 
looking, as it is asymmetric encryption pair, thus the new pair cert+key 
is generated (and the cert [request] gets signed).

Valeri

> From a cursory glance at lego’s certificate directory on a server with a 
> couple of dozens of LE certificates at least.
>
> After all, changing the private key is what this is all about (showing that 
> you’re still in charge).



--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Certificates

2018-09-01 Thread Rainer Duffner


> Am 01.09.2018 um 18:00 schrieb Leon Fauster via CentOS :
> 
> Out of curiosity - do you change also the private key every time? 



I’m pretty sure LE creates a new private key, too.
From a cursory glance at lego’s certificate directory on a server with a couple 
of dozens of LE certificates at least.
 
After all, changing the private key is what this is all about (showing that 
you’re still in charge).




Re: [CentOS] Certificates

2018-09-01 Thread Rainer Duffner


> Am 01.09.2018 um 12:51 schrieb Pete Biggs :
> 
> That was until LetsEncrypt comes along - it has the backing of some big
> names and *IS* an effective business model for small and private
> customers.


What *is* the business model of Let’s Encrypt?

Are they going to issue „Pro“ certificates at some point that cost money?

Running a CA is not expensive per se - it’s the audits that the CAB 
(CA+Browser) Forum mandates that are expensive.

In the beginning, the certificates had a certain level of trust with them that 
came both from the high prices (deterring drive-by crooks) and the fact that 
some sort of vetting was made to ensure that nobody could have issued a 
certificate for a domain they didn’t really control.

But the latter step is not very friendly to automation. And CAs can in principle 
issue certificates for any domain - a fact brought home by the compromise of 
Dutch CA DigiNotar in the fall of 2011.
Adding to the fact is a concentration-process in the industry that leads to 
fewer and fewer companies that know less and less of their customers.

These days, a certificate just shows that the communication is encrypted. 
Whether the other endpoint is what it claims to be is of no concern to any 
third-party involved in setting up that communication-process.

There’s even talk about deprecating the special handling browsers have for 
EV-certificates from future versions of Mozilla.




Re: [CentOS] Certificates

2018-09-01 Thread Leon Fauster via CentOS
Am 01.09.2018 um 02:06 schrieb Warren Young :
> 
> I’ve been running some of my domains on Let’s Encrypt for years now, and have 
> never had a single user complain to me that my certs are changing too often.

Out of curiosity - do you change also the private key every time? 

--
LF



[CentOS] Step-by-Step Tutorial: How to Deploy cPanel Web Hosting Control Panel version 11.74 on CentOS 7.5 Linux Server version 1805 in Amazon AWS Cloud

2018-09-01 Thread Turritopsis Dohrnii Teo En Ming
Step-by-Step Tutorial: How to Deploy cPanel Web Hosting Control Panel version 
11.74 on CentOS 7.5 Linux Server version 1805 in Amazon AWS Cloud

Secondary Subject/Topic: How to Setup a New Startup Web Hosting Company Using 
cPanel Web Hosting Control Panel version 11.74, CentOS 7.5 Linux Server version 
1805, and Amazon AWS Cloud

Tertiary Subject/Topic: How to Startup Your Own Internet Business Like China's 
Billionaire Jack Ma. Will Teo En Ming Be Able to Emulate Jack Ma?

Objective: Experimental and Feasibility Studies for Teo En Ming's Startup 
Internet Business

AUTHOR OF THIS TUTORIAL: MR. TURRITOPSIS DOHRNII TEO EN MING (ZHANG ENMING) @ 
TIME TRAVELLER
ACADEMIC QUALIFICATIONS:
(1) Bachelor of Engineering (Second Class Lower Honours) in Mechanical 
Engineering from National University of Singapore (Graduated DEC 2006), with 
Electives in Aerospace Engineering
(2) Part Time Diploma (Conversion) in Computer Networking with 4 Distinctions 
from Singapore Polytechnic (Graduated 2017)
(3) Full Time Diploma in Mechatronics Engineering with Merit from Singapore 
Polytechnic (Graduated 1998)
(4) Certificate of Completion for CISCO Certified Network Associate (CCNA) 
5-DAY Boot Camp from NTUC Learning Hub, Singapore, Year 2017
(5) National Infocomm Competency Framework (NICF) (Singapore) Certificate in 
Configuring a CISCO Router, Year 2017
(6) National Infocomm Competency Framework (NICF) (Singapore) Certificate in 
Configuring a CISCO Switch, Year 2017
(7) GCE "O" Levels with 7 A1s and 1 A2, Top Student Award, Graduated 1994
(8) Primary School Leaving Examination (PSLE) Score of 238, Graduated 1990
AGE: 40 YEARS OLD (as at 1ST SEPTEMBER 2018)
COUNTRY OF RESIDENCE: REPUBLIC OF SINGAPORE
DATE: 1ST SEPTEMBER 2018 SATURDAY
TIME: 8:30 PM SINGAPORE TIME, GREENWICH MEAN TIME+8
PRIMARY EMAIL: teo.en.ming AT gmail.com
SECONDARY EMAIL: teo.en.ming.BUSINESS AT gmail.com

DOCUMENT VERSION: 1809.01

COPYRIGHT (C) 2018 TURRITOPSIS DOHRNII TEO EN MING. This step-by-step tutorial 
is written by Teo En Ming in Singapore.

NB: This document consists of a total of 251 steps.

SECTION 1: DEPLOYING THE CPANEL DNSONLY DOMAIN NAME SERVERS
===========================================================

001. Login to your Amazon AWS Cloud account.

002. Click Services > Compute > EC2

003. Click Network and Security > Elastic IPs

004. Click Allocate new address. Click Allocate. New address request succeeded, 
for example, 13.58.134.234.

005. Click Instances > Instances. Click Launch Instance.

006. Click AWS Marketplace.

007. Search for CentOS.

008. Select CentOS 7 (x86_64) - with Updates HVM Amazon Machine Image (AMI). 
Click Continue.

009. Select General Purpose, t2.micro, 1 vCPU, 1 GB RAM (FREE TIER ELIGIBLE).

010. Click Next: Configure Instance Details.

011. Select Network: 

012. Select Subnet:  | Public subnet | us-east-2a

013. Click Protect against accidental termination.

014. Click Next: Add Storage

015. Click Next: Add Tags

016. Enter Key = Name and Value = CPANEL NAME SERVER 1

017. Click Next: Configure Security Group

018. Click Select an existing security group

019. Select NS_SG (Name Server Security Group).

020. Click Review and Launch. Click Launch.

021. Select a key pair.

022. Click Network and Security > Elastic IPs.

023. Select Elastic IP 13.58.134.234.

024. Click actions > associate address.

025. Select Instance: CPANEL NAME SERVER 1

026. Click Allow Elastic IP to be reassociated if already attached.

027. Click Associate.

028. Login to CentOS 7 Linux Server using Putty. Use centos as username.

Follow the Installation Guide - cPanel DNSONLY Installation at 
https://documentation.cpanel.net/display/74Docs/Installation+Guide+-+cPanel+DNSONLY+Installation

SECTION 2: INSTALLING CPANEL DNSONLY NAME SERVER 1
==================================================

029. cd /home

030. sudo curl -o latest-dnsonly -L 
https://securedownloads.cpanel.net/latest-dnsonly

031. sudo sh latest-dnsonly

032. sudo /scripts/configure_firewall_for_cpanel

033. sudo passwd root

034. Go to https://13.58.134.234:2087 and login.

035. Click I Agree. Go to Step 2

036. Enter Server Contact Email Address.

037. Enter Server Hostname, for example, ns1.teo-en-ming-corp.com

038. Enter Primary Resolver, e.g. 8.8.8.8

039. Enter Secondary Resolver, e.g. 8.8.4.4

040. Click Save and Go to Step 3.

041. Click Skip this step and use my server's default settings.

042. Select BIND DNS Server.

043. Nameserver 1: ns1.teo-en-ming-corp.com

044. Nameserver 2: ns2.teo-en-ming-corp.com

045. Request another Elastic IP address in Amazon AWS Cloud as per steps above, 
e.g. 52.15.109.147

046. Click Configure Nameserver A Records

047. ns1.teo-en-ming-corp.com IPv4: 13.58.134.234

048. ns2.teo-en-ming-corp.com IPv4: 52.15.109.147

049. Click Finish.

050. Login to your domain registrar, e.g. godaddy.com

051. Select your domain name, e.g. teo-en-ming-corp.com

052. Click Manage DNS. Click Host names. Click Add.

053. Map 

Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs


> 
> And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant 
> changing certs even with a long lived root may get old for your customers.

Why? I have corporate systems on 2 year commercial CA signed
certificates and personal servers on 90 day LetsEncrypt ones - my users
of IMAP and SMTP have never ever noticed when I changed the
certificates on any device. The certificates all have trusted CAs so
the clients trust them without any interaction.  Even I don't notice
when certbot renews my certificates.

> 
> Unfortunately, there has never been an effective business model for 
> small customers.

The problem is one of trust - in the past even significant CAs have had
their signing keys leaked, so it's difficult for the root CAs to trust
a company who deals with SMEs with cut price signing (the
infrastructure has a significant cost, so they must be cutting corners
somewhere!).

That was until LetsEncrypt came along - it has the backing of some big
names and *IS* an effective business model for small and private
customers.

P.





Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs


> 
>  Your IMAP server can use those files and may then respond to
> requests for IMAP over SSL/TLS on e.g. port 993. Port 143 is for
> unencrypted IMAP, so in that case certificates are not relevant at
> all.

Well, apart from STARTTLS ...

P.




Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs


> 
> so - if you want to get certificates for an imap only server, you will
> have to setup an webserver for the challenge. or deal with your dns server.
> 
Having just set up some LetsEncrypt certificates on a CentOS server:

Certbot automates the process - if you have a webserver running, it
will use that; if you don't, it attaches a minimalistic web server to
port 80 to respond to the LetsEncrypt challenges. It's very, very easy.
(The challenges are purely to verify that you are the owner of the
domain you are asking for certificates for.)

The certificates it generates can be used for IMAP and SMTP as well.

certbot will automatically renew the certificates 2 weeks (I think)
before they expire - it does not need the web/dns challenges for
renewal. There are hooks in the process to put the renewed certificates
wherever you want, otherwise it puts them where your web server is
expecting them.

P. 



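An added example, not code from this list, from certbot or from Let's Encrypt, that ties together two points of the discussion above: whether a renewal rotated the private key (the exchange between Rainer, Valeri, Alexander and Matthias), and the hook Pete mentions for putting renewed certificates where a mail server expects them. It compares keys by the digest of their public half, checks that the renewed certificate and key belong together before anything is restarted, and writes the combined PEM so the private key is never world-readable. It assumes the openssl command-line tool, a certbot lineage under /etc/letsencrypt/live/mail.example.com, a Courier-style combined file at /usr/lib/courier/share/esmtpd.pem and a `courier` systemd unit; all of those paths and names are illustrative.

```shell
#!/bin/sh
# Added example (not the list's, certbot's or Let's Encrypt's own code):
# detect key rotation across an ACME renewal, verify the cert/key pair and
# install a combined PEM for a mail daemon without exposing the key.
# Requires the openssl CLI. Paths and hostnames below are assumptions.

set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo derived from a private key.
spki_sha256_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest, taken from the public key inside a certificate (for a
# fullchain file this is the first, i.e. leaf, certificate).
spki_sha256_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Did the renewal rotate the key? Compare old and new private keys by their
# public-key digest rather than by file bytes, so a mere PEM re-encoding does
# not look like a change. Prints "reused" or "rotated".
key_rotation_status() {
    if [ "$(spki_sha256_of_key "$1")" = "$(spki_sha256_of_key "$2")" ]; then
        echo reused
    else
        echo rotated
    fi
}

# True when the private key in $1 matches the leaf certificate in $2.
key_matches_cert() {
    [ "$(spki_sha256_of_key "$1")" = "$(spki_sha256_of_cert "$2")" ]
}

# Write fullchain + private key into one file (the layout Courier expects),
# refusing a mismatched pair, creating the file 0600 via umask and renaming it
# into place so a concurrent reader never sees a half-written or readable key.
install_combined_pem() {
    fullchain=$1; key=$2; dest=$3
    key_matches_cert "$key" "$fullchain" || {
        echo "refusing to deploy: key does not match certificate ($dest)" >&2
        return 1
    }
    tmp="${dest}.tmp.$$"
    ( umask 077; cat "$fullchain" "$key" > "$tmp" )
    mv -f "$tmp" "$dest"
}

# When run by certbot as a deploy hook, RENEWED_LINEAGE points at the live
# directory of the lineage that was just renewed; outside certbot it is unset
# and this part is skipped. Destination path and unit name are assumptions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_combined_pem "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        /usr/lib/courier/share/esmtpd.pem
    systemctl restart courier
fi
```

Placed in /etc/letsencrypt/renewal-hooks/deploy/ (or passed with --deploy-hook) the script runs only after a renewal actually produced a new certificate, which removes the need for the readlink comparison in the cron script earlier in the thread. Whether the key rotates is a client setting rather than a property of Let's Encrypt: certbot generates a fresh key by default and keeps the existing one with --reuse-key, and key_rotation_status run against a copy of the previous privkey.pem tells you which of the two your client did.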


Re: [CentOS] Certificates

2018-09-01 Thread Walter H.

On 31.08.2018 21:31, Michael Schumacher wrote:
> certbot works only with ports 80 or 443? Can lego work with IMAP
> ports like 143 or 993? The documentation is not very clear.

in case of other than Webserver you use ACME-DNS
just for a simple ACME client that is capable for ACME-DNS use acme.sh
https://acme.sh/


