Free wildcard cert manually


Let's Encrypt started supporting wildcard certificates with certbot version 0.22.
These changes need to be applied to the procedure at https://riowingwp.wordpress.com/2019/01/20/ssl-cert-installation
1. certbot 0.22 on Ubuntu 18. Ubuntu 14 can only install certbot 0.14.2, which cannot issue wildcard certs.
2. In addition to preparing the CSR file that Let's Encrypt asks for, a DNS record must be created.
3. The server needs to be changed from acme-v01 to acme-v02. The whole command therefore becomes:
/usr/bin/certbot certonly --authenticator manual --server https://acme-v02.api.letsencrypt.org/directory --text --email RioChn@gmail.com --csr riowingNet.csr --logs-dir . --config-dir . --work-dir .

Details on DNS verification:
Taking Google Domains as an example.
DNS TXT record name: _acme-challenge.riowing.net
DNS TXT record value: comes from the challenge, about 50 characters long.
Propagation took over one hour in my case.
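The TXT value certbot prints is not arbitrary: it is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, RFC 7638). As an added example that is not part of the original post, this Python derives that value and checks a published record against it; the key modulus and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def rsa_jwk_thumbprint(n_b64url: str, e_b64url: str) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of the required members (lexicographic order, no whitespace)."""
    canonical = json.dumps({"e": e_b64url, "kty": "RSA", "n": n_b64url},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT data = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def txt_record_matches(published: str, expected: str) -> bool:
    """Compare what `dig TXT _acme-challenge.<domain>` shows (quoted) with the
    expected value; a mismatch means the record has not propagated yet or the
    wrong challenge value was copied into the DNS console."""
    return published.strip().strip('"') == expected

# Constructed sample inputs (not a real account key or challenge token).
SAMPLE_N = b64url(bytes(range(256)))   # stands in for a 2048-bit modulus
SAMPLE_E = "AQAB"                      # 65537, the usual public exponent
SAMPLE_TOKEN = "constructedTokenFromCertbotPrompt_0123456789"

if __name__ == "__main__":
    thumb = rsa_jwk_thumbprint(SAMPLE_N, SAMPLE_E)
    print("_acme-challenge.riowing.net TXT", dns01_txt_value(SAMPLE_TOKEN, thumb))
```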
To verify:
openssl verify -verbose -CAfile <(cat 0000_chain.pem root.crt) riowingChainCertbot.crt
output: riowingChainCertbot.crt: OK
where 0000_chain.pem is the intermediate certificate that sits between riowingChainCertbot.crt and the root.
To view (Windows certutil):
certutil.exe -decode riowingChainCertbot.crt riowingChainCertbot.bin
certUtil.exe riowingChainCertbot.bin
Output includes: CN=*.riowing.net and CN=Let's Encrypt Authority X3
Download: http://riowing.net/p/certs.zip

http2


Install web server nginx-1.9.15, which supports HTTP/2.
Finding out which HTTP version tech.riowing.net speaks, from a remote Windows/WSL client:
curl: $ curl -sI --insecure https://tech.riowing.net -o /dev/null -w '%{http_version}\n'
output: 2
External tool:
https://tools.keycdn.com/http2-test
type in https://tech.riowing.net:443/hls/a.html
output: HTTP/2 protocol is supported.
Chrome:
Press F12 to bring up the DevTools window; the Protocol column of the Network tab says h2.

Server side:
Build nginx from source, since HTTP/2 is not in the default build.
download source: http://nginx.org/download/nginx-1.9.15.tar.gz
untar it and cd into that folder.
$ ./configure --with-http_ssl_module --with-http_v2_module --add-module=../nginx-rtmp-module-master
I need nginx-rtmp for streaming
$ make
This builds the binary objs/nginx.
Config:
Edit nginx.conf so that the https server block has this line:
listen 443 ssl http2;
Most Ubuntu releases meet the minimum requirements: nginx 1.9.5 and TLS 1.2.


Email out thru Gmail as domain riowing.net


riowing.net is a public-facing EC2 instance over which I have full control.
When we ask Gmail to send out an email as name@riowing.net,
Gmail does not send it with "MAIL FROM: <name@riowing.net>", even though it is capable of doing so.
Instead, Gmail asks the host riowing.net to send the email.
Authentication:
Gmail requires TLS. Use Cyrus SASL.
SASL: Simple Authentication and Security Layer.
Cyrus SASL: a library implementation of SASL.
Config SASL:
Install: apt-get install sasl2-bin libsasl2-modules
Create credentials: saslpasswd2 -c -u riowing.net smtp
This creates the user smtp; enter the password when prompted.
Tell Cyrus how to check passwords by editing /etc/postfix/sasl/smtpd.conf to contain:
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
Create a self-signed certificate:
create keypair: openssl genrsa -des3 -out smtpRioWing.key 1024
create signing request: openssl req -new -key smtpRioWing.key -out smtpRioWing.csr
remove password: openssl rsa -in smtpRioWing.key.orig -out smtpRioWing.key
make cert: openssl x509 -req -days 3650 -in smtpRioWing.csr -signkey smtpRioWing.key -out smtpRioWing.crt
create .pem: cat smtpRioWing.crt smtpRioWing.key > smtpRioWing.pem
Config Postfix:
Edit /etc/postfix/main.cf so that:
both smtpd_tls_cert_file and smtpd_tls_key_file point to /etc/postfix/smtpRioWing.pem

Edit /etc/postfix/master.cf; this opens up port 587:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(smtpd_tls_security_level was encrypt before.)
Then: sudo postfix reload
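As an added check that is not from the original post or from Postfix, this Python lints the submission stanza above: it flags smtpd_tls_security_level=may when smtpd_tls_auth_only=yes is not also set, because with mech_list PLAIN LOGIN a client could then send the relay password before TLS is negotiated, and it confirms the relay restriction ends with reject. The stanza embedded below is a constructed copy of the one above; main.cf settings are passed in as an assumed dictionary since the script does not read that file.

```python
from typing import Dict, List, Optional

def parse_service_overrides(master_cf: str, service: str) -> Dict[str, str]:
    """Return the '-o name=value' overrides under the named master.cf service.
    Service lines start in column 0; their continuation lines are indented."""
    overrides: Dict[str, str] = {}
    in_service = False
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            in_service = raw.split()[0] == service
            continue
        fields = raw.split()
        if in_service and len(fields) >= 2 and fields[0] == "-o" and "=" in fields[1]:
            name, value = fields[1].split("=", 1)
            overrides[name] = value
    return overrides

def lint_submission(master_cf: str, main_cf: Optional[Dict[str, str]] = None) -> List[str]:
    """Flag port-587 settings that would weaken this Gmail relay setup.
    main_cf: settings assumed to be inherited from main.cf (e.g. smtpd_tls_auth_only)."""
    overrides = parse_service_overrides(master_cf, "submission")
    if not overrides:
        return ["no submission service with overrides found"]
    o = {**(main_cf or {}), **overrides}          # master.cf -o wins over main.cf
    findings: List[str] = []
    if o.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL auth is not enabled on submission")
    tls = o.get("smtpd_tls_security_level")
    if tls != "encrypt" and o.get("smtpd_tls_auth_only") != "yes":
        findings.append(f"smtpd_tls_security_level={tls}: PLAIN/LOGIN credentials can be sent "
                        "without TLS; use 'encrypt' or set smtpd_tls_auth_only=yes")
    relay = [p.strip() for p in o.get("smtpd_relay_restrictions", "").split(",") if p.strip()]
    if "permit_sasl_authenticated" not in relay or relay[-1] != "reject":
        findings.append("smtpd_relay_restrictions should be permit_sasl_authenticated,reject")
    return findings

# Constructed sample: the stanza from this post, plus a default smtp service line.
SAMPLE_MAY = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
SAMPLE_ENCRYPT = SAMPLE_MAY.replace("security_level=may", "security_level=encrypt")

if __name__ == "__main__":
    for label, cf in (("may", SAMPLE_MAY), ("encrypt", SAMPLE_ENCRYPT)):
        print(label, lint_submission(cf) or ["ok"])
```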
AWS security group:
Make sure port 587 is listening: netstat -ltn | grep 587
Open port 587 in the security group.

Add rio@riowing.net to the Gmail account so that it appears as an option in the From field.
This is straightforward; just enter the SMTP domain name, user name and password.

Notes:
Sending email by telnet to port 587 with "AUTH LOGIN" and the base64-encoded user name and password also works.
Reference: https://jichu4n.com/posts/custom-domain-e-mails-with-postfix-and-gmail-the-missing-tutorial/amp/


Customized email address


Goal: set up me@riowing.net and forward it to RioCnC@gmail.com.
Done by the MTA, Postfix.

Steps:
DNS: point the MX record for riowing.net at the host riowing.net.
OS: the user rio must exist, since me@riowing.net is an alias of rio@riowing.net.
Email server: AWS EC2 instance named riowing.net, Ubuntu 18.
Install postfix: apt-get install postfix
Config:
vi /etc/postfix/main.cf
add this line: myhostname = riowing.net
virtual_alias_domains is not involved here, since there is no virtual domain.
vi /etc/aliases
add this line: me: rio
run this: sudo postmap /etc/postfix/virtual
create this file: sudo vi /etc/postfix/virtual
add this line: rio@riowing.net RioCnC@gmail.com
run this: sudo newaliases
Check status:
# service postfix status
# netstat -ltnp | grep 25
AWS:
Contact AWS support to unblock outgoing port 25, which is blocked by default.
Open incoming port 25 in the security group.
Notes: IMAP and POP3 are not configured, since emails are forwarded to Gmail.
Debugging:
Telnet to port 25 and watch the responses to commands such as "RCPT TO".
Log files: /var/log/mail.log and /var/log/mail.err
Restart the server: sudo service postfix restart (or reload)
