Free wildcard cert manually

Let's Encrypt has issued wildcard certificates since its ACME v2 endpoint went live, and certbot 0.22 is the first release that can request them. Compared with a normal single-name request, three things change:
1. certbot 0.22 or newer is needed (Ubuntu 18). Ubuntu 14 can only install certbot 0.14.2, which cannot request a wildcard cert.
2. Wildcard names are only validated through the DNS-01 challenge, so besides the CSR a DNS TXT record has to be created for the domain.
3. The ACME server endpoint changes from acme-v01 to acme-v02. The whole command therefore becomes:
/usr/bin/certbot certonly --authenticator manual --server  --text --email  --csr riowingNet.csr --logs-dir . --config-dir . --work-dir .
(--logs-dir, --config-dir and --work-dir pointing at . keep certbot's state and logs in the current directory instead of the root-owned /etc/letsencrypt and /var/log/letsencrypt.)

Details on DNS verification:
Taking Google Domains as an example.
DNS TXT record name: the one certbot prints (for DNS-01 it is the _acme-challenge label under the name being validated).
DNS TXT record value comes from the challenge: a 43-character base64url string, the SHA-256 of the key authorization (challenge token plus account-key thumbprint).
Propagation took over one hour in my case.
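Where that TXT value comes from, as an added example that is not part of the page: the same computation an ACME client such as certbot performs, done in shell with openssl. The JWK members, the token and the resulting values are constructed samples, not a real account key.

```shell
#!/bin/sh
# Added example, not from the page: compute the DNS-01 TXT value the way an ACME client does.
# JWK members and the token below are constructed samples, not a real account key.

# base64url without padding (RFC 4648 section 5) of the SHA-256 of stdin
b64url_sha256() {
  openssl dgst -sha256 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 thumbprint of an RSA JWK: only the required members "e", "kty", "n" are hashed,
# in lexicographic order, with no whitespace; alg, kid and use are ignored.
# $1 = e, $2 = n, both base64url exactly as they appear in the JWK
rsa_jwk_thumbprint() {
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" | b64url_sha256
}

# The key authorization is "<token>.<thumbprint>" (RFC 8555 section 8.1); the TXT record
# value is its SHA-256, base64url encoded (section 8.4), hence always 43 characters.
# $1 = challenge token from the ACME server, $2 = account key thumbprint
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | b64url_sha256
}

# Constructed sample inputs (shortened; not a real key or token)
sample_e="AQAB"
sample_n="0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z"
sample_token="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

thumb=$(rsa_jwk_thumbprint "$sample_e" "$sample_n")
txt=$(dns01_txt_value "$sample_token" "$thumb")
echo "account key thumbprint: $thumb"
echo "_acme-challenge TXT value: $txt (${#txt} chars)"
```

The thumbprint is fixed per account key, so once the account exists only the token changes between challenges; the TXT value is a hash, so it reveals nothing about the key, which is why it is safe to publish in DNS.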
To verify:
openssl verify -verbose -CAfile <(cat 0000_chain.pem root.crt) riowingChainCertbot.crt
output: riowingChainCertbot.crt: OK
where 0000_chain.pem is the intermediate certificate that sits between riowingChainCertbot.crt and the root. The <( ) process substitution is a bash feature. An equivalent that mirrors what a TLS client does is to give only root.crt to -CAfile and pass the intermediate with -untrusted, so the intermediate is chain material rather than a trust anchor.
To view (on Windows, with certutil.exe; -decode turns the PEM file into DER):
certutil.exe -decode riowingChainCertbot.crt riowingChainCertbot.bin
certutil.exe riowingChainCertbot.bin
Output includes: CN=* (the wildcard subject) and CN=Let's Encrypt Authority X3 (the issuing intermediate)
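The verification above, carried out against a throwaway chain so it can be run anywhere, as an added example that is not from the page. It builds root -> intermediate -> wildcard leaf with openssl (file names follow the page's 0000_chain.pem and root.crt; "Demo Root", "Demo Intermediate" and example.net are constructed), then runs the three checks that matter for a wildcard cert: the chain verifies with only the root as trust anchor, the wildcard matches one label and not two, and the leaf without 0000_chain.pem does not verify.

```shell
#!/bin/sh
# Added example, not from the page: build a throwaway root -> intermediate -> wildcard leaf
# chain and verify it the way a TLS client would. Names and example.net are constructed.
set -e

gen_chain() {
  # Self-signed root CA; extensions come from an explicit file so the system openssl.cnf
  # does not matter.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 -extfile root.ext -out root.crt 2>/dev/null

  # Intermediate signed by the root (pathlen:0: it may sign leaves only); plays 0000_chain.pem
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -sha256 -extfile int.ext -out 0000_chain.pem 2>/dev/null

  # Wildcard leaf; clients match on subjectAltName, not on the CN
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.net,DNS:example.net\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.net" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA 0000_chain.pem -CAkey int.key -CAcreateserial -days 90 -sha256 -extfile leaf.ext -out wildcard.crt 2>/dev/null
}

# Only root.crt is a trust anchor; the intermediate is supplied as untrusted chain material.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted 0000_chain.pem wildcard.crt >/dev/null 2>&1
}

# Same, plus the hostname check a browser performs. A wildcard covers exactly one label.
verify_for_host() {
  openssl verify -CAfile root.crt -untrusted 0000_chain.pem -verify_hostname "$1" wildcard.crt >/dev/null 2>&1
}

# Without the intermediate the leaf cannot be chained to the root: this is what a client
# sees when a server serves the bare leaf instead of leaf + chain.
verify_leaf_alone() {
  openssl verify -CAfile root.crt wildcard.crt >/dev/null 2>&1
}

cd "$(mktemp -d)"
gen_chain
if verify_chain; then echo "chain: OK"; else echo "chain: FAILED"; fi
for h in www.example.net example.net a.b.example.net; do
  if verify_for_host "$h"; then echo "$h: covered"; else echo "$h: not covered"; fi
done
if verify_leaf_alone; then echo "leaf alone: OK"; else echo "leaf alone: fails, serve the chain too"; fi
```

The last check is the one that bites in practice: browsers do not fetch missing intermediates reliably, so the web server must be given the leaf followed by 0000_chain.pem, not the leaf alone.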


Install web server nginx-1.9.15 supporting HTTP/2.
Finding out the HTTP version of  from a remote client (Windows/WSL):
curl: $ curl -sI --insecure -o /dev/null -w '%{http_version}\n'
output: 2
(--insecure skips certificate verification; once the Let's Encrypt cert is in place it is not needed, and leaving it out also checks that the chain is served correctly.)
External tool: type in the URL.
output: HTTP/2 protocol is supported (see attachment).
Browser: F12 to bring up the DevTools window; the Protocol column of the Network tab says h2.

Server side:
Build nginx from source, since ./configure does not enable the HTTP/2 module by default.
download source:
untar it and go to that folder.
$ ./configure --with-http_ssl_module --with-http_v2_module --add-module=../nginx-rtmp-module-master
I need nginx-rtmp for streaming
$ make
this builds the binary objs/nginx
edit nginx.conf so that the https server block has this line:
listen 443 ssl http2;
Minimum requirements are nginx 1.9.5 and TLS 1.2, which current Ubuntu releases meet. Browsers negotiate HTTP/2 through ALPN, which needs OpenSSL 1.0.2 or newer; with an older OpenSSL (Ubuntu 14's 1.0.1) the server still serves TLS but browsers fall back to HTTP/1.1. nginx -V shows both the configure arguments and the OpenSSL version the binary was built with.
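A complete HTTPS server block for the wildcard cert from the first section, as an added example that is not the page's own nginx.conf. The server_name values, the document root and the certificate and key paths are assumptions; ssl_certificate must hold the leaf followed by 0000_chain.pem, because nginx sends that file as the chain.

```nginx
# Plain HTTP only redirects; browsers negotiate HTTP/2 over TLS only
server {
    listen 80;
    server_name example.net *.example.net;      # assumed names covered by the wildcard cert
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.net *.example.net;

    # assumed paths: leaf + intermediate (0000_chain.pem) concatenated, and the CSR's key
    ssl_certificate     /etc/nginx/ssl/riowing-fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/riowingNet.key;

    # HTTP/2 requires TLS 1.2 (RFC 7540 section 9.2); TLSv1.3 can be added on
    # nginx 1.13+ built against OpenSSL 1.1.1+, nginx-1.9.15 rejects the token
    ssl_protocols TLSv1.2;
    # ECDHE + AEAD suites only: RFC 7540 Appendix A blacklists CBC and non-PFS suites and
    # Chrome refuses the connection (ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY) if one is chosen
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/html;                         # assumed document root
}
```

After editing, `nginx -t` validates the file and the curl check above should print 2 without --insecure.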


Email out through Gmail as  (the domain is a public-facing EC2 instance, over which I have full control).
When Gmail is asked to send mail as another address, it does not simply put that address in "MAIL FROM:" from its own servers, even though SMTP would allow it; instead it asks for an SMTP host to submit the mail through.
Gmail requires TLS and authentication on that host, which Postfix gets from Cyrus SASL.
SASL: Simple Authentication and Security Layer (RFC 4422).
Cyrus SASL is the library implementation used here.
Configure SASL:
Install: apt-get install sasl2-bin libsasl2-modules
Create credential: saslpasswd2 -c -u  smtp
This creates the user smtp in the given realm (-u, normally the mail domain) in /etc/sasldb2; enter the password when prompted. The postfix user must be able to read that file (on Debian/Ubuntu, add it to the sasl group), and if smtpd runs chrooted the file also has to be present under /var/spool/postfix/etc.
Tell Cyrus how to check the password by editing /etc/postfix/sasl/smtpd.conf with:
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
Both mechanisms send the password in the clear, which is why AUTH must only be offered inside TLS (see the submission settings below).
Create a self-signed certificate (the Let's Encrypt certificate from the first section would also do; for a self-signed one the key must be at least 2048 bits, since 1024-bit RSA is rejected by current TLS clients):
create keypair: openssl genrsa -des3 -out smtpRioWing.key 2048
create signing request: openssl req -new -key smtpRioWing.key -out smtpRioWing.csr
remove password (after renaming the encrypted key to smtpRioWing.key.orig): openssl rsa -in smtpRioWing.key.orig -out smtpRioWing.key
make cert: openssl x509 -req -days 3650 -in smtpRioWing.csr -signkey smtpRioWing.key -out smtpRioWing.crt
create .pem: cat smtpRioWing.crt smtpRioWing.key > smtpRioWing.pem
The -des3 passphrase is stripped again two steps later, so generating the key without -des3 avoids the rename and remove steps. The .pem contains the private key, so it must be owned by root with mode 0600.
Configure Postfix:
Edit /etc/postfix/ so that:
both smtpd_tls_cert_file and smtpd_tls_key_file point to /etc/postfix/smtpRioWing.pem

Edit /etc/postfix/ to enable the submission service; this opens up port 587 (the -o lines must be indented, as they continue the service entry):
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtpd_tls_security_level=encrypt is the stock value and the one to keep: relaxing it to may (which is what makes the plain-telnet test below possible) lets a client send the PLAIN/LOGIN password unencrypted, and Gmail uses TLS anyway. permit_sasl_authenticated,reject is what keeps the port from being an open relay.
sudo postfix reload
Make sure port 587 is listening: netstat -ltn | grep 587
Security group on AWS: open inbound port 587.

Add the address to the Gmail account (its "Send mail as" setting) so that it appears as one option in From.
This is straightforward; just enter the SMTP host name, user name and password, with TLS selected.

Sending mail by telnet to port 587 with "AUTH LOGIN" and the base64-encoded user name and password also works. Plain telnet can only authenticate while smtpd_tls_security_level is may; with encrypt, STARTTLS has to happen first, e.g. with openssl s_client -starttls smtp.
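The submission exchange the telnet test performs, as an added example that is not from the page, but done over STARTTLS with openssl s_client so it also works with smtpd_tls_security_level=encrypt. Host, user name, password and addresses are placeholders passed on the command line; the client.example.net HELO name is constructed.

```shell
#!/bin/sh
# Added example, not from the page: exercise the submission port the way Gmail will,
# i.e. STARTTLS first, then SASL PLAIN inside the TLS session, using only openssl s_client.
# Host name, credentials and addresses are placeholders given on the command line.

b64() { printf '%s' "$1" | openssl base64 -A; }

# AUTH PLAIN initial response: base64 of "<authzid>\0<authcid>\0<password>" (RFC 4616).
# The authorization identity is left empty, so the encoded string starts with a NUL byte.
auth_plain_token() {
  printf '\000%s\000%s' "$1" "$2" | openssl base64 -A
}

# AUTH LOGIN instead sends user name and password as two separate base64 lines.
auth_login_user() { b64 "$1"; }
auth_login_pass() { b64 "$1"; }

# Client side of the dialog after the TLS handshake. "-starttls smtp" makes s_client do
# the first EHLO and STARTTLS itself; RFC 3207 requires a fresh EHLO once TLS is up,
# and AUTH must only ever be sent at this point, never on the plaintext leg.
# $1 user, $2 password, $3 envelope sender, $4 recipient
submission_dialog() {
  printf 'EHLO client.example.net\r\n'
  printf 'AUTH PLAIN %s\r\n' "$(auth_plain_token "$1" "$2")"
  printf 'MAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n' "$3" "$4"
  printf 'Subject: submission test\r\n\r\nsent through port 587 with SASL\r\n.\r\nQUIT\r\n'
}

# usage: submission_test mail.example.net smtp secret me@example.net you@example.org
# Server replies are printed by s_client; a working setup answers AUTH with "235".
submission_test() {
  submission_dialog "$2" "$3" "$4" "$5" \
    | openssl s_client -quiet -starttls smtp -connect "$1:587" -servername "$1"
}

if [ "$#" -eq 5 ]; then submission_test "$@"; fi
```

If the AUTH line is answered with "503 5.5.4 Error: send HELO/EHLO first" the EHLO was lost; if it gets "535 5.7.8 Error: authentication failed", check that the postfix user can read /etc/sasldb2 and that the realm given to saslpasswd2 -u matches.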


Customized email address

Goal: set up  and forward it to
done by the MTA, postfix

Domain server: point the MX record to
OS: the local user rio must exist, since  is an alias of it
Email server: AWS EC2 named , Ubuntu18
Install postfix: apt-get install postfix
vi /etc/postfix/
add this line: myhostname =
virtual_alias_domains is not involved here since there is no virtual domain; the virtual map below still has to be referenced from the same file with virtual_alias_maps = hash:/etc/postfix/virtual, otherwise it is never consulted.
create this file: sudo vi /etc/postfix/virtual
add this line:
run this: sudo postmap /etc/postfix/virtual (rerun after every edit; postfix reads the generated .db, not the text file)
vi /etc/aliases
add this line: me: rio
run this: sudo newaliases
Check status:
# service postfix status
# netstat -ltnp | grep 25
Contact AWS support to unblock outgoing port 25, which is blocked by default.
Open incoming port 25 in the security group.
Notes: IMAP and POP3 are not configured since emails are forwarded to Gmail.
Telnet to port 25 and watch the response to commands such as "RCPT TO": a recipient outside the local domain must get "Relay access denied", otherwise the box is an open relay.
Log files: /var/log/mail.log and mail.err
Restart server: sudo service postfix restart or reload
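Reading the log for relay attempts, as an added example that is not part of the page: an awk summary of "Relay access denied" rejections per client IP in Postfix's smtpd log format, alongside a count of messages that were actually queued. The log lines are constructed samples; on the server, run relay_rejects on /var/log/mail.log.

```shell
#!/bin/sh
# Added example, not from the page: summarise "Relay access denied" rejections per client
# IP from a Postfix mail.log, the quickest check that the server is not an open relay and
# a view of who is probing it. The sample log lines are constructed.

# $1 = path of a mail.log. Prints "<count> <client-ip>" lines, highest count first.
relay_rejects() {
  awk '
    /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from / && /Relay access denied/ {
      # the client appears as "RCPT from name[1.2.3.4]:"; take what is between the brackets
      rest = substr($0, index($0, "RCPT from ") + 10)
      lb = index(rest, "["); rb = index(rest, "]")
      if (lb > 0 && rb > lb) count[substr(rest, lb + 1, rb - lb - 1)]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' "$1" | sort -rn
}

# $1 = path of a mail.log. Number of messages smtpd actually queued (got a queue ID).
accepted_messages() {
  grep -c 'postfix/smtpd\[[0-9]*\]: [0-9A-F]*: client=' "$1"
}

# Writes constructed sample lines in Postfix's smtpd format to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
Jun  1 10:00:01 mail postfix/smtpd[1201]: connect from unknown[203.0.113.5]
Jun  1 10:00:02 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.com> to=<victim@example.org> proto=ESMTP helo=<x>
Jun  1 10:00:03 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <other@example.org>: Relay access denied; from=<spam@example.com> to=<other@example.org> proto=ESMTP helo=<x>
Jun  1 10:00:04 mail postfix/smtpd[1201]: disconnect from unknown[203.0.113.5]
Jun  1 10:05:00 mail postfix/smtpd[1210]: connect from mail-a.example.com[198.51.100.7]
Jun  1 10:05:01 mail postfix/smtpd[1210]: 3F2A1C0B: client=mail-a.example.com[198.51.100.7]
Jun  1 10:05:01 mail postfix/cleanup[1211]: 3F2A1C0B: message-id=<1@example.com>
Jun  1 10:05:02 mail postfix/smtpd[1210]: disconnect from mail-a.example.com[198.51.100.7]
Jun  1 10:09:00 mail postfix/smtpd[1222]: NOQUEUE: reject: RCPT from scanner.example[192.0.2.9]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@b.example> to=<x@example.org> proto=SMTP helo=<scanner>
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
relay_rejects "$sample"
echo "queued messages: $(accepted_messages "$sample")"
rm -f "$sample"
```

Rejections from a handful of addresses are normal background noise once port 25 is open; what should never appear is a queue ID followed by a relay= line to a domain that is neither the local one nor Gmail, which would mean the relay restrictions are not doing their job.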