dovecot at lists.killian.com
2015-Feb-17 03:10 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On 2015/2/16 16:28, Jochen Bern wrote:
> On 02/16/2015 04:23 PM, Reindl Harald wrote:
>>> "The CA file should contain the certificate(s) followed by the
>>> matching CRL(s). Note that the CRLs are required to exist. For a
>>> multi-level CA place the certificates in this order:
>>>
>>> Issuing CA cert
>>> Issuing CA CRL
>>> Intermediate CA cert
>>> Intermediate CA CRL
>>> Root CA cert
>>> Root CA CRL"
>>
>> that is how you can and should build your PEM files for *every* SSL
>                                                          ^^^^^^^
>> aware software
>
> NACK. I have set up CentOS 6 servers a little more than two years ago
> with that format used for dovecot and OpenVPN, including verification
> that the functionality was there. Last month we had a need to revoke a
> client's certs and it turned out that OpenVPN had silently stopped
> honoring the CRLs somewhere along the update path (dovecot still
> enforces them). I had to QuickFix the OpenVPN config from the above
> monolithic file over to a CApath
>
> https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#notes
>
> to successfully lock the disgraced client out.
>
> Regards,
> J. Bern

OpenVPN has --crl-verify that takes a file as well as a directory. I guess
what you're saying is that it accepts, but silently ignores, the CRLs if
they are put in the cert file.

It would be nicest if all the software wanted things configured the same
way. Personally I like the way Dovecot does it, but having things be
uniform would be even better. From my quick survey, a lot of the programs
(or at least their documentation) don't support CRLs at all.

Postfix wants multiple certificates specified by different .cf entries (it
appears not to support CRLs--at least they aren't mentioned in the
documentation):

  smtpd_tls_cert_file
  smtpd_tls_key_file
  smtpd_tls_dcert_file
  smtpd_tls_dkey_file
  smtpd_tls_eccert_file
  smtpd_tls_eckey_file
  smtpd_tls_CAfile

Apache 2.4 wants

  SSLCertificateFile
  SSLCertificateKeyFile

repeated multiple times for different cert types. Making it worse,
Apache 2.4.8 wants the whole cert chain in the above, but earlier versions
wanted SSLCertificateChainFile to have the non-leaf chain.

Courier IMAP SSL wants TLS_CERTFILE specifying a file containing both the
certificate and private key catenated.

OpenVPN wants

  ca          certificate chain used for signing.pem
  cert        certificate.pem
  key         privatekey.pem
  crl-verify  crl.pem

OpenLDAP appears similar to OpenVPN with (appears not to support CRLs):

  TLSCACertificatePath
  TLSCertificateFile
  TLSCertificateKeyFile

Racoon wants (appears not to support CRLs):

  certificate_type x509 certfile keyfile
  ca_type x509 ca.pem

But the man page doesn't talk about where the chain goes.

So it appears one should generate the following file formats to satisfy
all the software out there:

  1. cert standalone (OpenVPN, Racoon, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
  2. cert chain (Apache 2.4.8 and later)
  3. cert ca crl chain (Dovecot)
  4. ca chain (OpenVPN, Racoon?, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
  5. crl chain (OpenVPN)
  6. cert, key catenation (Courier IMAP)

Getting all these configured the same way isn't going to happen, so I
guess the next best thing would be a cookbook. Anyone know of one?

-Earl
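An added example, not from the thread or from Dovecot itself: it assembles the Dovecot CA-file layout quoted above (cert followed by its CRL, issuing level first) and lints an existing bundle for the failure mode the thread describes, CRLs that are missing or out of place. The PEM bodies are constructed placeholders; only the armor labels and their order are checked.

```python
import re

# PEM armor only; the base64 body is not parsed (this is a layout check).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)


def fake_pem(label: str, tag: str) -> str:
    """Constructed placeholder block; a real file carries base64 DER here."""
    return f"-----BEGIN {label}-----\n{tag}\n-----END {label}-----\n"


def build_ca_bundle(levels) -> str:
    """levels: [(ca_cert_pem, ca_crl_pem), ...] ordered issuing -> root.
    Returns the single-file layout Dovecot documents for its CA file."""
    return "".join(cert + crl for cert, crl in levels)


def lint_ca_bundle(bundle: str) -> list:
    """Return a list of layout problems; an empty list means it looks right."""
    types = [m.group(1) for m in PEM_BLOCK.finditer(bundle)]
    if not types:
        return ["no PEM blocks found"]
    problems = []
    for i, t in enumerate(types):
        if t not in ("CERTIFICATE", "X509 CRL"):
            problems.append(f"block {i}: unexpected {t!r} (no keys in the CA file)")
    n_cert, n_crl = types.count("CERTIFICATE"), types.count("X509 CRL")
    if n_crl < n_cert:
        problems.append(f"{n_cert} CA cert(s) but {n_crl} CRL(s): each CA level needs its CRL")
    # Each CA cert must be directly followed by its matching CRL.
    for i, t in enumerate(types):
        if t == "CERTIFICATE" and (i + 1 >= len(types) or types[i + 1] != "X509 CRL"):
            problems.append(f"block {i}: CERTIFICATE not followed by its X509 CRL")
    return problems


# Constructed three-level chain, issuing -> intermediate -> root.
ISSUING = (fake_pem("CERTIFICATE", "issuing-ca"), fake_pem("X509 CRL", "issuing-crl"))
INTERMEDIATE = (fake_pem("CERTIFICATE", "intermediate-ca"), fake_pem("X509 CRL", "intermediate-crl"))
ROOT = (fake_pem("CERTIFICATE", "root-ca"), fake_pem("X509 CRL", "root-crl"))

GOOD_BUNDLE = build_ca_bundle([ISSUING, INTERMEDIATE, ROOT])
# The common mistake: a CA chain with no CRLs at all (format 4 in the list above).
CERTS_ONLY = "".join(cert for cert, _ in (ISSUING, INTERMEDIATE, ROOT))

if __name__ == "__main__":
    print("dovecot layout:", lint_ca_bundle(GOOD_BUNDLE) or "ok")
    print("certs only:   ", lint_ca_bundle(CERTS_ONLY))
```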