Charles Marcus
2014-Apr-18 17:57 UTC
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Hi all,

Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...

Until now, we've been using self-signed certs with the following dovecot config:

ssl = required
ssl_cert = </etc/ssl/ourCerts/imap.pem
ssl_key = </etc/ssl/ourCerts/imap_key.pem

Now, I've created new keys/certs and the CSR, got the new certs from RapidSSL (and also downloaded their Intermediate bundle), saved everything per their instructions, which say to reference them as follows:

ssl = required
ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:

ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

Anyone else ever used RapidSSL certs? Does this look correct?

Thanks,

Charles
Oscar del Rio
2014-Apr-18 19:28 UTC
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18/04/2014 1:57 PM, Charles Marcus wrote:
> But my current config doesn't have the _file for the variable names,
> and the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

http://wiki2.dovecot.org/SSL/DovecotConfiguration

Note "Chained SSL certificates" section
Markus Schönhaber
2014-Apr-18 19:29 UTC
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
18.04.2014 19:57, Charles Marcus:
> Ok, been wanting to do this for a while, and after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following dovecot
> config:
>
> ssl = required
> ssl_cert = </etc/ssl/ourCerts/imap.pem
> ssl_key = </etc/ssl/ourCerts/imap_key.pem
>
> Now, I've created new keys/certs and the CSR, got the new certs from
> RapidSSL (and also downloaded their Intermediate bundle), saved
> everything per their instructions, which say to reference them as follows:
>
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> But my current config doesn't have the _file for the variable names, and
> the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> Anyone else ever used RapidSSL certs? Does this look correct?

Yes. No.

Aside from the missing indirection (use ... = </etc/... as you did before), the documentation indicates that ssl_ca is only used for client certificate verification and has nothing to do with the certificate chain of your server certificate. Instead, cat your new server certificate together with the CA certificates into one file and point ssl_cert to this file (see "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

--
Regards
mks
Alessandro Menti
2014-Apr-18 19:32 UTC
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On 18/04/2014 19:57, Charles Marcus wrote:
> Hi all,
>
> Ok, been wanting to do this for a while, and after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following dovecot
> config:
>
> ssl = required
> ssl_cert = </etc/ssl/ourCerts/imap.pem
> ssl_key = </etc/ssl/ourCerts/imap_key.pem
>
> Now, I've created new keys/certs and the CSR, got the new certs from
> RapidSSL (and also downloaded their Intermediate bundle), saved
> everything per their instructions, which say to reference them as follows:
>
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> But my current config doesn't have the _file for the variable names, and
> the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> Anyone else ever used RapidSSL certs? Does this look correct?

Hi Charles,

the RapidSSL documentation is wrong:

1) as you noted, you should use "ssl_cert" instead of "ssl_cert_file", and so on;
2) the file paths should be prefixed by "<", otherwise Dovecot will not read the files;
3) the "ssl_ca" setting is *not* used to make Dovecot reference intermediate certificates in the trust chain - it is used to specify trusted CAs in case you want to perform TLS client certificate authentication, which I suppose you do not want to do.

You should:

1) make a backup copy of /etc/ssl/ourNewCerts/mail.ourdomain.com.crt;
2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of the file, paste the contents of /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the certificate for mail.ourdomain.com and the intermediate RapidSSL certificate (in that order);
3) use the following settings:

ssl = required
ssl_cert = </etc/ssl/ourNewCerts/mail.ourdomain.com.crt
# where "mail.ourdomain.com.crt" contains the two certificates as
# explained above
ssl_key = </etc/ssl/ourNewCerts/mail.ourdomain.com.key

Hope this helps,
Alessandro Menti
Stephan von Krawczynski
2014-Apr-19 07:14 UTC
[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
On Fri, 18 Apr 2014 13:57:47 -0400 Charles Marcus <CMarcus at Media-Brokers.com> wrote:
> Hi all,
>
> Ok, been wanting to do this for a while, and after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...

Well, I guess one has to tell you that:

1) No certs, no matter if self-signed or not, would have saved you from heartbleed.
2) "real certs" issued from cert-dealers are no more safe than your self-signed was. In fact they add the risk of your cert-dealer being hacked and you don't know. _This has happened_ already for at least one cert-dealer. So there is no proof at all that it will not happen again and this time probably nobody will be informed, because the company is dead afterwards (just like diginotar). In fact the whole cert business is a big fake currently.
3) The whole SSL stuff can only be made secure by implementing methods to authorize self-signed certs yourself and the clients using it being able to check that. Every checking by external "authorities" is just an uncontrollable security hole.

--
Regards,
Stephan