wiki:mosh-x509

How are X.509 certificates and key files handled on MOSH servers?

MOSH servers are configured to provide apache, postfix and courier services on a single server.

All three programs rely on the same X.509 certificates and the same keys; however, each of them references those files in a different way.

All MOSH servers should have the following files:

  • /etc/ssl/HOST.mayfirst.org.crt: contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
  • /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the EE certificate, and any required intermediary certificates (in that order)

These files are all symlinks to the actual files in the /etc/letsencrypt/live hierarchy.

On a new MOSH server configured to use letsencrypt, puppet will generate all needed files and symlinks.
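The following script is an added example (not part of the MOSH wiki or its puppet code) that checks the layout described above on one host: that both files are symlinks into /etc/letsencrypt/live, that the .crt holds only certificates with the EE certificate first, that the .pem starts with the private key and then carries exactly the same certificates as the .crt, and that the .pem is not world-readable. It only parses PEM block boundaries; it does not verify signatures, so it complements rather than replaces an `openssl verify` run. The sample PEM contents embedded in it are constructed placeholders, not real keys or certificates.

```python
#!/usr/bin/env python3
"""Layout checker for the MOSH certificate files (added example).

Assumes the two paths listed on the wiki page:
  /etc/ssl/HOST.mayfirst.org.crt          (EE cert, then intermediates)
  /etc/ssl/private/HOST.mayfirst.org.pem  (key, EE cert, then intermediates)
"""
import os
import re
import stat
import sys

# Matches one PEM block and captures its label (e.g. CERTIFICATE) and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

LETSENCRYPT_LIVE = "/etc/letsencrypt/live"

# Constructed sample contents (not real keys or certificates): the bodies
# are placeholder base64 so the layout checks can be exercised offline.
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\nRUUtY2VydA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\naW50ZXI=\n-----END CERTIFICATE-----\n")
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\na2V5\n-----END PRIVATE KEY-----\n"
    + SAMPLE_CRT)


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK.finditer(text)]


def check_layout(crt_text, pem_text):
    """Return a list of problems with the block order the wiki prescribes.

    .crt: certificates only, EE certificate first, then intermediates.
    .pem: exactly one private key first, then the same certificates as .crt.
    """
    problems = []
    crt = pem_blocks(crt_text)
    pem = pem_blocks(pem_text)

    if not crt:
        problems.append(".crt contains no PEM certificate block")
    if any(label != "CERTIFICATE" for label, _ in crt):
        problems.append(".crt must contain only CERTIFICATE blocks (no key)")

    keys = [b for b in pem if b[0].endswith("PRIVATE KEY")]
    if not pem or not pem[0][0].endswith("PRIVATE KEY"):
        problems.append(".pem must start with the private key")
    elif len(keys) != 1:
        problems.append(".pem must contain exactly one private key")

    certs_in_pem = [b for b in pem if b[0] == "CERTIFICATE"]
    if certs_in_pem != crt:
        problems.append(
            ".pem certificates must match .crt (EE first, then intermediates)")
    return problems


def check_files(host):
    """Check the on-disk files for one host: symlinks, layout, permissions."""
    crt_path = f"/etc/ssl/{host}.crt"
    pem_path = f"/etc/ssl/private/{host}.pem"
    problems = []
    for path in (crt_path, pem_path):
        if not os.path.islink(path):
            problems.append(f"{path} is not a symlink")
        elif not os.path.realpath(path).startswith(LETSENCRYPT_LIVE + "/"):
            problems.append(f"{path} does not point into {LETSENCRYPT_LIVE}")
    try:
        with open(crt_path) as crt, open(pem_path) as pem:
            problems += check_layout(crt.read(), pem.read())
        # The .pem carries the private key, so "other" must not read it.
        if stat.S_IMODE(os.stat(pem_path).st_mode) & stat.S_IROTH:
            problems.append(f"{pem_path} is world-readable")
    except OSError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Usage: check_mosh_certs.py [HOST.mayfirst.org]; defaults to this host.
    found = check_files(sys.argv[1] if len(sys.argv) > 1 else os.uname().nodename)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it as root after a puppet run or a letsencrypt renewal; a non-zero exit means one of the three services would be handed a key or chain in the wrong order, or the key is exposed to other local users.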

Service configuration

  • courier: /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl:
    TLS_CERTFILE=/etc/ssl/private/HOST.mayfirst.org.pem
    
  • apache: /etc/apache2/sites-available/HOST.mayfirst.org.ssl:
    SSLCertificateFile /etc/ssl/HOST.mayfirst.org.crt
    SSLCertificateChainFile /etc/ssl/HOST.mayfirst.org.crt
    SSLCertificateKeyFile /etc/ssl/private/HOST.mayfirst.org.pem
    
  • postfix: /etc/postfix/main.cf:
    smtpd_tls_cert_file=/etc/ssl/HOST.mayfirst.org.crt
    smtpd_tls_key_file=/etc/ssl/private/HOST.mayfirst.org.pem
    
Last modified on Aug 15, 2016, 9:29:47 AM