Changes between Version 11 and Version 12 of mosh-x509

Aug 15, 2016, 9:29:47 AM (4 years ago)
Jamie McClelland



  • mosh-x509

    v11 v12  
    1111 * /etc/ssl/ contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
    1212 * /etc/ssl/private/ contains the key file, the EE certificate, and any required intermediary certificates (in that order)
    13  * /etc/ssl/ certificate signing request (CSR), used to request a new certificate when the existing one expires
     14These files are all symlinks to the actual files in the /etc/letsencrypt/live hierarchy.
    15 On a new server, puppet will generate a 2048-bit RSA key as /etc/ssl/private/ and /etc/ssl/ In addition /etc/ssl/ is created as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/ is a symlink to /etc/ssl/private/ssl-cert-snakeoil.key. These symlinks are created to ensure that services that rely on them are properly started.
     16On a new MOSH server [wiki:configure-mosh-x509 configured to use letsencrypt], puppet will generate all needed files and symlinks
    17 A sysadmin is required to submit the CSR to a [wiki:ordering-cartel-x509-certificates company that provides x509 certs]. Once the sysadmin has the certificate, s/he should replace the symlinked files with the appropriate files:
    18  * replace the /etc/ssl/ symlink with a file containing the actual certificate and any intermediary certificates
    19  * delete the /etc/ssl/private/ symlink
    20  * move /etc/ssl/private/ to /etc/ssl/private/
    21  * append both the certificate and any intermediary certificates to /etc/ssl/private/
    22  * restart apache2, postfix, courier-imap-ssl and courier-pop-ssl
    24 If, for some reason, the MOSH server is using a common name other than (e.g. is used instead of, then the files should be named after the common name ( and should be a symlink to the actual file. This naming convention helps us easily identify what common name the certificates should be presenting.
    2619= Service configuration =