[[TranslatedPages]]
[[PageOutline]]

= How are X.509 certificates and key files handled on MOSH servers? =

[wiki:MOSH MOSH servers] are configured to provide apache, postfix and courier services on a single server. All three programs rely on the same X.509 certificates and the same keys; however, each references these keys in a different way.

All MOSH servers should have the following files:

 * /etc/ssl/HOST.mayfirst.org.crt: contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
 * /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the EE certificate, and any required intermediary certificates (in that order)

These files are all symlinks to the actual files in the /etc/letsencrypt/live hierarchy. On a new MOSH server [wiki:configure-mosh-x509 configured to use letsencrypt], puppet will generate all needed files and symlinks.

= Service configuration =

 * courier: /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl:
{{{
TLS_CERTFILE=/etc/ssl/private/HOST.mayfirst.org.pem
}}}
 * apache: /etc/apache2/sites-available/HOST.mayfirst.org.ssl (Apache directives take a space, not an equals sign, between the directive and its value):
{{{
SSLCertificateFile /etc/ssl/HOST.mayfirst.org.crt
SSLCertificateChainFile /etc/ssl/HOST.mayfirst.org.crt
SSLCertificateKeyFile /etc/ssl/private/HOST.mayfirst.org.pem
}}}
 * postfix: /etc/postfix/main.cf:
{{{
smtpd_tls_cert_file=/etc/ssl/HOST.mayfirst.org.crt
smtpd_tls_key_file=/etc/ssl/private/HOST.mayfirst.org.pem
}}}
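Because the three services read the two bundles in a fixed block order (certificates only in the .crt; key, then EE cert, then intermediaries in the .pem), a mis-ordered bundle fails at service start or leaves a key where it does not belong. The following POSIX shell checks are an added example, not MOSH or puppet code: they inspect only PEM block headers, assume the symlinks point directly into /etc/letsencrypt/live as the page states, and `check_mosh_host` takes the HOST part of the filenames above.

```shell
#!/bin/sh
# Added example (not MOSH/puppet code): sanity-check the files this page lists.
# Only PEM block headers are inspected; the /etc/letsencrypt/live prefix is the page's.

# pem_kinds FILE: one token per PEM block, in file order:
# CERT for a certificate, KEY for a private key, OTHER for anything else.
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | awk '
        /^CERTIFICATE$/ { print "CERT"; next }
        /PRIVATE KEY$/  { print "KEY";  next }
                        { print "OTHER" }' | tr '\n' ' ' | sed 's/ $//'
}

# check_crt FILE: HOST.mayfirst.org.crt holds certificates only
# (EE cert first, then intermediaries) and never a private key.
check_crt() {
    kinds=$(pem_kinds "$1")
    [ -n "$kinds" ] || return 1
    case "$kinds" in *KEY*|*OTHER*) return 1 ;; esac
    return 0
}

# check_pem FILE: HOST.mayfirst.org.pem is exactly one private key,
# then the EE cert, then any intermediaries, in that order.
check_pem() {
    kinds=$(pem_kinds "$1")
    case "$kinds" in KEY\ CERT*) ;; *) return 1 ;; esac
    case "${kinds#KEY }" in *KEY*|*OTHER*) return 1 ;; esac
    return 0
}

# check_private_perms FILE: the key bundle (symlink followed) is not world-readable.
check_private_perms() {
    [ -e "$1" ] && [ -z "$(find -L "$1" -prune -perm -004 2>/dev/null)" ]
}

# check_mosh_host HOST: run every check against the paths this page lists.
check_mosh_host() {
    crt=/etc/ssl/$1.mayfirst.org.crt; pem=/etc/ssl/private/$1.mayfirst.org.pem; rc=0
    for f in "$crt" "$pem"; do
        case "$(readlink "$f" 2>/dev/null)" in /etc/letsencrypt/live/*) ;;
            *) echo "$f: not a symlink into /etc/letsencrypt/live" >&2; rc=1 ;; esac
    done
    check_crt "$crt" || { echo "$crt: expected certificates only, EE first" >&2; rc=1; }
    check_pem "$pem" || { echo "$pem: expected key, EE cert, intermediaries" >&2; rc=1; }
    check_private_perms "$pem" || { echo "$pem: target is world-readable" >&2; rc=1; }
    return $rc
}
```

Run `check_mosh_host HOST` on a server after puppet has run; a non-zero exit with the messages on stderr points at the bundle or symlink that does not match the layout above.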