Hi all,
Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...
Until now, we've been using self-signed certs with the following dovecot config:
ssl = required
ssl_cert =
Now, I've created new keys/certs and the CSR, got the new certs from RapidSSL (and also downloaded their Intermediate bundle), saved everything per their instructions, which say to reference them as follows:
ssl = required
ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:
ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
Anyone else ever used RapidSSL certs? Does this look correct?

Hi Charles,
On 18/04/2014 19:57, Charles Marcus wrote:
the RapidSSL documentation is wrong:
- as you noted, you should use "ssl_cert" instead of "ssl_cert_file", and so on;
- the file paths should be prefixed by "<", otherwise Dovecot will not read the files;
- the "ssl_ca" setting is *not* used to make Dovecot reference intermediate certificates in the trust chain - it is used to specify trusted CAs in case you want to perform TLS client certificate authentication, which I suppose you do not want to do.
You should:
- make a backup copy of /etc/ssl/ourNewCerts/mail.ourdomain.com.crt;
- open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of the file, paste the contents of /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end, /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the certificate for mail.ourdomain.com and the intermediate RapidSSL certificate (in that order);
- use the following settings:
ssl = required
ssl_cert =
# where "mail.ourdomain.com.crt" contains the two certificates as
# explained above
ssl_key =
Hope this helps,
Alessandro Menti
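
The three problems the reply lists (the "_file" setting names, file paths without the "<" prefix, and ssl_ca used for the intermediate) can be checked mechanically before reloading Dovecot. The script below is an added example, not part of the thread and not Dovecot or RapidSSL code; the function name lint_dovecot_ssl, the finding labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint Dovecot SSL settings for the three mistakes named in the reply.
# Prints one finding per line; returns 0 only when there are none.
lint_dovecot_ssl() {
    conf=$1; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        val=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case $key in
        ssl_cert_file|ssl_key_file|ssl_ca_file)   # names from the vendor instructions
            echo "BAD_NAME $key: Dovecot expects ${key%_file}"; n=$((n+1)) ;;
        ssl_ca)   # trusted CAs for client-certificate auth, not the server chain
            echo "SSL_CA ssl_ca does not add intermediates to the served chain"; n=$((n+1)) ;;
        ssl_cert|ssl_key)
            case $val in
            '<'*)
                path=${val#?}
                if [ "$key" = ssl_cert ]; then
                    # leaf + intermediate means at least two PEM blocks in the file
                    c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
                    [ "${c:-0}" -ge 2 ] || { echo "NO_CHAIN $path: fewer than 2 certificates"; n=$((n+1)); }
                fi ;;
            *)  echo "NO_PREFIX $key: value must start with '<' to be read from a file"; n=$((n+1)) ;;
            esac ;;
        esac
    done < "$conf"
    [ "$n" -eq 0 ]
}

# Constructed sample data (placeholder PEM bodies, not real certificates).
demo=$(mktemp -d)
pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
{ pem leaf-placeholder; pem intermediate-placeholder; } > "$demo/chained.crt"
pem leaf-placeholder > "$demo/leaf-only.crt"
printf 'ssl = required\nssl_cert = %s\nssl_key = %s\nssl_ca = %s\n' \
    "$demo/leaf-only.crt" "$demo/mail.key" "$demo/intermediate.crt" > "$demo/planned.conf"
printf 'ssl = required\nssl_cert = <%s\nssl_key = <%s\n' \
    "$demo/chained.crt" "$demo/mail.key" > "$demo/fixed.conf"

lint_dovecot_ssl "$demo/planned.conf" || echo "planned.conf: findings above"
lint_dovecot_ssl "$demo/fixed.conf" && echo "fixed.conf: clean"
```

The script only counts PEM blocks; it does not validate the certificates or confirm that the leaf comes first, so the chain a client actually receives is still worth inspecting after the reload.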