On 06/11/2012 08:28 AM, oni-neko@gmx.net wrote:
Good day!
I'm having trouble changing certificate/keys for my dovecot (version 1.2.9). When I set up the server (Ubuntu LTS 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped. As dovecot can supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.
Are both files identical, do they both contain the private key?
Why keep two copies of the same file? That's confusing. If you don't want to use separate files for the certificate and the private key then just concatenate them both in a single file, private key first, and make sure it's owned by root and readable by no one but root.
Then just point ssl_cert_file and ssl_key_file to the same file. That should be more clear and consistent.
Your file should look like this:
-----BEGIN PRIVATE KEY-----
....etc...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
....etc...
-----END CERTIFICATE-----
Followed by any intermediate CA certificates that might be necessary.
Some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem files; who/what uses the ssl-mail.key?
If there's no reference to this file in dovecot's configuration then dovecot isn't using it. Maybe someone else, e.g. postfix; maybe someone used to use it. Does it matter? It doesn't look like this is the source of your trouble.
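
The layout and ownership advice in the reply above can be checked mechanically. The following is an added example, not part of the original message or of dovecot; the function names and the expected_uid parameter are hypothetical, and the sample PEM bodies are constructed placeholders rather than real key material.

```python
import os
import re
import stat
import tempfile

# Matches PEM armor lines such as "-----BEGIN PRIVATE KEY-----".
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)


def pem_block_types(text):
    """Return the PEM block labels in the order they appear."""
    return PEM_BEGIN.findall(text)


def check_combined_pem(path, expected_uid=0):
    """Return a list of problems found in a combined key+cert file."""
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    # Any group/other permission bit exposes the private key.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants access beyond the owner")
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = pem_block_types(fh.read())
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif labels[0] != keys[0]:
        problems.append("private key is not the first block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    return problems


# Constructed sample: placeholder bodies, not real key material.
SAMPLE = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o600)
    # The demo passes the current uid only because it does not run as root.
    print(check_combined_pem(tmp.name, expected_uid=os.getuid()) or "OK")
    os.unlink(tmp.name)
```

On a real server, call check_combined_pem on the file that ssl_cert_file and ssl_key_file point to and leave expected_uid at its default of 0 (root).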