[Dovecot] question about changing certificate
Good day!
I'm having trouble changing certificate/keys for my dovecot (version 1.2.9). When I set up the server (ubuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped. As dovecot can supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.
Next I get from managesieve-login, pop3-login and imap-login the following log entries: Fatal: Can't load private key file /etc/ssl/private/dovecot.pem: Key is for a different cert than /etc/ssl/certs/dovecot.pem
Some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem files; who/what uses the ssl-mail.key?
I'm pretty sure I'm just overlooking something completely obvious, but what? =)
greetings silvia
--
NEU: FreePhone 3-fach-Flat mit kostenlosem Smartphone!
Jetzt informieren: http://mobile.1und1.de/?ac=OM.PW.PW003K20328T7073a
On 06/11/2012 08:28 AM, oni-neko@gmx.net wrote:
> Good day!
> I'm having trouble changing certificate/keys for my dovecot (version 1.2.9). When I set up the server (ubuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
> Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped. As dovecot can supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.
Are both files identical, do they both contain the private key?
Why keep two copies of the same file? That's confusing. If you don't want to use separate files for the certificate and the private key then just concatenate them both in a single file, private key first, and make sure it's owned by root and readable by no one but root.
Then just point ssl_cert_file and ssl_key_file to the same file. That should be more clear and consistent.
Your file should look like this:
-----BEGIN PRIVATE KEY-----
....etc...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
....etc...
-----END CERTIFICATE-----
Followed by any intermediate CA certificates that might be necessary.
> Some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem files; who/what uses the ssl-mail.key?
If there's no reference to this file in dovecot's configuration then dovecot isn't using it. Maybe someone else e.g. postfix, maybe someone used to use it.. does it matter? It doesn't look like this is the source of your trouble.
thank you for your answer!
-------- Original Message --------
Date: Mon, 11 Jun 2012 15:39:39 -0400
From: Gedalya <gedalya@gedalya.net>
To: dovecot@dovecot.org
Subject: Re: [Dovecot] question about changing certificate
> Are both files identical, do they both contain the private key?
umm, no, ok, I think I see at least part of the problem: I have only the certificate, but no key =/ durr, ok, that is way obvious as a problem.
next question: do I need the key to use the certificate or can I only use the certificate and leave the value of ssl_key_file empty?
thank you for answering my obviously quite, umm, uninformed questions =)
greetings silvia
On 06/13/2012 03:47 AM, oni-neko@gmx.net wrote:
> next question: do I need the key to use the certificate or can I only use the certificate and leave the value of ssl_key_file empty?
You certainly can't use the certificate without the key. And I guess dovecot needs ssl_key_file, unless it would be smart enough to figure it out for itself when you omit it. Either way, here is basically how it works. A certificate is not a secret, you in fact push it down to every connecting client. A certificate is something that identifies a server, and the private key is what makes it possible for you to demonstrate that you are the owner of the certificate. When a CA signs your certificate, you send them the public half of your key, and they make a certificate from it, and sign it, and that basically says: we were convinced that the entity that holds this key has a legitimate connection to this domain name. All that remains is for you to prove to the world that you are actually you = you are in possession of the private key. So, dovecot actually needs the key to do this mathematical magic every time a client connects.
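An added example, not code from the thread, covering both replies above: it checks that a private key really belongs to a certificate (the comparison behind Dovecot's "Key is for a different cert" error, and the key/certificate relationship explained in the last reply), and only then assembles the single combined PEM file in the order given earlier (private key first, then the certificate, then any intermediates) with mode 0600. It assumes the openssl command-line tool is installed; every path in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
# All file paths are placeholders chosen for this example.

# Returns 0 if KEY and CERT carry the same public key, 1 if they differ,
# 2 if either file cannot be parsed (e.g. the "key" file holds no private key,
# which is what happened in the thread when only the certificate was copied).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# build_combined_pem KEY CERT OUT [INTERMEDIATE...]
# Refuses to write anything unless the key matches the certificate.
build_combined_pem() {
    key=$1; cert=$2; out=$3; shift 3
    rc=0; key_matches_cert "$key" "$cert" || rc=$?
    case $rc in
        0) ;;
        2) echo "error: no private key in $key or no certificate in $cert" >&2; return 1 ;;
        *) echo "error: $key is not the private key for $cert" >&2; return 1 ;;
    esac
    # umask in a subshell: the new file is created 0600, caller's umask untouched
    (
        umask 077
        {
            cat "$key" "$cert"
            for ca in "$@"; do cat "$ca"; done   # intermediates, in chain order
        } > "$out"
    )
    # Then point both settings in dovecot.conf at the same file, e.g.
    #   ssl_cert_file = /etc/ssl/private/dovecot.pem
    #   ssl_key_file  = /etc/ssl/private/dovecot.pem
    echo "wrote $out ($(grep -c -- '-----BEGIN' "$out") PEM blocks)"
}

# Stand-alone use: sh thisfile.sh KEY CERT OUT [INTERMEDIATE...]
if [ $# -ge 3 ]; then
    build_combined_pem "$@"
fi
```

Run it as root so the resulting file is owned by root, as the reply recommends.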