[Dovecot] question about changing certificate
gedalya at gedalya.net
Mon Jun 11 22:39:39 EEST 2012
On 06/11/2012 08:28 AM, oni-neko at gmx.net wrote:
> Good day!
> I'm having trouble changing certificate/keys for my dovecot(version 1.2.9).
> When I set up the server (unbuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
> Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped.
> As dovecot can use supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.
Are both files identical, do they both contain the private key?
Why keep two copies of the same file? That's confusing. If you don't
want to use separate files for the certificate and the private key then
just concatenate them both in a single file, private key first, and make
sure it's owned by root and readable by no one but root.
Then just point ssl_cert_file and ssl_key_file to the same file. That
should be more clear and consistent.
Your file should look like this:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Followed by any intermediate CA certificates that might be necessary.
> some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem-files, who/what uses the ssl-mail.key?
If there's no reference to this file in dovecot's configuration then
dovecot isn't using it. Maybe someone else e.g. postfix, maybe someone
used to use it.. does it matter? It doesn't look like this is the source
of your trouble.
More information about the dovecot