[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Alessandro Menti alessandro.menti at hotmail.it
Fri Apr 18 19:32:29 UTC 2014


On 18/04/2014 19:57, Charles Marcus wrote:
> Hi all,
>
> Ok, been wanting to do this for a while, and I after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following dovecot
> config:
>
> ssl = required
> ssl_cert = </etc/ssl/ourCerts/imap.pem
> ssl_key = </etc/ssl/ourCerts/imap_key.pem
>
> Now, I've created new keys/certs and the CSR, got the new certs from
> RapidSSL (and also downloaded their Intermediate bundle), saved
> everything per their instructions, which say to reference them as follows:
>
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> But my current config doesn't have the _file for the variable names, and
> the wiki doesn't use them, so I'm planning on setting these to:
>
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
>
> Anyone else ever used RapidSSL certs? Does this look correct?
Hi Charles,
the RapidSSL documentation is wrong:
1) as you noted, you should use "ssl_cert" instead of "ssl_cert_file",
    and so on;
2) the file paths should be prefixed by "<", otherwise Dovecot will not
    read the files;
3) the "ssl_ca" setting is *not* used to make Dovecot reference
    intermediate certificates in the trust chain - it is used to specify
    trusted CAs in case you want to perform TLS client certificate
    authentication, which I suppose you do not want to do.

You should:
1) make a backup copy of /etc/ssl/ourNewCerts/mail.ourdomain.com.crt;
2) open /etc/ssl/ourNewCerts/mail.ourdomain.com.crt and, at the end of
    the file, paste the contents of
    /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt; in the end,
    /etc/ssl/ourNewCerts/mail.ourdomain.com.crt should contain the
    certificate for mail.ourdomain.com and the intermediate RapidSSL
    certificate (in that order);
3) use the following settings:
ssl = required
ssl_cert = </etc/ssl/ourNewCerts/mail.ourdomain.com.crt
# where "mail.ourdomain.com.crt" contains the two certificates as
# explained above
ssl_key = </etc/ssl/ourNewCerts/mail.ourdomain.com.key

Hope this helps,
Alessandro Menti
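The procedure above (backup, append the intermediate after the server certificate, point Dovecot at the files with the "<" prefix), as an added example that is not part of the thread: a POSIX shell script that performs the concatenation and then checks with openssl that the first certificate still matches the private key, that the intermediate really issued it, and that no private key slipped into the certificate file. The paths in the comments are the ones from the thread and are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example, not from the Dovecot thread. Builds the chain file the way
# Alessandro describes and sanity-checks it before Dovecot is reloaded.
# Assumed inputs: /etc/ssl/ourNewCerts/mail.ourdomain.com.crt (server cert),
# /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt, mail.ourdomain.com.key.
set -eu

# build_chain LEAF INTERMEDIATE KEY
# Appends INTERMEDIATE to LEAF in place (keeping LEAF.bak), then verifies the
# result. Returns non-zero if anything looks wrong.
build_chain() {
    leaf=$1 inter=$2 key=$3
    cp -p "$leaf" "$leaf.bak"                                   # step 1: backup
    { cat "$leaf.bak"; printf '\n'; cat "$inter"; } > "$leaf"   # step 2: leaf, then intermediate

    # The first PEM block is what Dovecot presents as the server certificate,
    # so its public key must match the private key; a reversed order would
    # make every TLS handshake fail.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "ERROR: first certificate in $leaf does not match $key" >&2
        return 1
    fi
    # The intermediate must be the one that actually issued the server cert.
    issuer=$(openssl x509 -in "$leaf.bak" -noout -issuer | sed 's/^[^=]*=//')
    subject=$(openssl x509 -in "$inter" -noout -subject | sed 's/^[^=]*=//')
    if [ "$issuer" != "$subject" ]; then
        echo "ERROR: $inter did not issue $leaf.bak" >&2
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$leaf")
    if [ "$n" -ne 2 ]; then
        echo "ERROR: expected 2 certificates in $leaf, found $n" >&2
        return 1
    fi
    # Pasting a key into the certificate file is an easy slip when shuffling
    # PEM files around; refuse it rather than hand it to the server.
    if grep -q 'PRIVATE KEY' "$leaf"; then
        echo "ERROR: $leaf contains a private key" >&2
        return 1
    fi
}

# dovecot_ssl_conf CHAIN KEY: print the settings with the "<" prefix that
# tells Dovecot to read the file instead of using the string as the value.
dovecot_ssl_conf() {
    printf 'ssl = required\nssl_cert = <%s\nssl_key = <%s\n' "$1" "$2"
}
```

After the checks pass, run `doveconf -n | grep ssl` to confirm the settings took effect, then reload Dovecot.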
