/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Reindl Harald
h.reindl at thelounge.net
Mon Feb 16 15:23:37 UTC 2015
On 16.02.2015 at 15:53, dovecot at lists.killian.com wrote:
> Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
>
> "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
>
> Issuing CA cert
> Issuing CA CRL
> Intermediate CA cert
> Intermediate CA CRL
> Root CA cert
> Root CA CRL"
That is how you can and should build your PEM files for *every* SSL-aware
software; Apache and Postfix are happy with exactly that format.

I even go so far as to include the CDHE and DHE params there, which means
that in case of a recent httpd you can make DHE compatible with most clients
even if your RSA certificate is 4096 bit (read the hint about 2.4.7 or
later at
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if
you want to know why).

There is also no need to place those certs below /etc/dovecot at all, nor
to have them readable by anybody but root. We have our wildcard
certificate in a unique location synced to all servers offering SSL, and
again Dovecot, Postfix and Apache are happy to read the root-only
PEM files at startup and that's it.
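
An added example, not part of the original post: a Python check that a PEM bundle follows the cert-then-CRL order quoted from the Dovecot wiki, and that a PEM file holding a private key is not accessible to group or other. The function names and the sample blocks are constructed for illustration; only block order is checked, not whether each CRL was issued by the CA before it.

```python
import base64, os, re, stat

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Labels of all PEM blocks in file order, e.g. 'CERTIFICATE', 'X509 CRL'."""
    return PEM_RE.findall(text)

def ca_order_problems(text):
    """Check the quoted layout: every CA certificate is followed by a CRL.
    Only block order is checked; matching a CRL to its issuer needs an X.509
    parser. Other blocks (DH parameters, keys) are ignored here."""
    seq = [l for l in pem_labels(text) if l in ("CERTIFICATE", "X509 CRL")]
    problems = [] if seq else ["no certificate or CRL blocks found"]
    expected = "CERTIFICATE"
    for i, label in enumerate(seq):
        if label != expected:
            problems.append(f"block {i}: expected {expected}, found {label}")
        # Resynchronise on what was actually seen so one slip is reported once.
        expected = "X509 CRL" if label == "CERTIFICATE" else "CERTIFICATE"
    if seq and seq[-1] == "CERTIFICATE":
        problems.append("last CA certificate has no CRL after it")
    return problems

def key_mode_problems(path):
    """Flag a PEM file that holds a private key but is open to group/other."""
    with open(path) as fh:
        has_key = any(l.endswith("PRIVATE KEY") for l in pem_labels(fh.read()))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_key and mode & 0o077:
        return [f"{path}: private key in file with mode {mode:04o}"]
    return []

def block(label, note):
    """Build a constructed PEM block; the body is placeholder text, not DER."""
    body = base64.b64encode(note.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: two-level chain in the quoted order, plus DH parameters.
GOOD = (block("CERTIFICATE", "issuing CA cert") + block("X509 CRL", "issuing CA CRL")
        + block("CERTIFICATE", "root CA cert") + block("X509 CRL", "root CA CRL")
        + block("DH PARAMETERS", "dh params"))
# Constructed sample: the root CA's CRL is missing.
BAD = (block("CERTIFICATE", "issuing CA cert") + block("X509 CRL", "issuing CA CRL")
       + block("CERTIFICATE", "root CA cert"))

if __name__ == "__main__":
    print(ca_order_problems(GOOD))
    print(ca_order_problems(BAD))
```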