/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism

Reindl Harald h.reindl at thelounge.net
Mon Feb 16 15:23:37 UTC 2015


On 16.02.2015 at 15:53, dovecot at lists.killian.com wrote:
> Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
>
> "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
>
>      Issuing CA cert
>      Issuing CA CRL
>      Intermediate CA cert
>      Intermediate CA CRL
>      Root CA cert
>      Root CA CRL"

That is how you can and should build your PEM files for *every* SSL-aware 
piece of software; Apache and Postfix are happy with exactly that format.

I go even so far as to include the ECDHE and DHE params there, which means 
that with a recent httpd you can make DHE compatible with most clients 
even if your RSA certificate is 4096 bits (read the hint about 2.4.7 or 
later at 
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if 
you want to know why).

There is also no need to place those certs below /etc/dovecot at all, nor 
to have them readable by anybody but root; we have our wildcard 
certificate in a unique location synced to all servers offering SSL, and 
again Dovecot, Postfix and Apache are happy to read the root-only 
PEM files at startup, and that's it.
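As an added example (not from the thread or the Dovecot project), a small checker for the bundle layout quoted above: it parses the PEM labels, requires each CERTIFICATE to be immediately followed by an X509 CRL block, ignores appended DH/EC parameter blocks, and checks that the file is root-only; the sample bundle it builds uses placeholder bodies, not real certificates, and the "matching" of CRL to cert is not verified cryptographically.

```python
import os
import re
import stat
from typing import List

# One PEM block; the label (CERTIFICATE, X509 CRL, DH PARAMETERS, ...) is captured.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# Parameter blocks appended to the bundle (as the post does) are ignored by the pairing rule.
PARAM_LABELS = {"DH PARAMETERS", "EC PARAMETERS"}

def pem_labels(bundle: str) -> List[str]:
    """Labels of the PEM blocks in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def ca_bundle_problems(bundle: str) -> List[str]:
    """Wiki layout rule: every CERTIFICATE is immediately followed by its X509 CRL,
    pair after pair (issuing, intermediate, root). Empty list means acceptable."""
    labels = [l for l in pem_labels(bundle) if l not in PARAM_LABELS]
    if not labels:
        return ["no CERTIFICATE/CRL blocks found"]
    problems, i = [], 0
    while i < len(labels):
        if labels[i] != "CERTIFICATE":
            problems.append(f"block {i}: expected CERTIFICATE, found {labels[i]}")
            i += 1
        elif i + 1 == len(labels) or labels[i + 1] != "X509 CRL":
            problems.append(f"block {i}: CERTIFICATE not followed by an X509 CRL")
            i += 1
        else:
            i += 2
    return problems

def ownership_problems(mode: int, uid: int, expect_uid: int = 0) -> List[str]:
    """Root-only check on stat values: owned by expect_uid, no group/other bits."""
    problems = []
    if uid != expect_uid:
        problems.append(f"owned by uid {uid}, expected {expect_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set: {stat.filemode(mode)}")
    return problems

def check_pem_file(path: str) -> List[str]:
    """Both checks for a PEM bundle on disk, e.g. /etc/ssl/certs/dovecot.pem."""
    st = os.stat(path)
    with open(path) as f:
        return ca_bundle_problems(f.read()) + ownership_problems(st.st_mode, st.st_uid)

def make_bundle(labels: List[str]) -> str:
    """Constructed sample bundle: bodies are placeholders, not real certificates."""
    return "\n".join(f"-----BEGIN {l}-----\nAAAAAAAA\n-----END {l}-----" for l in labels)
```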
