BigSmoke

Smokes your problems, coughs fresh air.

Tag: ssl

Generating an SSL CSR and key

May 10, 2012 /

To generate an SSL certificate signing request (CSR) with key you can do this:

openssl req -nodes -newkey rsa:2048 -keyout bla.key -out bla.csr

This syntax does not force you to supply a password, which is convenient.

If you generate a CSR for startcom, you don’t have to fill in any fields; only the public key from the CSR is used. For other vendors, the common name is important; the domain name must be entered there.

Installing a commercial SSL certificate in Zimbra

April 12, 2011 /

Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):

  • Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
  • Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
  • Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
  • ‘su – zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
  • A restart may not even be necessary. My monitoring already started alerting me about the recovery before hand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’

Old post:

I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.

  • Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
  • Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
  • Place server certificate in /tmp/ssl.crt.
  • Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
  • Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
  • Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start

Enabling authentication and SSL for Postfix on Debian

September 20, 2010 /

I used this document as main source. This blogpost is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

First make the sasl config file in /etc/postfix/sasl which says: 

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the ssl paramters in postfix (the following is deprecated. See aforementioned official postfix docs for good way): 

# According to official docs, this should be in one pem file.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# This should be smtp_tls_security_level = may, because use_tls is deprecated.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 
smtpd_tls_auth_only=yes

Then enable the three smtps lines in master.cf: 

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd: 

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.

Changing an apache virtual host to ssl

September 7, 2010 /

To change a virtual host in apache to ssl: 

#Redirect all normal traffic to the https site.
<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
</VirtualHost>
 
# This virtual host was *:80 first
<VirtualHost *:443>
   DocumentRoot /bla
   # If I don't specify this, nagios's check_ssl_cert doesn't work.
   ServerName www.joho.com
 
   # These lines were added to make it SSL
   SSLEngine on
   SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
   # if you have an official certificate, also add some of these:
   SSLCertificateChainFile /etc/ssl/certs/bla
 
   <Directory /bla>
      Order allow,deny
      Allow from all
      AllowOverride None
      Options -MultiViews FollowSymlinks Indexes
   </Directory>
 
</VirtualHost>

Generating key and certificate for courier-imap

September 4, 2010 /

To create a self-signed certificate for courier-imap: 

openssl req -new -x509 -days 3650 -nodes -out imapd.pem -keyout imapd.pem

This will create a pem file with key and certificate in it. When asked for the common-name, enter the FQDN.

Don’t forget to specify the maildir path correctly in the imapd-ssl config file, as well as some other config parameters that are duplicated for imapd-ssl.

source.

Copyleft: These days everything you can think of is copyrighted, patented, protected or otherwise made into someone's imaginary intellectual property. I have a lot of imagination but not enough to pretend that I have some divine right to share things with you without giving you the right to share it further. That would be childish. So, everything here is licensed under a Creative Commons Attribution-Noncommercial-Share Alike license. That means that you can bloody well do anything you like with my content as long as you tell that it's from me (or the respective author). Only if you want to make money from my content do you have to ask me permission first. (As if I could be bothered to sue.) Oh, and you can't redistribute your derivative content under more restrictive terms. Share the love.

Colophon: This weblog is powered by a WordPress installation running on PHP5 and MySQL, hosted by NearlyFreeSpeech.Net's outstanding FreeBSD hosting platform. The markup for this WP theme is my own and should usually validate as some sort of XHTML concoction. So should the CSS. I've actually blogged about this theme.

© 2022 BigSmoke

Theme by Anders NorenUp ↑