Use combined cert for postfix, dovecot, and znc

Fix CAcert usage in postfix and dovecot

roles/common/tasks/ssl.yml

@@ -7,5 +7,9 @@
 - name: Copy CA combined certificate into place
   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root
 
+- name: Create a combined version of the public cert with intermediate and root CAs
+  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
+    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
+
 - name: Enable Apache SSL module
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load

roles/ircbouncer/files/etc_ssl_znc-combined.pem

@@ -1,12 +0,0 @@
------BEGIN PRIVATE KEY-----
-TODO
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-TODO
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-TODO
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-TODO
------END CERTIFICATE-----

roles/ircbouncer/tasks/znc.yml

@@ -34,9 +34,6 @@
 - name: Copy znc init file into place
   copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
 
-- name: Copy znc combined SSL cert into place
-  copy: src=etc_ssl_znc-combined.pem dest=/etc/ssl/znc-combined.pem owner=znc group=znc
-
 # NOTE: you should probably just generate this using the directions above and then edit via the web panel
 #- name: Copy znc configuration file into place
 #  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc

roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2

@@ -14,7 +14,7 @@ LoadModule = lastseen
 MaxBufferSize = 500
 PidFile = /var/run/znc/znc.pid
 ProtectWebSessions = true
-SSLCertFile = /etc/ssl/znc-combined.pem
+SSLCertFile = /etc/ssl/certs/wildcard_combined.pem
 ServerThrottle = 30
 Skin = _default_
 StatusPrefix = *

roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf

@@ -9,7 +9,7 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/wildcard_public_cert.crt
+ssl_cert = </etc/ssl/certs/wildcard_combined.pem
 ssl_key = </etc/ssl/private/wildcard_private.key
 
 # If key file is password protected, give the password here. Alternatively
@@ -21,7 +21,7 @@ ssl_key = </etc/ssl/private/wildcard_private.key
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-ssl_ca = /etc/ssl/certs/wildcard_ca.pem
+#ssl_ca = /etc/ssl/ca.pem
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -38,9 +38,7 @@ unverified_recipient_reject_code = 554
 unverified_sender_reject_code = 554
  
 # TLS parameters
-smtp_tls_CAfile = /etc/ssl/certs/wildcard_ca.pem
-smtpd_tls_CAfile = /etc/ssl/certs/wildcard_ca.pem
-smtpd_tls_cert_file=/etc/ssl/certs/wildcard_public_cert.crt
+smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
 smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
 smtpd_use_tls=yes
 #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
@@ -50,6 +48,7 @@ smtp_tls_security_level = may
 smtp_tls_loglevel = 2
 smtpd_tls_received_header = yes
 smtp_tls_note_starttls_offer = yes
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth