浏览代码

Use combined cert for postfix, dovecot, and znc

Fix CAcert usage in postfix and dovecot
Luke Cyca 11 年前
父节点
当前提交
ca8a371320

+ 4
- 0
roles/common/tasks/ssl.yml 查看文件

@@ -7,5 +7,9 @@
7 7
 - name: Copy CA combined certificate into place
8 8
   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root
9 9
 
10
+- name: Create a combined version of the public cert with intermediate and root CAs
11
+  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
12
+    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
13
+
10 14
 - name: Enable Apache SSL module
11 15
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load

+ 0
- 12
roles/ircbouncer/files/etc_ssl_znc-combined.pem 查看文件

@@ -1,12 +0,0 @@
1
------BEGIN PRIVATE KEY-----
2
-TODO
3
------END PRIVATE KEY-----
4
------BEGIN CERTIFICATE-----
5
-TODO
6
------END CERTIFICATE-----
7
------BEGIN CERTIFICATE-----
8
-TODO
9
------END CERTIFICATE-----
10
------BEGIN CERTIFICATE-----
11
-TODO
12
------END CERTIFICATE-----

+ 0
- 3
roles/ircbouncer/tasks/znc.yml 查看文件

@@ -34,9 +34,6 @@
34 34
 - name: Copy znc init file into place
35 35
   copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755
36 36
 
37
-- name: Copy znc combined SSL cert into place
38
-  copy: src=etc_ssl_znc-combined.pem dest=/etc/ssl/znc-combined.pem owner=znc group=znc
39
-
40 37
 # NOTE: you should probably just generate this using the directions above and then edit via the web panel
41 38
 #- name: Copy znc configuration file into place
42 39
 #  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc

+ 1
- 1
roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2 查看文件

@@ -14,7 +14,7 @@ LoadModule = lastseen
14 14
 MaxBufferSize = 500
15 15
 PidFile = /var/run/znc/znc.pid
16 16
 ProtectWebSessions = true
17
-SSLCertFile = /etc/ssl/znc-combined.pem
17
+SSLCertFile = /etc/ssl/certs/wildcard_combined.pem
18 18
 ServerThrottle = 30
19 19
 Skin = _default_
20 20
 StatusPrefix = *

+ 2
- 2
roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf 查看文件

@@ -9,7 +9,7 @@ ssl = required
9 9
 # dropping root privileges, so keep the key file unreadable by anyone but
10 10
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
11 11
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
12
-ssl_cert = </etc/ssl/certs/wildcard_public_cert.crt
12
+ssl_cert = </etc/ssl/certs/wildcard_combined.pem
13 13
 ssl_key = </etc/ssl/private/wildcard_private.key
14 14
 
15 15
 # If key file is password protected, give the password here. Alternatively
@@ -21,7 +21,7 @@ ssl_key = </etc/ssl/private/wildcard_private.key
21 21
 # PEM encoded trusted certificate authority. Set this only if you intend to use
22 22
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
23 23
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
24
-ssl_ca = /etc/ssl/certs/wildcard_ca.pem
24
+#ssl_ca = /etc/ssl/ca.pem
25 25
 
26 26
 # Require that CRL check succeeds for client certificates.
27 27
 #ssl_require_crl = yes

+ 2
- 3
roles/mailserver/templates/etc_postfix_main.cf.j2 查看文件

@@ -38,9 +38,7 @@ unverified_recipient_reject_code = 554
38 38
 unverified_sender_reject_code = 554
39 39
  
40 40
 # TLS parameters
41
-smtp_tls_CAfile = /etc/ssl/certs/wildcard_ca.pem
42
-smtpd_tls_CAfile = /etc/ssl/certs/wildcard_ca.pem
43
-smtpd_tls_cert_file=/etc/ssl/certs/wildcard_public_cert.crt
41
+smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
44 42
 smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
45 43
 smtpd_use_tls=yes
46 44
 #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
@@ -50,6 +48,7 @@ smtp_tls_security_level = may
50 48
 smtp_tls_loglevel = 2
51 49
 smtpd_tls_received_header = yes
52 50
 smtp_tls_note_starttls_offer = yes
51
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
53 52
 
54 53
 smtpd_sasl_type = dovecot
55 54
 smtpd_sasl_path = private/auth

正在加载...
取消
保存