TLS setup for apache and postfix mail
1 TLS (Transport Layer Security)
It was formerly called SSL (Secure Sockets Layer). It uses public key cryptography. The latest version is TLS 1.3 (Aug 2018).
1.1 Overview
1.2 .pem .csr .key encodings and files
These extensions describe different ways of encoding and packaging Abstract Syntax Notation One (ASN.1) data, the format in which X.509 certificates are defined, in a machine-readable way.
1.2.1 .csr
Certificate Signing Request. These files are generated and then submitted to a certificate authority (CA) so the CA can sign them. .csr files are in PKCS#10 format, defined in RFC 2986. They contain the key details of the requested certificate, including subject, organization, province, etc., and of course the public key of the certificate to be signed.
Once the CA signs the .csr, it returns the result to the owner. That becomes the, now signed, public certificate. Notice that these public certificates do not contain the private key.
1.2.2 .pem
A container format, Privacy Enhanced Mail (PEM), defined in RFC 1422. This format is compatible with the X.509 authentication framework. .pem files may contain just the public certificate, or the entire certificate chain, including the public key, private key, and root certificates.
Note that PEM for secure mail was a failed effort, but the .pem format has survived in use with certificates.
1.2.3 .key
Usually a .pem formatted file containing just the private key of a specific certificate. The .key file type is merely a naming convention and not a standard.
For Apache the .key files are usually in the /etc/ssl/private directory. For nginx check out this nginx.com blog.
Private keys must be protected, so they must have permissions set to 600.
1.2.4 convert a .ppk key to a .pem key
puttygen mykey.ppk -O private-openssh -o mykey.pem
(The reverse direction, from an OpenSSH-format .pem key to a PuTTY .ppk, is puttygen mykey.pem -o mykey.ppk.) You may have to install puttygen first.
2 Certificate, Intermediate Certificates and Private Keys
Certificates are public keys that have been signed by a CA. They are usually in the .pem format. For example, 5cbe368af39baf50.pem, but once signed by the CA they get a .crt ending, or a cert ending, usually crt.
On RHEL servers they are usually in /etc/pki/tls/certs, but check the config file, /etc/pki/tls/openssl.cnf, for xxx to see if that location has been overridden.
/etc/pki/tls/5cbe368af39baf50.crt
/etc/pki/tls/gd_bundle-g2-g1.crt
/etc/pki/tls/ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
2.1 Public keys
As mentioned above, the public key is what is sent to the CA to be signed. The CA verifies the details of your public key and verifies that you have rights to it (could be by verifying an email with your private key, while they are talking to you over the phone). Once that is verified they will themselves sign your public key with their private key; anyone holding the CA's public key can check that signature. This signed public key is what becomes your server's or your domain's public certificate.
People can now trust your server, because your server's public key has been signed by this CA, which they can verify by checking the certificate authority's signature.
2.1.1 public key in /etc/pki/tls/certs
On CentOS / Almalinux you will find your public keys (aka certificates) here.
2.1.2 private key in /etc/pki/tls/private
On CentOS / Almalinux you will find your private keys here.
3 CA (Certificate Authority)
3.1 openssl.cnf config file
In the /etc/pki/tls/openssl.cnf
file there are some CA config lines:
####################################################################
[ ca ]
default_ca = CA_default            # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA                  # Where everything is kept
certs = $dir/certs                 # Where the issued certs are kept
crl_dir = $dir/crl                 # Where the issued crl are kept
database = $dir/index.txt          # database index file.
#unique_subject = no               # Set to 'no' to allow creation of
                                   # several certs with same subject.
new_certs_dir = $dir/newcerts      # default place for new certs.
certificate = $dir/cacert.pem      # The CA certificate
serial = $dir/serial               # The current serial number
crlnumber = $dir/crlnumber         # the current crl number
                                   # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                 # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert         # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default              # Subject Name options
cert_opt = ca_default              # Certificate field options
My host did NOT have a CA directory. Is that because I don't intend to be a CA?
3.1.1 TODO figure this out
3.2 CA root certs setup
You need to tell your server where the set of root certificates resides. These are the root CA certificates, and they should be listed in /etc/ssl/certs.
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs for non-RHEL systems), then you can use -CApath or -CAfile to specify the CA.
My Almalinux server has /etc/ssl/certs symlinked to /etc/pki/tls/certs. However, there is nothing else in /etc/ssl, including no openssl.cnf file. Rather, that was in /etc/pki/tls/openssl.cnf.
4 openssl commands
openssl command [command options] [command args]
openssl list <command group>
where command group is one of:
- standard-commands
- digest-commands
- cipher-commands
- cipher-algorithms
- digest-algorithms
- public-key-algorithms
There are also lots of sub-commands, such as openssl x509 (documented in the openssl-x509 man page).
4.1 Many sub-commands have their own config files
specified with the -config option. Check the OPENSSL_CONF environment variable to see which file is being used.
There are How-to Guides available on https://www.openssl.org/docs/ that I read. Also use man crypto, available on Linux.
Some useful commands dealing with certs are part of openssl. See man openssl for a complete list, but here are some of the most useful examples:
openssl command [command options] [command args]
5 openssl s_client (standard command)
The first set of commands are the s_client commands, which implement a generic SSL client. The client establishes a transparent connection to a remote server using SSL/TLS.
5.1 Check a certificate for a web server.
openssl s_client -connect zintis.net:443 -showcerts
Use the port that actually speaks TLS: port 80 serves plain HTTP, so openssl s_client -connect zintis.net:80 never completes a handshake. For protocols that upgrade an existing plaintext connection, such as SMTP on port 25, add -starttls smtp.
5.2 Test connectivity to an HTTPS service
openssl s_client -connect acme.server.com:443
openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect www.zintis.net:443 -brief
(The echo | closes the client's standard input, so s_client exits after the handshake instead of waiting for you to type.)
5.3 Piping two openssl commands
echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -dates
This takes the output of the -connect command and checks the x509 expiration dates. This is a common technique, where you use s_client to connect to a SSL/TLS server, download the cert, then analyze it with openssl x509 or other openssl commands.
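As an added example (Python, not part of the original notes): the notes use the openssl command line, and this script consumes what `openssl x509 -noout -dates` prints, so it runs offline on captured output. It turns the two timestamp lines into a status of expired, expiring or ok with a warning threshold, which is the check a monitoring job would run. The sample output is constructed from the validity dates of the zintis.net certificate dumped later in these notes; the file name cert_dates.py in the usage comment is assumed.

```python
"""Check certificate validity from `openssl x509 -noout -dates` output.

Added example (Python, not from the original notes): it parses the two
lines that openssl prints and reports whether the certificate is expired,
about to expire, or fine. It runs offline on text you captured, e.g.:

    echo | openssl s_client -connect host:443 2>/dev/null \\
         | openssl x509 -noout -dates | python3 cert_dates.py -
"""
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Union

# Constructed sample: the validity dates openssl printed for the zintis.net
# certificate shown later in these notes (section 8.6).
SAMPLE_DATES_OUTPUT = """\
notBefore=Apr 27 17:21:29 2021 GMT
notAfter=May 29 17:21:29 2022 GMT
"""

# openssl prints validity times like "May  9 07:00:00 2022 GMT" (day padded
# with a space); strptime's %d accepts the space-padded form.
OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_time(text: str) -> datetime:
    """Turn one openssl timestamp (always GMT) into an aware UTC datetime."""
    naive = datetime.strptime(text.strip(), OPENSSL_TIME_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def parse_dates(output: str) -> Dict[str, datetime]:
    """Return {'notBefore': ..., 'notAfter': ...} from -dates output.

    Raises ValueError when either field is missing, which is what you get
    when s_client failed and x509 had nothing to parse.
    """
    found: Dict[str, datetime] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            found[key.strip()] = parse_openssl_time(value)
    missing = {"notBefore", "notAfter"} - found.keys()
    if missing:
        raise ValueError(f"missing fields in openssl output: {sorted(missing)}")
    return found


def check_validity(output: str,
                   now: Optional[Union[datetime, str]] = None,
                   warn_days: int = 30) -> Dict[str, object]:
    """Classify the certificate as 'not-yet-valid', 'expired', 'expiring' or 'ok'.

    `now` may be an aware datetime, an ISO date string such as "2022-05-01"
    (taken as midnight UTC), or None for the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    dates = parse_dates(output)
    remaining = dates["notAfter"] - now
    if now < dates["notBefore"]:
        status = "not-yet-valid"
    elif remaining < timedelta(0):
        status = "expired"
    elif remaining < timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_remaining": remaining.days, **dates}


if __name__ == "__main__":
    # "-" reads captured openssl output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DATES_OUTPUT
    result = check_validity(text)
    print(f"{result['status']}: valid until {result['notAfter']:%Y-%m-%d %H:%M:%S} UTC "
          f"({result['days_remaining']} days remaining)")
```

The script deliberately fails loudly when a field is missing rather than reporting "ok": a broken pipeline (s_client could not connect, so x509 printed nothing) must not look like a healthy certificate.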
5.4 Force TLSv1 and DTLSv1
openssl s_client -connect acme.server.com:443 -tls1
openssl s_client -connect acme.server.com:443 -dtls1
These pin the handshake to TLS 1.0 and DTLS 1.0 respectively, both of which are deprecated; a server (or an openssl build) that has them disabled will refuse the connection, which is itself a useful check. -tls1_2 and -tls1_3 pin the current versions the same way.
5.5 Force a specific cipher
openssl s_client -connect acme.server.com:443 -cipher DHE-RSA-AES256-SHA
6 show version
openssl version -a
7 openssl genpkey (standard command)
7.1 Create/generate a public/private key pair
Generate two files: 1) a private-key file that will be used to generate a CSR and later, to secure and verify connections using my certificate, and 2) a Certificate Signing Request (CSR) file, that is used to order my SSL certificate from my CA, and later used by web clients to encrypt their messages that only I can decipher (because only I have my private key).
openssl req -new -newkey rsa:2048 -nodes -keyout acme.com.key -out acme.com.csr
openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr
(-nodes writes the private key without a passphrase, which is what a daemon needs in order to load it unattended.)
openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr
To create a self-signed PEM file:
openssl req -new -newkey rsa:2048 -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
From microfocus.com:
7.2 Create a Larger Diffie-Hellman Prime
By default openssl will generate a prime 1024 or 2048 bits in length. You can increase the length of the DH prime using this command:
openssl genpkey -genparam -algorithm DH -out dhparam4096 -pkeyopt dh_paramgen_prime_len:4096
Note that genpkey -genparam supersedes the older dhparam command.
Then you can add this to your nginx.conf file, in the server block:
ssl_dhparam /etc/pki/tls/certs/dhparam4096;
7.3 How to create a PEM file from existing certificate files that form a chain
Often you combine your certificate with the signing authority certificate and the root certificate. They should be in that order, i.e.:
- Primary certificate - www.zintis.net.crt
- Intermediate certificate - godaddy.com.crt
- Root certificate - TrustedRoot.crt
This can be done simply using cat one.crt two.crt three.crt >> bundled.crt (>> appends, so start from a fresh bundled.crt). The bundled.crt file should look something like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- (optional) Remove the password from the private key by following the steps listed below:
openssl rsa -in server.key -out nopassword.key
Note: Enter the pass phrase of the private key.
- Combine the private key, public certificate and any 3rd party intermediate certificate files:
cat nopassword.key > server.pem
cat server.crt >> server.pem
Note: Repeat this step as needed for third-party certificate chain files, bundles, etc.: cat intermediate.crt >> server.pem
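As an added example (Python, not part of the original notes or of any tool they mention): a checker for the two bundle layouts described above, bundled.crt (certificates only, leaf first) and server.pem (unencrypted private key first, then the chain). It splits the file into PEM blocks, classifies each one, recognises the legacy Proc-Type: 4,ENCRYPTED header that openssl genrsa -des3 writes, and reports what a daemon would choke on. It checks block types and order only; whether each certificate was really issued by the next one is what openssl verify is for. The sample bundles are constructed: their base64 bodies are placeholders, not real key material.

```python
"""Inspect a concatenated PEM bundle (bundled.crt or server.pem) and check
its layout before handing it to a daemon.

Added example (Python, not from the original notes). It checks block
types, order and encryption headers only; it does not verify that each
certificate was issued by the next one, which is what `openssl verify`
is for. The sample bundles are constructed: their base64 bodies are
placeholders that decode cleanly but are not real keys or certificates.
"""
import base64
import binascii
import re
from typing import List, NamedTuple

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


class PemBlock(NamedTuple):
    label: str        # e.g. "CERTIFICATE" or "RSA PRIVATE KEY"
    der: bytes        # decoded body
    encrypted: bool   # passphrase-protected private key


def split_pem(text: str) -> List[PemBlock]:
    """Return every PEM block in text, in file order.

    A block counts as encrypted when its label is ENCRYPTED PRIVATE KEY
    (PKCS#8) or it carries a 'Proc-Type: 4,ENCRYPTED' header (the legacy
    'RSA PRIVATE KEY' format that `openssl genrsa -des3` writes).
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        lines = m.group("body").splitlines()
        # Header lines contain ':'; base64 never does.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln.strip() for ln in lines if ":" not in ln)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            "ENCRYPTED" in h for h in headers)
        try:
            der = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        blocks.append(PemBlock(label, der, encrypted))
    return blocks


def check_cert_bundle(text: str) -> List[str]:
    """Rules for bundled.crt / coolexample.crt: certificates only, leaf first."""
    blocks = split_pem(text)
    problems = []
    if not blocks:
        problems.append("no PEM blocks found")
    for i, b in enumerate(blocks):
        if b.label in PRIVATE_KEY_LABELS:
            problems.append(f"block {i}: private key inside a certificate bundle; "
                            "this file is meant to be public")
        elif b.label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected block type {b.label}")
    if len(blocks) < 2:
        problems.append("bundle holds a single certificate; the intermediate "
                        "chain is missing")
    return problems


def check_server_pem(text: str) -> List[str]:
    """Rules for server.pem: unencrypted key first, then the certificate chain."""
    blocks = split_pem(text)
    problems = []
    keys = [i for i, b in enumerate(blocks) if b.label in PRIVATE_KEY_LABELS]
    certs = [i for i, b in enumerate(blocks) if b.label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != 0:
        problems.append("private key should be the first block")
    for i in keys:
        if blocks[i].encrypted:
            problems.append(f"block {i}: key is passphrase-protected; a daemon "
                            "cannot prompt for it at startup")
    if not certs:
        problems.append("no certificate follows the key")
    return problems


def _fake_block(label: str, headers: str = "") -> str:
    """Build a constructed PEM block whose body is just a placeholder."""
    body = base64.b64encode(f"placeholder {label}".encode()).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed samples (not real key material).
SAMPLE_BUNDLED_CRT = _fake_block("CERTIFICATE") * 3
SAMPLE_SERVER_PEM = _fake_block("RSA PRIVATE KEY") + _fake_block("CERTIFICATE") * 2
SAMPLE_ENCRYPTED_PEM = (_fake_block("RSA PRIVATE KEY",
                                    "Proc-Type: 4,ENCRYPTED\n"
                                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
                        + _fake_block("CERTIFICATE"))

if __name__ == "__main__":
    for name, text, check in [("bundled.crt", SAMPLE_BUNDLED_CRT, check_cert_bundle),
                              ("server.pem", SAMPLE_SERVER_PEM, check_server_pem),
                              ("server.pem (encrypted key)", SAMPLE_ENCRYPTED_PEM,
                               check_server_pem)]:
        print(name, [b.label for b in split_pem(text)], check(text) or "OK")
```

To run it on a real file, read the file into a string and call check_cert_bundle or check_server_pem on it; the private-key-in-bundle finding matters most, since a bundled.crt is typically copied around and served as public material.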
7.4 CA signs the CSR and returns a CRT file
7.5 This matches the private .key file
You should already have a private key from the openssl req command. chmod it to 400 as root, so that it is safe, and take a backup as well. Without your key the certificate is useless.
8 openssl x509 or rsa commands
Used to check out certificate files, whether x509 or rsa.
8.1 Check a certificate of a local file.
openssl x509 -in 4abe36dee147d6a4.crt -text -noout
8.2 Check a key
openssl rsa -in acme.com.key -check
8.3 One-liner to verify a certificate chain
Here is a one-liner to verify a certificate chain. -CApath nosuchdir points the directory lookup at a directory that does not exist, so only the certificates in ca.pem are trusted rather than the system store, and -x509_strict turns on strict RFC 5280 checks:
openssl verify -verbose -x509_strict -CAfile ca.pem -CApath nosuchdir cert_chain
8.4 Check a CSR
(You can verify the CSR and see the data filled in when it was generated.)
openssl req -text -in acme.com.csr -noout -verify
8.5 Print md5 checksums of certificate and key
openssl x509 -noout -modulus -in acme.com.crt | openssl md5
openssl rsa -noout -modulus -in acme.com.key | openssl md5
(The two digests match only when the key is the one the certificate was issued for.)
8.6 Check a pem local file:
openssl x509 -in email-ca-bundle.pem -text -noout
openssl x509 -in tls-ca-bundle.pem -text -noout
openssl x509 -in gd_bundle-g2-g1.crt -text -noout
These files were in /etc/pki/ca-trust/ and its subdirectories. (A bundle holds many certificates, but openssl x509 only decodes the first one in the file.)
Use the command openssl x509 -in 4abe36dee147d6a4.crt -text -noout:
zintis@zintis.net /etc/pki/tls/certs[1034]: $ openssl x509 -in 4abe36dee147d6a4.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5385802535271913124 (0x4abe36dee147d6a4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Apr 27 17:21:29 2021 GMT
            Not After : May 29 17:21:29 2022 GMT
        Subject: OU = Domain Control Validated, CN = zintis.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a9:3e:6a:26:5b:f3:eb:89:ed:f9:c7:c9:ee:48:
                    a0:62:bc:7a:bc:33:a4:2f:c3:74:e4:43:cf:37:6a:
                    52:c9:b0:66:e7:90:9c:a2:b1:3a:4b:13:1a:79:3b:
                    10:4c:d4:0e:e6:64:a5:20:8c:a6:18:a8:fb:ec:c2:
                    2a:4e:38:cd:43:dc:79:34:d0:01:40:b8:d9:2a:4f:
                    e5:a1:7f:9d:04:f0:79:22:e2:f2:2d:be:47:5b:29:
                    ff:2d:14:a4:db:a3:35:d1:de:08:40:d4:4a:03:e6:
                    0d:c9:ff:d4:fa:df:d0:7d:1a:f8:48:ee:4e:c5:90:
                    9e:43:c7:32:33:e5:6b:61:d3:87:b0:30:3f:e1:a2:
                    8f:24:f1:58:bc:d2:74:96:a8:8b:6c:0d:e9:2e:1f:
                    af:2f:36:70:a4:40:aa:ab:c3:d6:ca:b2:98:2c:d7:
                    5e:94:aa:99:0f:e7:80:9c:a3:45:e4:dc:21:20:49:
                    e8:c5:58:3b:c4:40:7f:bf:0f:0e:c7:f0:b4:52:5e:
                    7b:50:45:2c:0d:5b:ff:ff:d1:08:a1:8d:31:63:3e:
                    b3:ec:4c:12:76:aa:8a:c4:2a:a9:b6:1f:c2:67:4a:
                    ae:8d:5b:0c:24:3c:d4:af:b0:86:16:90:55:f3:da:
                    b3:00:79:0c:5f:dd:31:c2:ed:75:85:67:d6:9e:eb:
                    4e:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-2903.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Subject Alternative Name:
                DNS:zintis.net, DNS:www.zintis.net
            X509v3 Subject Key Identifier:
                F3:93:BD:51:40:11:25:73:C6:EA:6F:40:F3:AE:0C:B1:DA:8C:20:02
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Apr 27 17:21:30.636 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:55:A8:71:9A:2F:A1:36:90:FB:A7:32:C1:
                                14:E8:65:E9:F8:2A:24:EB:C2:2F:35:E9:61:35:E3:B6:
                                C2:35:CA:80:02:21:00:9C:D3:92:A8:FD:0F:E9:D5:28:
                                A5:DC:A6:88:D3:25:0E:0F:EC:91:B2:DB:16:88:20:DC:
                                F7:7A:61:75:9B:41:3C
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
                                E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02
                    Timestamp : Apr 27 17:21:30.672 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:B0:DD:1F:38:52:2D:E9:4B:CB:80:50:
                                ED:C0:B2:1A:81:C4:89:4A:5C:69:1D:29:39:95:3E:E9:
                                FC:9E:6D:CE:B1:02:21:00:D3:95:28:F9:A7:28:53:E5:
                                00:62:76:F2:DD:AF:75:F2:98:A6:F1:2B:C9:4A:55:B4:
                                FD:FE:25:A5:B1:6D:A9:F5
    Signature Algorithm: sha256WithRSAEncryption
         77:d7:88:94:30:ac:22:c4:3a:c2:6f:d8:c3:97:a6:64:45:4e:
         ee:7c:a8:c6:63:75:a5:d8:d2:2a:f0:de:ad:c7:86:8f:6a:d8:
         2e:50:df:e6:38:f8:b6:86:04:f2:4a:05:81:a5:1c:c7:39:79:
         95:81:e9:e2:8b:83:f4:dc:7f:06:a7:67:04:b0:3d:2a:9e:8d:
         f6:9b:59:01:ff:35:47:a9:98:13:4a:71:c1:59:bc:2d:61:2c:
         e3:80:ed:01:e1:02:3b:3c:cd:80:12:20:79:75:18:8c:c8:02:
         b0:aa:19:f8:9d:48:91:dd:d5:e6:c8:54:67:e6:59:a8:f0:d0:
         1a:99:a1:64:7c:8d:69:ca:33:87:73:1f:6d:07:c4:02:f9:21:
         18:74:33:f3:c4:58:ab:6b:b9:7d:28:54:e1:e0:f4:67:21:a8:
         50:e0:3b:4f:22:a7:63:3c:db:e8:77:dc:1f:09:c8:95:b9:09:
         e8:ba:18:eb:92:a3:9f:8e:55:38:85:c9:af:a5:d9:75:02:c6:
         a6:61:92:31:10:31:6d:b6:3a:88:01:a2:b8:5a:78:5e:9f:18:
         f4:1b:67:82:6f:01:5d:bc:01:4a:26:be:2d:32:37:50:e7:7a:
         44:90:db:60:c6:69:a1:eb:5b:9f:5b:0f:b9:27:76:80:e0:d0:
         ae:8a:a9:c1
8.7 Generate a Key pair
openssl genrsa -out acme.com.key 2048
This generates your private key in the current directory, in a file named "acme.com.key". It uses the RSA algorithm and generates a key of 2048 bits. It will be in .pem format.
9 Examples from OPS335 vms
These keys are on vm2, not on vm1!! Actually vm1, vm2, and vm3 each have their OWN keys configured. (or should anyway)
mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.zintis.ops.key 2048
chmod 600 vm2.zintis.ops.key
Now sign the key you just created to create a certificate? Or does this actually create the public key certificate from the private key only?
root@vm2 ~/postfix-keys [1008]$ openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr
Enter pass phrase for vm2.zintis.ops.key: zilaislakatinsMT Zilaislakatinsmt dodman
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:zintis.ops
Organizational Unit Name (eg, section) []:ops335
Common Name (eg, your name or your server's hostname) []:vm2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@vm2 ~/postfix-keys [1009]$
Now I have vm2.zintis.ops.key and vm2.zintis.ops.csr. We can now sign the CSR and output to a temporary .crt file:
root@vm2 ~/postfix-keys [1010]$ openssl x509 -req -days 365 -in vm2.zintis.ops.csr -signkey vm2.zintis.ops.key -out vm2.zintis.ops.crt
Signature ok
subject=C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
Getting Private key
Enter pass phrase for vm2.zintis.ops.key:
root@vm2 ~/postfix-keys [1011]$
Now we have three files: .key, .csr and .crt (the temporary one). Trying to create a version of my key that has a null password? It looks like it:
openssl rsa -in vm2.zintis.ops.key -out vm2.zintis.ops.key.nopass
Enter pass phrase for vm2.zintis.ops.key: zilaislakatinsMT
writing RSA key
root@vm2 ~/postfix-keys [1015]$
Now a fourth file, .key.nopass, which I will mv to replace the .key file from which this was created:
mv vm2.zintis.ops.key.nopass vm2.zintis.ops.key
Finally create a new key, "cakey.pem", and a "cacert.pem" that's good for 10 years:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a RSA private key
..................................................................................+++++
...........................................+++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: xxxxxxxxxxxxxxxxx   # this was a new password.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:zintis.ops
Organizational Unit Name (eg, section) []:OPS335
Common Name (eg, your name or your server's hostname) []:vm2
Email Address []:zintis@zintis.ops

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXX
An optional company name []:Seneca
Now protect the files, and copy them to the /etc/ssl directories. (Note that vm2.zintis.ops.crt was produced with openssl x509 -req -signkey, so it is self-signed with its own key and is not issued by cacert.pem; to have the CA certificate sign it instead, sign the CSR with -CA cacert.pem -CAkey cakey.pem -CAcreateserial in place of -signkey.)
chmod 600 vm2.zintis.ops.key cakey.pem
cp vm2.zintis.ops.key cakey.pem /etc/ssl/private
cp vm2.zintis.ops.crt cacert.pem /etc/ssl/certs
10 GoDaddy instructions to install certificates to nginx
From this link: ca.godaddy.com I got these instructions to install a certificate to my nginx server:
- Connect to your server via SSH.
- Create a directory to store the server key, certificate, and intermediate bundle.
sudo mkdir /etc/nginx/ssl
- Copy your private key which was created when you generated your CSR to the ssl folder
cp coolexample.key /etc/nginx/ssl
- SFTP to your server, and upload your SSL certificate and intermediate bundle to the /etc/nginx/ssl folder.
- Navigate to the SSL folder in SSH.
cd /etc/nginx/ssl
- Combine your SSL certificate and the intermediate bundle into one file using the concatenate command. Since your intermediate certificate and root certificate come in a bundle, you can use the following SSH command:
sudo cat f84e19a2f44c6386.crt gd_bundle-g2-g1.crt >> coolexample.crt
Note: The certificates have to be listed in this order with the concatenate command or the SSL will not work properly on your server.
- Open your NGINX config file for the domain you're installing the SSL certificate to.
sudo vim /etc/nginx/sites-available/coolexample.com
- Update the config file to use the SSL certificate.
server {
    listen 80;
    server_name coolexample.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name coolexample.com;
    ssl_certificate /etc/nginx/ssl/coolexample.crt;
    ssl_certificate_key /etc/nginx/ssl/coolexample.key;
    root /usr/share/nginx/coolexample.com/;
    index index.php index.html index.htm;
}
- Save the config file.
- Restart your NGINX server.
sudo service nginx restart
or better: sudo systemctl restart nginx
10.1 Similar instructions for apache TLS
From ca.godaddy.com again. This time for apache server.
11 Continuing with configuration of postfix:
add this to postfix main.cf file
# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.zintis.ops.key
# smtpd_tls_cert_file was /etc/pki/tls/certs/postfix.pem
smtpd_tls_cert_file = /etc/ssl/certs/vm2.zintis.ops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
shlib_directory = /usr/lib64/postfix
11.1 From another post:
Set your mail server settings, and set enable_installer to enable the setup wizard (this is for when your postfix and dovecot are all on the same server). Set enable_installer back to false once the wizard has run, otherwise the installer stays reachable.
#+BEGIN_SRC php
// /etc/webapps/roundcubemail/config/config.inc.php
$config['db_dsnw'] = 'mysql://roundcube:****@localhost/roundcubemail';
$config['default_host'] = 'tls://localhost'; // IMAP host
$config['smtp_server'] = 'tls://localhost';
$config['smtp_port'] = 587;
$config['des_key'] = 'someawesomelongsemirandomstring';
$config['enable_installer'] = true;
#+END_SRC
11.3 Files
From the above, it appears that my certificate (a.k.a. public key) is stored in
/etc/ssl/certs/vm2.zintis.ops.crt
And my private key is stored in :
/etc/ssl/private/vm2.zintis.ops.key
See also /usr/share/ca-certificates
12 With the above I was getting this error:
root@vm2 /etc/ssl/certs [1127]$
Aug 7 14:36:49 vm2 postfix/smtpd[2175]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 14:36:49 vm2 postfix/cleanup[2178]: 456AE4592B1: message-id=<20200807183649.456AE4592B1@vm2.zintis.ops>
Aug 7 14:36:49 vm2 postfix/qmgr[2171]: 456AE4592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug 7 14:36:49 vm2 postfix/smtpd[2175]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug 7 14:36:49 vm2 postfix/smtp[2180]: 456AE4592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.18, delays=0.03/0.02/0.11/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3CB3ECA2147)
Aug 7 14:36:49 vm2 postfix/qmgr[2171]: 456AE4592B1: removed
Aug 7 14:55:19 vm2 postfix/postfix-script[2232]: stopping the Postfix mail system
Aug 7 14:55:19 vm2 postfix/master[2169]: terminating on signal 15
Aug 7 14:55:19 vm2 postfix/postfix-script[2310]: starting the Postfix mail system
Aug 7 14:55:19 vm2 postfix/master[2312]: daemon started -- version 3.3.1, configuration /etc/postfix
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 14:56:01 vm2 postfix/cleanup[2323]: DE9404592B1: message-id=<20200807185601.DE9404592B1@vm2.zintis.ops>
Aug 7 14:56:01 vm2 postfix/qmgr[2314]: DE9404592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug 7 14:56:02 vm2 postfix/smtp[2325]: DE9404592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.2, delays=0.03/0.02/0.11/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D8574CA2147)
Aug 7 14:56:02 vm2 postfix/qmgr[2314]: DE9404592B1: removed
12.1 things I tried:
- openssl rsa -in /etc/ssl/private/vm2.zintis.ops.key -check -noout
This produced:
Enter pass phrase for /etc/ssl/private/vm2.zintis.ops.key:
RSA key ok
(The prompt itself is the diagnosis: the key in /etc/ssl/private is still passphrase-protected, and an unattended daemon such as smtpd cannot answer that prompt, which is the "bad password read" in the log above.)
- openssl x509 -in /etc/ssl/certs/vm2.zintis.ops.crt -text -noout
This produced:
openssl x509 -in /etc/ssl/certs/vm2.zintis.ops.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            26:02:d7:62:ab:1c:05:3f:80:21:da:0c:52:9a:e7:8c:f2:2f:d9:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
        Validity
            Not Before: Aug 7 17:37:49 2020 GMT
            Not After : Aug 7 17:37:49 2021 GMT
        Subject: C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:2a:20:b0:0c:06:61:54:0f:34:69:97:f7:04:
                    24:02:a9:c4:f7:ba:61:67:89:55:e4:a7:c7:09:47:
                    8d:1b:96:bd:06:05:cc:e1:2c:a8:3a:04:b9:53:59:
                    0a:ec:06:39:f6:72:ce:79:b6:7a:7c:a4:21:a2:ee:
                    e0:75:0c:c4:42:ee:c5:27:43:79:4e:63:a6:70:0d:
                    eb:12:96:40:73:2a:35:e0:ce:43:7c:a3:84:72:96:
                    11:e0:15:ca:1a:2c:52:2f:c8:40:d8:16:57:71:f2:
                    13:e3:d9:a4:a4:e7:45:8d:30:57:5d:70:a3:e8:34:
                    c1:92:7a:05:74:4d:8c:62:01:a0:5c:b0:b6:f6:45:
                    0f:06:4e:d8:75:7c:96:56:51:df:b0:05:3d:fd:0a:
                    21:d3:04:d4:90:1f:38:85:6b:48:c1:5a:de:7b:71:
                    2f:ca:48:9f:d8:b2:49:d3:28:8c:9c:73:fd:47:fd:
                    a9:9d:5c:80:94:fc:4e:87:a9:96:38:72:11:c9:9a:
                    a0:d4:01:96:32:c5:e6:9c:8d:cc:18:27:db:17:d6:
                    af:f9:46:10:a2:64:cf:02:54:05:4e:0f:e2:4d:3a:
                    f1:d4:0d:29:ea:a0:b3:2a:8e:81:13:c2:7d:e9:3a:
                    20:dd:17:3b:f4:22:d9:0f:9c:bb:c1:1b:37:f0:af:
                    6e:9f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         3f:7c:e4:b2:49:05:56:2c:6d:97:7b:34:6f:e6:89:af:f0:bc:
         7f:f7:f2:4d:ce:ec:5e:ea:81:cb:b5:38:f2:ae:37:fa:7c:1c:
         02:8e:d7:94:ff:f9:14:b3:46:13:36:32:be:8b:47:c9:fc:eb:
         4e:f8:5f:57:4d:02:10:88:d2:bf:41:0a:61:1e:20:ab:8c:1f:
         b2:a3:be:02:f0:db:16:c1:0b:14:b1:33:e1:72:98:77:dc:95:
         f5:bd:17:9b:66:f9:32:73:45:ef:84:16:09:cf:8e:0d:c1:76:
         ee:db:dd:d5:80:c2:13:b5:46:fa:43:4e:4c:d2:94:e7:a3:32:
         78:d7:2d:7d:eb:42:8f:7c:5d:85:bd:cf:e1:4a:c3:bd:26:0d:
         59:a1:55:06:1d:89:2e:2d:25:fa:03:5c:53:c7:75:5b:79:35:
         5b:8e:3a:5e:ce:93:50:ff:d7:b8:ac:d9:95:74:56:2f:b4:d8:
         c3:89:3b:03:fe:a4:c0:d6:d7:2b:1c:d7:43:b6:59:03:32:89:
         97:bb:e6:e1:a8:bf:d1:cb:1c:0a:47:2c:c1:ec:2f:f1:75:d9:
         27:d2:f5:7d:be:c3:3b:28:a4:c4:9d:ce:1d:9e:b7:47:01:81:
         98:ca:44:bd:5b:de:b3:a9:a8:1a:ad:59:af:6e:da:fd:19:d7:
         95:02:c3:fd
root@vm2 /etc/ssl/certs [1131]$
From StackOverflow: in order to check if the cert and key match, use this:
(openssl x509 -noout -modulus -in /etc/ssl/certs/vm2.zintis.ops.crt | openssl md5 ;\
 openssl rsa -noout -modulus -in /etc/ssl/private/vm2.zintis.ops.key | openssl md5) | uniq
If you get more than one identifier, then your key and cert don't match, and you need to create new ones. Mine did match.
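As an added example (Python, not part of the original notes or of Postfix): a small log scanner for the failure shown in section 12. It finds smtpd's "cannot get ... private key from file" warning, pairs it with the OpenSSL error lines that follow it to name the cause (here "bad password read", i.e. a passphrase-protected key), and counts clients whose STARTTLS attempt did not complete, which is the "starttls=0/1" in the disconnect summary. The sample log is constructed from the lines shown above; the mapping of OpenSSL error text to causes is an assumption you can extend.

```python
"""Spot the Postfix TLS key-load failure from the mail log.

Added example (Python, not from the original notes or from Postfix). It
scans maillog lines for smtpd's "cannot get ... private key" warning,
pairs it with the OpenSSL error lines that follow to name the cause, and
counts clients whose STARTTLS attempt did not complete. The sample log
is constructed from the lines shown in section 12 of these notes.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_MAILLOG = """\
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: connect from c8host.zintis.ops[192.168.111.1]
Aug 7 14:56:01 vm2 postfix/smtpd[2320]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
"""

KEY_FAILURE = re.compile(
    r'postfix/(?P<proc>\w+)\[\d+\]: warning: cannot (?:get|load) (?:RSA |DSA |EC )?'
    r'private key from file "(?P<path>[^"]+)"')
TLS_PROBLEM = re.compile(r'warning: TLS library problem: (?P<err>.*)$')
DISCONNECT = re.compile(r'disconnect from (?P<client>\S+) (?P<stats>.*)$')

# OpenSSL error text -> plain-language cause (constructed mapping; extend as needed).
CAUSES = [
    ("bad password read", "key file is passphrase-protected and nobody can type "
                          "the passphrase for a daemon"),
    ("no start line", "file is not a PEM private key (wrong file, DER format, "
                      "or a certificate instead of a key)"),
    ("Permission denied", "smtpd cannot read the key file (check owner and mode)"),
]


def find_key_load_failures(log: str) -> List[Dict[str, str]]:
    """Return one record per key-load failure with the most specific cause found."""
    failures: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = KEY_FAILURE.search(line)
        if m:
            failures.append({"process": m.group("proc"), "path": m.group("path"),
                             "cause": "unknown (see TLS library problem lines)"})
            continue
        t = TLS_PROBLEM.search(line)
        if t and failures:
            # The OpenSSL error lines follow the warning they explain.
            for needle, cause in CAUSES:
                if needle in t.group("err"):
                    failures[-1]["cause"] = cause
    return failures


def starttls_failures(log: str) -> Counter:
    """Count, per client, STARTTLS commands that did not end in a handshake.

    Postfix logs each command as name=ok/total when the two differ, so
    'starttls=0/1' means one STARTTLS command and zero completed handshakes.
    """
    counts: Counter = Counter()
    for line in log.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue
        for token in m.group("stats").split():
            name, _, value = token.partition("=")
            if name != "starttls":
                continue
            ok, _, total = value.partition("/")
            if total and int(ok) < int(total):
                counts[m.group("client")] += int(total) - int(ok)
    return counts


def diagnose(log: str) -> List[str]:
    """Human-readable findings for the log."""
    findings = []
    for f in find_key_load_failures(log):
        findings.append(f"{f['process']}: TLS disabled, could not load "
                        f"{f['path']}: {f['cause']}")
    for client, n in starttls_failures(log).items():
        findings.append(f"{client}: {n} STARTTLS attempt(s) failed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_MAILLOG):
        print(finding)
```

Feed it a real log with diagnose(open("/var/log/maillog").read()). The STARTTLS counter is worth keeping even after the key problem is fixed: a client that keeps failing STARTTLS against a working server is either misconfigured or being interfered with, and either is worth a look.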
12.2 From upcloud.com as of 2018
For Postfix, SMTP authentication requires enabling SMTP-AUTH.
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
And for main.cf (for postfix):
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
Note that the above can be entered in the main.cf config file rather than one at a time from the command line. (I think)
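As an added example (Python, not part of the original notes or of Postfix) covering the main.cf fragment in section 11 and the postconf -e settings just above: a linter that parses main.cf syntax (name = value, # comments, indented continuation lines), flags the old smtpd_use_tls / smtp_use_tls switches that the *_tls_security_level parameters replaced in Postfix 2.3, points out that with smtpd_tls_auth_only = no the AUTH command is also offered on plaintext sessions, and checks the key file for the three things that produced the failure in section 12: missing, world-readable, or passphrase-protected. The sample config and the two key files it creates in a temporary directory are constructed.

```python
"""Lint the TLS and SASL part of a Postfix main.cf before restarting Postfix.

Added example (Python, not from the original notes or from Postfix). It
parses the `name = value` lines that main.cf or `postconf -n` produce,
flags the obsolete smtp(d)_use_tls switches that the *_tls_security_level
parameters replaced, checks the SASL settings from section 12.2, and
checks that the key file exists, is not passphrase-protected and is mode
0600. The sample config and key files are constructed.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Constructed sample in the shape of the main.cf fragment from section 11,
# with the SASL settings from section 12.2 added.
SAMPLE_MAIN_CF = """\
# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.zintis.ops.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.zintis.ops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""

# Old on/off switches and the security-level parameter that replaced each
# (Postfix 2.3 and later).
OBSOLETE = {
    "smtpd_use_tls": "smtpd_tls_security_level",
    "smtpd_enforce_tls": "smtpd_tls_security_level",
    "smtp_use_tls": "smtp_tls_security_level",
    "smtp_enforce_tls": "smtp_tls_security_level",
}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf syntax: 'name = value', '#' comments, indented continuations."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a 'name = value' line: {raw!r}")
        last = name.strip()
        params[last] = value.strip()
    return params


def lint_tls_settings(params: Dict[str, str]) -> List[str]:
    """Return a list of problems (an empty list means nothing to fix)."""
    problems = []
    for old, new in OBSOLETE.items():
        if old in params and new not in params:
            problems.append(f"{old} is obsolete; use {new} = may (or encrypt) instead")
    tls_on = params.get("smtpd_tls_security_level", "none") != "none" \
        or params.get("smtpd_use_tls", "no") == "yes"
    if not tls_on:
        problems.append("server-side TLS is off: set smtpd_tls_security_level = may")
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        if "noanonymous" not in params.get("smtpd_sasl_security_options", ""):
            problems.append("smtpd_sasl_security_options should include noanonymous")
        if params.get("smtpd_tls_auth_only", "no") != "yes" \
                and params.get("smtpd_tls_security_level") != "encrypt":
            problems.append("AUTH is offered on plaintext sessions, so passwords can "
                            "travel in the clear: set smtpd_tls_auth_only = yes")
    return problems


def check_key_file(path: str) -> List[str]:
    """Catch the causes of 'cannot get RSA private key' before Postfix restarts."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: key file does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} lets group/others read the key; chmod 600")
    with open(path, "r", errors="replace") as fh:
        head = fh.read(4096)
    if "PRIVATE KEY-----" not in head:
        problems.append(f"{path}: does not look like a PEM private key")
    elif "ENCRYPTED" in head:
        problems.append(f"{path}: key is passphrase-protected; Postfix cannot "
                        "answer the prompt at startup")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the lint on the sample config and on two constructed key files."""
    results = {"config": lint_tls_settings(parse_main_cf(SAMPLE_MAIN_CF))}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.key")
        bad = os.path.join(tmp, "bad.key")
        with open(good, "w") as fh:   # unencrypted placeholder, mode 600
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(good, 0o600)
        with open(bad, "w") as fh:    # passphrase-protected placeholder, mode 644
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n"
                     "-----END RSA PRIVATE KEY-----\n")
        os.chmod(bad, 0o644)
        results["good_key"] = check_key_file(good)
        results["bad_key"] = check_key_file(bad)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Against a live system the same calls are lint_tls_settings(parse_main_cf(open("/etc/postfix/main.cf").read())) followed by check_key_file on the smtpd_tls_key_file value; run it before the restart so that TLS is not silently disabled the way the log in section 12 shows.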
13 Fix for ca-certificates dnf upgrade error
13.1 Error Symptoms for dnf upgrade -y
I tried running a dnf upgrade on my lab vms and got this error.
root@vm3~[1000] $ dnf upgrade -y
Last metadata expiration check: 6:08:52 ago on Thu 02 Dec 2021 11:27:22 AM EST.
Dependencies resolved.
=================================================================================
 Package              Architecture   Version                  Repository    Size
=================================================================================
Upgrading:
 ca-certificates      noarch         2021.2.50-80.0.el8_4     baseos       390 k

Transaction Summary
=================================================================================
Upgrade  1 Package

Total size: 390 k
Downloading Packages:
[SKIPPED] ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                           1/1
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
  Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
Error unpacking rpm package ca-certificates-2021.2.50-80.0.el8_4.noarch
  Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
  Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch               2/2

Failed:
  ca-certificates-2019.2.32-80.0.el8_1.noarch
  ca-certificates-2021.2.50-80.0.el8_4.noarch

Error: Transaction failed
Particularly, the ca-certificates upgrade failed. Same error message when trying to specifically upgrade ca-certificates:
sudo dnf upgrade ca-certificates
[sudo] password for zintis:
Last metadata expiration check: 0:59:07 ago on Thu 02 Dec 2021 11:42:14 AM EST.
Dependencies resolved.
=================================================================================
 Package              Architecture   Version                  Repository    Size
=================================================================================
Upgrading:
 ca-certificates      noarch         2021.2.50-80.0.el8_4     baseos       390 k

Transaction Summary
=================================================================================
Upgrade  1 Package

Total size: 390 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                           1/1
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
  Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
Error unpacking rpm package ca-certificates-2021.2.50-80.0.el8_4.noarch
  Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch               1/2
  Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch               2/2

Failed:
  ca-certificates-2019.2.32-80.0.el8_1.noarch
  ca-certificates-2021.2.50-80.0.el8_4.noarch

Error: Transaction failed
13.2 Where I found the fix
I found this article on access.redhat.com that worked verbatim for me. I ran this as root using sudo -i.
13.3 Step by step instructions for fix
- Move the existing certificate files that rpm considers changed or missing into a new backup directory, /root/cert.bak. rpm -Vv prints one line per file the package owns: a 9-character status field ("........." means the file verifies clean), an optional attribute letter (d marks documentation), then the path. The awk filter moves every file whose status is not clean and that is not a documentation file. Nothing is deleted, so you can inspect /root/cert.bak afterwards and restore anything that turns out to be site-specific:
cd /root
mkdir -p cert.bak
# move certificates into the backup directory just created.
rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}'
You should see output similar to this:
renamed '/etc/pki/ca-trust/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/ca-legacy.conf' -> '/root/cert.bak/ca-legacy.conf'
renamed '/etc/pki/ca-trust/extracted/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/edk2/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/java/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/openssl/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/pem/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/source/README' -> '/root/cert.bak/README'
renamed '/etc/ssl/certs' -> '/root/cert.bak/certs'
root@vm2~[1004] $
- Reinstall ca-certificates. The one-liner below first asks dnf whether an update is available (dnf check-update exits with status 100 when there is one); if so it runs update, otherwise it runs reinstall. Note the shell precedence: because of the trailing ||, a failed update also falls through to reinstall, which is harmless here. The (( )) test is bash syntax, so run this in bash; on RHEL 8 yum is an alias for dnf:
dnf check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates
You should see output similar to this:
Last metadata expiration check: 6:09:39 ago on Thu 02 Dec 2021 11:27:22 AM EST.
ca-certificates.noarch    2021.2.50-80.0.el8_4    baseos
Last metadata expiration check: 6:09:40 ago on Thu 02 Dec 2021 11:27:22 AM EST.
Dependencies resolved.
=================================================================================
 Package            Architecture   Version                 Repository     Size
=================================================================================
Upgrading:
 ca-certificates    noarch         2021.2.50-80.0.el8_4    baseos        390 k

Transaction Summary
=================================================================================
Upgrade  1 Package

Total download size: 390 k
Is this ok [y/N]: y
Downloading Packages:
ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm      1.5 MB/s | 390 kB     00:00
----------------------------------------------------------------------------------
Total                                                645 kB/s | 390 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch            1/2
  Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch            1/2
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch            1/2
  Cleanup          : ca-certificates-2019.2.32-80.0.el8_1.noarch            2/2
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch            2/2
  Running scriptlet: ca-certificates-2019.2.32-80.0.el8_1.noarch            2/2
  Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch            1/2
  Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch            2/2

Upgraded:
  ca-certificates-2021.2.50-80.0.el8_4.noarch

Complete!
- Check that only these two files are found in the directories /etc/pki/ca-trust/source and /etc/pki/ca-trust/source/anchors:
find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
You should see only these two files:
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/ca-trust/source/README
If you see other files, move them to the backup directory manually.
- Ensure that the /usr/share/pki/ca-trust-source/ directory and, by analogy with the previous step, its /usr/share/pki/ca-trust-source/anchors/ subdirectory together contain no more than the following two files:
/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
/usr/share/pki/ca-trust-source/README
- Update your certificate authority trust with this single command:
update-ca-trust extract
This command prints nothing on success, so confirm it ran without errors by checking its exit status. It rebuilds the consolidated bundles under /etc/pki/ca-trust/extracted/ from whatever is in the source directories, which is why the previous two steps insist that nothing unexpected be left there. You can read about it using
man update-ca-trust
- Run the
dnf upgrade -y
command again. This time it should work.
- If you moved any site-specific CA certificates (an internal or corporate root, for instance) out of /etc/pki/ca-trust/source/anchors in the earlier steps, copy them back from /root/cert.bak into anchors/ and run update-ca-trust again; otherwise clients on this host will no longer trust certificates issued by that CA.
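The two "only these files may be present" steps above, written as a reusable check. This is an added example, not code from the original notes or from the Red Hat article: it lists every non-directory entry directly inside a trust-source directory and its anchors/ subdirectory that is not on an allow-list, so leftovers are caught before update-ca-trust rebuilds the bundles. The demo at the bottom runs against a constructed copy of the layout in a temporary directory (with a made-up corp-root.crt as the stray file), so it needs no root and never touches the real directories.

```shell
#!/bin/sh
# Added example (not from the original notes or the Red Hat article): allow-list
# check for the ca-trust source directories used in the fix above.

# check_trust_dir DIR NAME... : print entries in DIR and DIR/anchors that are
# not among NAME..., return 1 if any were found, 0 if the tree is clean.
check_trust_dir() {
  dir=$1
  shift
  rc=0
  for f in "$dir"/* "$dir"/anchors/*; do
    # skip the literal pattern left behind when a glob matches nothing
    [ -e "$f" ] || [ -L "$f" ] || continue
    # directories themselves are fine (the anchors/ subdirectory, for one)
    [ -d "$f" ] && [ ! -L "$f" ] && continue
    name=${f##*/}
    ok=0
    for want in "$@"; do
      [ "$name" = "$want" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
      printf 'unexpected: %s\n' "$f"
      rc=1
    fi
  done
  return $rc
}

# Allow-lists from the two verification steps. Each takes an optional
# directory argument so the check can be pointed at a test copy.
check_etc_trust() {
  check_trust_dir "${1:-/etc/pki/ca-trust/source}" ca-bundle.legacy.crt README
}
check_usr_trust() {
  check_trust_dir "${1:-/usr/share/pki/ca-trust-source}" ca-bundle.trust.p11-kit README
}

# Demo against a constructed copy of the /etc/pki/ca-trust/source layout:
# a clean tree passes, then a leftover site CA dropped into anchors/ is flagged.
demo=$(mktemp -d)
mkdir -p "$demo/anchors"
: > "$demo/README"
: > "$demo/ca-bundle.legacy.crt"
check_etc_trust "$demo" && echo "clean tree: ok"
: > "$demo/anchors/corp-root.crt"     # constructed leftover file for the demo
check_etc_trust "$demo" || echo "leftover found: move it to /root/cert.bak before continuing"
rm -rf "$demo"
```

To run it against the live system, call check_etc_trust and check_usr_trust with no argument (as root, since /etc/pki/ca-trust/source/anchors is not world-readable on every install); a non-zero exit from either means the corresponding step is not yet satisfied.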
14 openssl summary
# look at the certs a remote server presents. Port 443 is TLS; port 80 is plain
# HTTP, so the first line gets no handshake (and no certs) unless the service
# speaks STARTTLS, in which case you need -starttls <proto>
openssl s_client -connect zintis.net:80 -showcerts
openssl s_client -connect zintis.net:443 -showcerts
# order of options does not matter so the next line does the same:
openssl s_client -showcerts -connect zintis.net:443
# test connectivity to an https server; piping in echo makes s_client exit
# instead of waiting for input on stdin
openssl s_client -connect acme.server.com:443
openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect www.zintis.net:443 -brief
# s_client reports verification problems but still completes the handshake:
# look for "Verify return code: 0 (ok)" in the output, or add
# -verify_return_error to make it fail on a bad chain
# connect to a remote server to download, then analyze the cert
echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -dates
# for details of your OWN local certificate bundles (incl. all signatures);
# note that x509 only decodes the first certificate in a bundle file
cd /etc/ssl/certs
openssl x509 -text -noout -in bundlezp.crt
openssl x509 -text -noout -in certificate.crt
# create a new private key and a CSR for it in one go (-nodes leaves the key
# unencrypted on disk, so protect the .key file with mode 600)
openssl req -new -newkey rsa:2048 -nodes -keyout acme.com.key -out acme.com.csr
# create a CSR for a private key you already have (on linux)
openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr
# create a self-signed certificate (PEM) and its key, valid for 10 years
openssl req -new -newkey rsa:2048 -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
# list command groups and algorithms on your system (OpenSSL 1.1 and later
# take these as options with a leading dash)
openssl list -standard-commands
openssl list -digest-commands
openssl list -cipher-commands
openssl list -cipher-algorithms
openssl list -digest-algorithms
openssl list -public-key-algorithms
# check which openssl version you have; -d prints only the default config
# directory (OPENSSLDIR), -a prints the version plus build details and directories
openssl version
openssl version -d
openssl version -a
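The checks the one-liners above run against a remote host (does the cert chain to a trusted CA, how long until it expires, does the public cert really hold no private key), packaged as functions and exercised offline. This is an added example, not code from the original notes: it generates a throw-away root CA and a CA-signed leaf certificate in a temporary directory using the same openssl req / x509 commands summarized above, so the whole thing runs without network access. "Example Root CA" and vm2.example.test are made-up names for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): certificate checks exercised
# against a demo PKI generated on the spot.

# make_demo_pki DIR : root CA, leaf key/CSR, and CA-signed leaf cert, all in DIR
make_demo_pki() {
  pki=$1
  mkdir -p "$pki"
  # self-signed root CA (same shape as the "self-signed PEM" line above)
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
    -subj '/CN=Example Root CA' -keyout "$pki/ca.key" -out "$pki/ca.pem" 2>/dev/null
  # leaf private key and CSR, as in the "Create/generate" lines above
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/CN=vm2.example.test' -keyout "$pki/leaf.key" -out "$pki/leaf.csr" 2>/dev/null
  # the CA signs the CSR; the result is the public cert and holds no private key
  openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
    -CAcreateserial -days 20 -out "$pki/leaf.pem" 2>/dev/null
}

# cert_verifies CAFILE CERT : 0 if CERT chains to CAFILE (what a TLS client checks)
cert_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_expires_within CERT DAYS : 0 if CERT's notAfter falls within DAYS days.
# openssl x509 -checkend N exits 0 when the cert is still valid N seconds from
# now and 1 when it is not, so the sense is inverted here.
cert_expires_within() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# has_private_key FILE : 0 if the PEM file carries a private key block
has_private_key() {
  grep -q 'PRIVATE KEY' "$1"
}

# Demo run: build the PKI, print the dates the way the redhat.com one-liner
# above does, then run the three checks on the leaf certificate.
pkidir=$(mktemp -d)
make_demo_pki "$pkidir"
openssl x509 -noout -subject -issuer -dates -in "$pkidir/leaf.pem"
cert_verifies "$pkidir/ca.pem" "$pkidir/leaf.pem" && echo "leaf chains to the demo CA"
cert_expires_within "$pkidir/leaf.pem" 30 && echo "leaf expires within 30 days: renew soon"
has_private_key "$pkidir/leaf.pem" || echo "leaf.pem holds no private key (it lives in leaf.key)"
rm -rf "$pkidir"
```

Against a real host, feed the output of the s_client pipeline above into the same functions: save it with `echo | openssl s_client -connect host:443 2>/dev/null | openssl x509 > host.pem`, then run cert_verifies with the system bundle (/etc/pki/tls/certs/ca-bundle.crt on RHEL) and cert_expires_within with whatever renewal window you monitor for.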