TLS setup for apache and postfix mail


1 TLS (Transport Layer Security)

Formerly called SSL (Secure Sockets Layer). It uses public key cryptography. The latest version is TLS 1.3 (August 2018).

1.1 Overview

1.2 .pem .csr .key encodings and files

These are different ways of encoding Abstract Syntax Notation One (ASN.1) formatted data, the notation in which X.509 certificates are defined, in a machine-readable form.

1.2.1 .csr

Certificate Signing Request. These files are generated and then submitted to a certificate authority (CA) so they can sign it. .csr files are in PKCS#10 format, defined in RFC 2986. These files contain the key details of the requested certificate, including subject, organization, province, etc., and of course contain the public key of the certificate to be signed.

Once the CA signs the .csr, they return it to the owner. That becomes the now-signed public certificate. Note that these public certificates do not contain the private key.

1.2.2 .pem

A container format, Privacy Enhanced Mail (PEM), defined in RFC 1422. This format is compatible with the X.509 authentication framework. .pem files may contain just the public certificate, or the entire certificate chain, including the public key, private key, and root certificates.

Note that .pem for secure mail was a failed effort, but the .pem format has survived in use with certificates.

1.2.3 .key

Usually a .pem formatted file containing just the private key of a specific certificate. The .key file type is merely a naming convention, not a standard.

For Apache the .key files are usually in /etc/ssl/private directory. For nginx check out this nginx.com blog

Private keys must be protected, so they must have permissions set to 600.

1.2.4 convert a .ppk key to a .pem key

  • puttygen mykey.ppk -O private-openssh -o mykey.pem

(This is the command-line puttygen from putty-tools; -O private-openssh selects the OpenSSH/PEM output format. The reverse direction, .pem to .ppk, is puttygen mykey.pem -o mykey.ppk.)

You may have to install puttygen first.

2 Certificate, Intermediate Certificates and Private Keys

Certificates are public keys that have been signed by a CA. They are usually in the .pem format, for example 5cbe368af39baf50.pem, but once signed by the CA they get a .crt ending (or sometimes a .cert ending; usually it is .crt).

On RHEL servers they are usually in /etc/pki/tls/certs, but check the config file /etc/pki/tls/openssl.cnf for xxx to see if that location has been overridden.

/etc/pki/tls/5cbe368af39baf50.crt
/etc/pki/tls/gd_bundle-g2-g1.crt
/etc/pki/tls/ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/tls/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

2.1 Public keys

As mentioned above, the public key is what is sent to the CA to be signed. The CA verifies the details of your public key and verifies that you have rights to it (for example by verifying an email with your private key while they are talking to you over the phone). Once that is verified they will themselves sign your public key with their public key. This signed public key is what becomes your server's or your domain's public certificate.

People can now trust your server, because your server's public key has been signed by this CA, which they can verify, by checking the signature of the certificate authority.

2.1.1 public key in /etc/pki/tls/certs

On CentOS / Almalinux you will find your public keys (aka certificates) here.

2.1.2 private key in /etc/pki/tls/private

On CentOS / Almalinux you will find your private keys here.

3 CA (Certificate Authority)

3.1 openssl.cnf config file

In the /etc/pki/tls/openssl.cnf file there are some CA config lines:

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

My host did NOT have a CA directory. Is that because I don't intend to be a CA?

3.1.1 TODO figure this out

3.2 CA root certs setup

You need to tell your server where the set of root certificates resides. These are the CA root certificates, and they should be listed in /etc/ssl/certs.

If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs for non-RHEL systems), then you can use -CApath or -CAfile to specify the CA.

My Almalinux server has /etc/ssl/certs symlinked to /etc/pki/tls/certs. However, there is nothing else in /etc/ssl, including no openssl.cnf file. Rather, that was in /etc/pki/tls/openssl.cnf.

4 openssl commands

openssl command [command options] [command args]
openssl list <command group>

where command group is one of:

  • standard-commands
  • digest-commands
  • cipher-commands
  • cipher-algorithms
  • digest-algorithms
  • public-key-algorithms

There are also lots of sub-commands, such as openssl-x509

4.1 Many sub-commands have their own config files

These are specified with the -config option. Check the OPENSSL_CONF environment variable to see which file is being used.

There are How-to Guides available on https://www.openssl.org/docs/ that I read. Also use man crypto, available on Linux.

Some useful commands dealing with certs are part of openssl. See man openssl for a complete list, but here are some most useful examples:

  • openssl command [command options] [command args]

5 openssl s_client (standard command)

The first set of commands are the s_client commands, which implement a generic SSL/TLS client. The client establishes a transparent connection to a remote server using SSL/TLS.

5.1 Check a certificate for a web server.

  • openssl s_client -connect zintis.net:80 -showcerts
  • openssl s_client -connect zintis.net:443 -showcerts

5.2 Test connectivity to an HTTPS service

  • openssl s_client -connect acme.server.com:443
  • openssl s_client -connect acme.server.com:443 -brief
  • echo | openssl s_client -connect acme.server.com:443 -brief
  • echo | openssl s_client -connect www.zintis.net:443 -brief

5.3 Piping two openssl commands

  • echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -dates

This takes the output of the -connect command and checks the x509 expiration dates. This is a common technique: use s_client to connect to an SSL/TLS server and download the cert, then analyze it with openssl x509 or other openssl commands.

5.4 Force TLSv1 and DTLSv1

  • openssl s_client -connect acme.server.com:443 -tls1
  • openssl s_client -connect acme.server.com:443 -dtls1

5.5 Force a specific cipher

  • openssl s_client -connect acme.server.com:443 -cipher DHE-RSA-AES256-SHA

6 show version

  • openssl version -a

7 openssl genpkey (standard command)

7.1 Create/generate a public/private key pair

Generate two files: 1) a private-key file that will be used to generate a CSR and later to secure and verify connections using my certificate, and 2) a Certificate Signing Request (CSR) file, which is used to order my SSL certificate from my CA, and later used by web clients to encrypt their messages so that only I can decipher them (because only I have my private key).

  • openssl req -new -newkey rsa:2048 -nodes -keyout acme.com.key -out acme.com.csr
  • openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr

To create a self-signed PEM file:

  • openssl req -new -newkey rsa:2048 -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

From microfocus.com:

7.2 Create a Larger Diffie-Hellman Prime

By default openssl will generate a prime 1024 or 2048 bits in length. You can increase the length of the DH prime using this command:

  • openssl genpkey -genparam -algorithm DH -out dhparam4096 -pkeyopt dh_paramgen_prime_len:4096

Note that genpkey -genparam supersedes the older dhparam command.

Then you can add this to your nginx.conf file, in the server block:

  • ssl_dhparam /etc/pki/tls/certs/dhparam4096

7.3 How to create a PEM file from existing certificate files that form a chain

Often you combine your certificate, with the signing authority certificate, and the root certificate. They should be in that order, i.e.:

  1. Primary certificate - www.zintis.net.crt
  2. Intermediate Certificate - godaddy.com.crt
  3. Root Certificate - TrustedRoot.crt

This can be done simply using cat one.crt two.crt three.crt >> bundled.crt

The bundled.crt file should look something like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  1. (optional) Remove the password from the Private Key:
     openssl rsa -in server.key -out nopassword.key

     Note: Enter the pass phrase of the Private Key.

  2. Combine the private key, public certificate and any 3rd party intermediate certificate files:
     cat nopassword.key > server.pem
     cat server.crt >> server.pem

     Note: Repeat this step as needed for third-party certificate chain files, bundles, etc.: cat intermediate.crt >> server.pem

7.4 CA signs the CSR and returns a CRT file

7.5 This matches the private .key file

You should already have a private key from the openssl req command. chmod it to 400 as root so that it is safe, and take a backup as well. Without your key the certificate is useless.

8 openssl x509 or rsa commands

Used to check out certificate files, whether x509 or rsa.

8.1 Check a certificate of a local file.

  • openssl x509 -in 4abe36dee147d6a4.crt -text -noout

8.2 Check a key

  • openssl rsa -in acme.com.key -check

8.3 One-liner to verify a certificate chain

Here is a one-liner to verify a certificate chain:

  • openssl verify -verbose -x509_strict -CAfile ca.pem -CApath nosuchdir cert_chain

8.4 Check a CSR

(You can verify the CSR and see the data filled in when it was generated)

  • openssl req -text -in acme.com.csr -noout -verify

8.5 Print md5 checksums of certificate and key

  • openssl x509 -noout -modulus -in acme.com.crt | openssl md5
  • openssl rsa -noout -modulus -in acme.com.key | openssl md5

8.6 Check a pem local file:

  • openssl x509 -in email-ca-bundle.pem -text -noout
  • openssl x509 -in tls-ca-bundle.pem -text -noout
  • openssl x509 -in gd_bundle-g2-g1.crt -text -noout

These files were in /etc/pki/ca-trust/ and subdirectories. Use the command openssl x509 -in 4abe36dee147d6a4.crt -text -noout

zintis@zintis.net /etc/pki/tls/certs[1034]:
$ openssl x509  -in 4abe36dee147d6a4.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5385802535271913124 (0x4abe36dee147d6a4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Apr 27 17:21:29 2021 GMT
            Not After : May 29 17:21:29 2022 GMT
        Subject: OU = Domain Control Validated, CN = zintis.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a9:3e:6a:26:5b:f3:eb:89:ed:f9:c7:c9:ee:48:
                    a0:62:bc:7a:bc:33:a4:2f:c3:74:e4:43:cf:37:6a:
                    52:c9:b0:66:e7:90:9c:a2:b1:3a:4b:13:1a:79:3b:
                    10:4c:d4:0e:e6:64:a5:20:8c:a6:18:a8:fb:ec:c2:
                    2a:4e:38:cd:43:dc:79:34:d0:01:40:b8:d9:2a:4f:
                    e5:a1:7f:9d:04:f0:79:22:e2:f2:2d:be:47:5b:29:
                    ff:2d:14:a4:db:a3:35:d1:de:08:40:d4:4a:03:e6:
                    0d:c9:ff:d4:fa:df:d0:7d:1a:f8:48:ee:4e:c5:90:
                    9e:43:c7:32:33:e5:6b:61:d3:87:b0:30:3f:e1:a2:
                    8f:24:f1:58:bc:d2:74:96:a8:8b:6c:0d:e9:2e:1f:
                    af:2f:36:70:a4:40:aa:ab:c3:d6:ca:b2:98:2c:d7:
                    5e:94:aa:99:0f:e7:80:9c:a3:45:e4:dc:21:20:49:
                    e8:c5:58:3b:c4:40:7f:bf:0f:0e:c7:f0:b4:52:5e:
                    7b:50:45:2c:0d:5b:ff:ff:d1:08:a1:8d:31:63:3e:
                    b3:ec:4c:12:76:aa:8a:c4:2a:a9:b6:1f:c2:67:4a:
                    ae:8d:5b:0c:24:3c:d4:af:b0:86:16:90:55:f3:da:
                    b3:00:79:0c:5f:dd:31:c2:ed:75:85:67:d6:9e:eb:
                    4e:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-2903.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier: 
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name: 
                DNS:zintis.net, DNS:www.zintis.net
            X509v3 Subject Key Identifier: 
                F3:93:BD:51:40:11:25:73:C6:EA:6F:40:F3:AE:0C:B1:DA:8C:20:02
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Apr 27 17:21:30.636 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:55:A8:71:9A:2F:A1:36:90:FB:A7:32:C1:
                                14:E8:65:E9:F8:2A:24:EB:C2:2F:35:E9:61:35:E3:B6:
                                C2:35:CA:80:02:21:00:9C:D3:92:A8:FD:0F:E9:D5:28:
                                A5:DC:A6:88:D3:25:0E:0F:EC:91:B2:DB:16:88:20:DC:
                                F7:7A:61:75:9B:41:3C
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
                                E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02
                    Timestamp : Apr 27 17:21:30.672 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:B0:DD:1F:38:52:2D:E9:4B:CB:80:50:
                                ED:C0:B2:1A:81:C4:89:4A:5C:69:1D:29:39:95:3E:E9:
                                FC:9E:6D:CE:B1:02:21:00:D3:95:28:F9:A7:28:53:E5:
                                00:62:76:F2:DD:AF:75:F2:98:A6:F1:2B:C9:4A:55:B4:
                                FD:FE:25:A5:B1:6D:A9:F5
    Signature Algorithm: sha256WithRSAEncryption
         77:d7:88:94:30:ac:22:c4:3a:c2:6f:d8:c3:97:a6:64:45:4e:
         ee:7c:a8:c6:63:75:a5:d8:d2:2a:f0:de:ad:c7:86:8f:6a:d8:
         2e:50:df:e6:38:f8:b6:86:04:f2:4a:05:81:a5:1c:c7:39:79:
         95:81:e9:e2:8b:83:f4:dc:7f:06:a7:67:04:b0:3d:2a:9e:8d:
         f6:9b:59:01:ff:35:47:a9:98:13:4a:71:c1:59:bc:2d:61:2c:
         e3:80:ed:01:e1:02:3b:3c:cd:80:12:20:79:75:18:8c:c8:02:
         b0:aa:19:f8:9d:48:91:dd:d5:e6:c8:54:67:e6:59:a8:f0:d0:
         1a:99:a1:64:7c:8d:69:ca:33:87:73:1f:6d:07:c4:02:f9:21:
         18:74:33:f3:c4:58:ab:6b:b9:7d:28:54:e1:e0:f4:67:21:a8:
         50:e0:3b:4f:22:a7:63:3c:db:e8:77:dc:1f:09:c8:95:b9:09:
         e8:ba:18:eb:92:a3:9f:8e:55:38:85:c9:af:a5:d9:75:02:c6:
         a6:61:92:31:10:31:6d:b6:3a:88:01:a2:b8:5a:78:5e:9f:18:
         f4:1b:67:82:6f:01:5d:bc:01:4a:26:be:2d:32:37:50:e7:7a:
         44:90:db:60:c6:69:a1:eb:5b:9f:5b:0f:b9:27:76:80:e0:d0:
         ae:8a:a9:c1
  

8.7 Generate a Key pair

  • openssl genrsa -out acme.com.key 2048

This generates your private key in the current directory, in a file named "acme.com.key". It uses the RSA algorithm and generates a key of 2048 bits. It will be in pem format.

9 Examples from OPS335 vms

These keys are on vm2, not on vm1! Actually vm1, vm2, and vm3 each have their OWN keys configured (or should, anyway).

mkdir -p /root/postfix-keys /etc/ssl/{private,certs} 
cd /root/postfix-keys

openssl genrsa -des3 -out vm2.zintis.ops.key 2048 

chmod 600 vm2.zintis.ops.key

Now sign the key you just created to create a certificate? Or does this actually create the public key certificate from the private key only?

root@vm2 ~/postfix-keys [1008]$ 

  openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr

  Enter pass phrase for vm2.zintis.ops.key:  zilaislakatinsMT  Zilaislakatinsmt   dodman
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CA
  State or Province Name (full name) []:Ontario
  Locality Name (eg, city) [Default City]:Toronto
  Organization Name (eg, company) [Default Company Ltd]:zintis.ops
  Organizational Unit Name (eg, section) []:ops335
  Common Name (eg, your name or your server's hostname) []:vm2
  Email Address []:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  root@vm2 ~/postfix-keys [1009]$

Now I have vm2.zintis.ops.key and vm2.zintis.ops.csr. We can now sign the CSR and output it to a temporary .crt file.

root@vm2 ~/postfix-keys [1010]$ 

openssl x509 -req -days 365 -in vm2.zintis.ops.csr -signkey vm2.zintis.ops.key -out vm2.zintis.ops.crt

  Signature ok
  subject=C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
  Getting Private key
  Enter pass phrase for vm2.zintis.ops.key:
root@vm2 ~/postfix-keys [1011]$ 

Now we have three files: .key, .csr and .crt (the temporary one). Trying to create a version of my key that has a null password? It looks like it:


openssl rsa -in vm2.zintis.ops.key -out vm2.zintis.ops.key.nopass

  Enter pass phrase for vm2.zintis.ops.key: zilaislakatinsMT
  writing RSA key
root@vm2 ~/postfix-keys [1015]$ 

Now a fourth file, .key.nopass, which I will mv to replace the .key file from which this was created:

mv vm2.zintis.ops.key.nopass vm2.zintis.ops.key

Finally, create a new key, "cakey.pem", and a "cacert.pem" that is good for 10 years:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650  
  Generating a RSA private key
  ..................................................................................+++++
  ...........................................+++++
  writing new private key to 'cakey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:  xxxxxxxxxxxxxxxxx    # this was a new password.
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CA
  State or Province Name (full name) []:Ontario
  Locality Name (eg, city) [Default City]:Toronto
  Organization Name (eg, company) [Default Company Ltd]:zintis.ops
  Organizational Unit Name (eg, section) []:OPS335
  Common Name (eg, your name or your server's hostname) []:vm2
  Email Address []:zintis@zintis.ops

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:XXXXXXXX
  An optional company name []:Seneca


Now protect the files, and copy them to the /etc/ssl directories.


chmod 600 vm2.zintis.ops.key cakey.pem
cp vm2.zintis.ops.key cakey.pem /etc/ssl/private
cp vm2.zintis.ops.crt cacert.pem /etc/ssl/certs

10 GoDaddy instructions to install certificates to nginx

From this link (ca.godaddy.com) I got these instructions to install a certificate on my nginx server:

  1. Connect to your server via SSH.
  2. Create a directory to store the server key, certificate, and intermediate bundle:
     sudo mkdir /etc/nginx/ssl
  3. Copy your private key, which was created when you generated your CSR, to the ssl folder:
     cp coolexample.key /etc/nginx/ssl
  4. SFTP to your server, and upload your SSL certificate and intermediate bundle to the /etc/nginx/ssl folder.
  5. Navigate to the SSL folder in SSH:
     cd /etc/nginx/ssl
  6. Combine your SSL certificate and the intermediate bundle into one file using the concatenate command. Since your intermediate certificate and root certificate come in a bundle, you can use the following SSH command:
     sudo cat f84e19a2f44c6386.crt gd_bundle-g2-g1.crt >> coolexample.crt

Note: The certificates have to be listed in this order with the concatenate command or the SSL will not work properly on your server.

  7. Open your NGINX config file for the domain you're installing the SSL certificate to:
     sudo vim /etc/nginx/sites-available/coolexample.com
  8. Update the config file to use the SSL certificate:

     server {
         listen 80;
         server_name coolexample.com;
         return 301 https://$host$request_uri;
     }

     server {
         listen 443 ssl;

         server_name coolexample.com;
         ssl_certificate     /etc/nginx/ssl/coolexample.crt;
         ssl_certificate_key /etc/nginx/ssl/coolexample.key;

         root /usr/share/nginx/coolexample.com/;
         index index.php  index.html index.htm;
     }

  9. Save the config file.
  10. Restart your NGINX server:
      sudo service nginx restart or better sudo systemctl restart nginx

10.1 Similar instructions for apache TLS

From ca.godaddy.com again. This time for apache server.

11 Continuing with configuration of postfix:


Add this to the postfix main.cf file:

# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.zintis.ops.key
# smtpd_tls_cert_file was /etc/pki/tls/certs/postfix.pem
smtpd_tls_cert_file = /etc/ssl/certs/vm2.zintis.ops.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1

shlib_directory = /usr/lib64/postfix

11.1 From another post:

Set your mail server settings, and set enable_installer to enable the setup wizard (this is for when your postfix and dovecot are all on the same server).

/etc/webapps/roundcubemail/config/config.inc.php:

$config['db_dsnw'] = 'mysql://roundcube:****@localhost/roundcubemail';
$config['default_host'] = 'tls://localhost'; // IMAP host
$config['smtp_server'] = 'tls://localhost';
$config['smtp_port'] = 587;
$config['des_key'] = 'someawesomelongsemirandomstring';
$config['enable_installer'] = true;

11.3 Files

From the above, it appears that my certificate (a.k.a. public key) is stored in

  • /etc/ssl/certs/vm2.zintis.ops.crt

And my private key is stored in :

  • /etc/ssl/private/vm2.zintis.ops.key

See also /usr/share/ca-certificates

12 With the above I was getting this error:

root@vm2 /etc/ssl/certs [1127]$ 

Aug  7 14:36:49 vm2 postfix/smtpd[2175]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 14:36:49 vm2 postfix/cleanup[2178]: 456AE4592B1: message-id=<20200807183649.456AE4592B1@vm2.zintis.ops>
Aug  7 14:36:49 vm2 postfix/qmgr[2171]: 456AE4592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug  7 14:36:49 vm2 postfix/smtpd[2175]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug  7 14:36:49 vm2 postfix/smtp[2180]: 456AE4592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.18, delays=0.03/0.02/0.11/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3CB3ECA2147)
Aug  7 14:36:49 vm2 postfix/qmgr[2171]: 456AE4592B1: removed
Aug  7 14:55:19 vm2 postfix/postfix-script[2232]: stopping the Postfix mail system
Aug  7 14:55:19 vm2 postfix/master[2169]: terminating on signal 15
Aug  7 14:55:19 vm2 postfix/postfix-script[2310]: starting the Postfix mail system
Aug  7 14:55:19 vm2 postfix/master[2312]: daemon started -- version 3.3.1, configuration /etc/postfix


Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: cannot get RSA private key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:543:while reading strings:
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:59:
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:crypto/pem/pem_lib.c:434:
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl/ssl_rsa.c:556:
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: connect from c8host.zintis.ops[192.168.111.1]
Aug  7 14:56:01 vm2 postfix/cleanup[2323]: DE9404592B1: message-id=<20200807185601.DE9404592B1@vm2.zintis.ops>
Aug  7 14:56:01 vm2 postfix/qmgr[2314]: DE9404592B1: from=<double-bounce@vm2.zintis.ops>, size=843, nrcpt=1 (queue active)
Aug  7 14:56:01 vm2 postfix/smtpd[2320]: disconnect from c8host.zintis.ops[192.168.111.1] ehlo=1 starttls=0/1 quit=1 commands=2/3
Aug  7 14:56:02 vm2 postfix/smtp[2325]: DE9404592B1: to=<postmaster@zintis.ops>, orig_to=<postmaster>, relay=vm3.zintis.ops[192.168.111.13]:25, delay=0.2, delays=0.03/0.02/0.11/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D8574CA2147)
Aug  7 14:56:02 vm2 postfix/qmgr[2314]: DE9404592B1: removed

12.1 things I tried:

  1. openssl rsa -in /etc/ssl/private/vm2.zintis.ops.key -check -noout

     This produced:

     Enter pass phrase for /etc/ssl/private/vm2.zintis.ops.key: RSA key ok

  2. openssl x509 -in /etc/ssl/certs/vm2.zintis.ops.crt -text -noout

     This produced:

    Certificate:
        Data:
    	Version: 1 (0x0)
    	Serial Number:
    	    26:02:d7:62:ab:1c:05:3f:80:21:da:0c:52:9a:e7:8c:f2:2f:d9:c0
    	Signature Algorithm: sha256WithRSAEncryption
    	Issuer: C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
    	Validity
    	    Not Before: Aug  7 17:37:49 2020 GMT
    	    Not After : Aug  7 17:37:49 2021 GMT
    	Subject: C = CA, ST = Ontario, L = Toronto, O = zintis.ops, OU = ops335, CN = vm2
    	Subject Public Key Info:
    	    Public Key Algorithm: rsaEncryption
    		RSA Public-Key: (2048 bit)
    		Modulus:
    		    00:cb:2a:20:b0:0c:06:61:54:0f:34:69:97:f7:04:
    		    24:02:a9:c4:f7:ba:61:67:89:55:e4:a7:c7:09:47:
    		    8d:1b:96:bd:06:05:cc:e1:2c:a8:3a:04:b9:53:59:
    		    0a:ec:06:39:f6:72:ce:79:b6:7a:7c:a4:21:a2:ee:
    		    e0:75:0c:c4:42:ee:c5:27:43:79:4e:63:a6:70:0d:
    		    eb:12:96:40:73:2a:35:e0:ce:43:7c:a3:84:72:96:
    		    11:e0:15:ca:1a:2c:52:2f:c8:40:d8:16:57:71:f2:
    		    13:e3:d9:a4:a4:e7:45:8d:30:57:5d:70:a3:e8:34:
    		    c1:92:7a:05:74:4d:8c:62:01:a0:5c:b0:b6:f6:45:
    		    0f:06:4e:d8:75:7c:96:56:51:df:b0:05:3d:fd:0a:
    		    21:d3:04:d4:90:1f:38:85:6b:48:c1:5a:de:7b:71:
    		    2f:ca:48:9f:d8:b2:49:d3:28:8c:9c:73:fd:47:fd:
    		    a9:9d:5c:80:94:fc:4e:87:a9:96:38:72:11:c9:9a:
    		    a0:d4:01:96:32:c5:e6:9c:8d:cc:18:27:db:17:d6:
    		    af:f9:46:10:a2:64:cf:02:54:05:4e:0f:e2:4d:3a:
    		    f1:d4:0d:29:ea:a0:b3:2a:8e:81:13:c2:7d:e9:3a:
    		    20:dd:17:3b:f4:22:d9:0f:9c:bb:c1:1b:37:f0:af:
    		    6e:9f
    		Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
    	 3f:7c:e4:b2:49:05:56:2c:6d:97:7b:34:6f:e6:89:af:f0:bc:
    	 7f:f7:f2:4d:ce:ec:5e:ea:81:cb:b5:38:f2:ae:37:fa:7c:1c:
    	 02:8e:d7:94:ff:f9:14:b3:46:13:36:32:be:8b:47:c9:fc:eb:
    	 4e:f8:5f:57:4d:02:10:88:d2:bf:41:0a:61:1e:20:ab:8c:1f:
    	 b2:a3:be:02:f0:db:16:c1:0b:14:b1:33:e1:72:98:77:dc:95:
    	 f5:bd:17:9b:66:f9:32:73:45:ef:84:16:09:cf:8e:0d:c1:76:
    	 ee:db:dd:d5:80:c2:13:b5:46:fa:43:4e:4c:d2:94:e7:a3:32:
    	 78:d7:2d:7d:eb:42:8f:7c:5d:85:bd:cf:e1:4a:c3:bd:26:0d:
    	 59:a1:55:06:1d:89:2e:2d:25:fa:03:5c:53:c7:75:5b:79:35:
    	 5b:8e:3a:5e:ce:93:50:ff:d7:b8:ac:d9:95:74:56:2f:b4:d8:
    	 c3:89:3b:03:fe:a4:c0:d6:d7:2b:1c:d7:43:b6:59:03:32:89:
    	 97:bb:e6:e1:a8:bf:d1:cb:1c:0a:47:2c:c1:ec:2f:f1:75:d9:
    	 27:d2:f5:7d:be:c3:3b:28:a4:c4:9d:ce:1d:9e:b7:47:01:81:
    	 98:ca:44:bd:5b:de:b3:a9:a8:1a:ad:59:af:6e:da:fd:19:d7:
    	 95:02:c3:fd
    root@vm2 /etc/ssl/certs [1131]$ 
    
    

    From StackOverflow: in order to check if the cert and key match, use this:

    (openssl x509 -noout -modulus -in /etc/ssl/certs/vm2.zintis.ops.crt | openssl md5 ;\
    openssl rsa -noout -modulus -in /etc/ssl/private/vm2.zintis.ops.key | openssl md5) | uniq

    If you get more than one identifier, then your key and cert don't match; create new ones. Mine did match.
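A small pre-flight check, added here as an example (it is not from these notes, nor Postfix or OpenSSL code), covering the failure above and the bundling in section 7.3: using only the Python standard library it parses PEM files, flags a pass-phrase-protected private key (the condition behind the "bad password read ... disabling TLS support" warning), reports what a concatenated bundle contains, checks the 600 permission from section 1.2.3, and picks the failed-key warning out of maillog lines. The sample keys and certificates below are constructed placeholders, so the check is structural only; it does not verify signatures or the key/cert modulus match.

```python
import os
import re
import stat
import tempfile

# One PEM block: label on the BEGIN line, body up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, body)] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(text):
    """True if the PEM private key in text needs a pass phrase.

    A traditional "BEGIN RSA PRIVATE KEY" file carries the header line
    "Proc-Type: 4,ENCRYPTED"; a PKCS#8 key uses the label
    "ENCRYPTED PRIVATE KEY". Either one makes an unattended daemon such as
    Postfix fail with "bad password read" and disable TLS.
    """
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def bundle_report(text):
    """Summarise a concatenated cert bundle: how many certificates it holds
    and whether a private key was accidentally catted into it."""
    labels = [label for label, _ in pem_blocks(text)]
    return {
        "certs": labels.count("CERTIFICATE"),
        "private_key_present": any(l.endswith("PRIVATE KEY") for l in labels),
    }


def mode_is_private(path):
    """True if the file has no group/other permission bits (0600 or 0400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Matches the smtpd warning Postfix logs when it cannot load the key file.
POSTFIX_KEY_WARNING = re.compile(
    r'postfix/smtpd\[\d+\]: warning: cannot get (?:RSA )?private key '
    r'from file "([^"]+)"')


def failed_key_loads(log_lines):
    """Return the key paths Postfix reported it could not load."""
    return [m.group(1) for m in map(POSTFIX_KEY_WARNING.search, log_lines) if m]


# --- constructed sample data (placeholder bodies, not real keys or certs) ---
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "AAAAplaceholderAAAA\n"
    "-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAAplaceholderAAAA\n"
    "-----END RSA PRIVATE KEY-----\n")
CERT = "-----BEGIN CERTIFICATE-----\nAAAAplaceholderAAAA\n-----END CERTIFICATE-----\n"
BUNDLE = CERT * 3                 # server + intermediate + root, as in 7.3
BAD_BUNDLE = PLAIN_KEY + CERT     # private key leaked into the public bundle

# Constructed maillog lines modelled on the warning shown above.
LOG_LINES = [
    'Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: cannot get RSA private '
    'key from file "/etc/ssl/private/vm2.zintis.ops.key": disabling TLS support',
    'Aug  7 14:56:01 vm2 postfix/smtpd[2320]: warning: TLS library problem: '
    'error:0906A068:PEM routines:PEM_do_header:bad password read',
    'Aug  7 14:56:01 vm2 postfix/smtpd[2320]: connect from c8host.zintis.ops[192.168.111.1]',
]


def demo_mode_check():
    """Write a temp file, check it at 0644 and again at 0600; return both."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        world_readable_ok = mode_is_private(path)   # False: group/other can read
        os.chmod(path, 0o600)
        owner_only_ok = mode_is_private(path)       # True: what section 1.2.3 asks for
    finally:
        os.unlink(path)
    return world_readable_ok, owner_only_ok


if __name__ == "__main__":
    print("encrypted key needs pass phrase:", key_is_encrypted(ENCRYPTED_KEY))
    print("bundle:", bundle_report(BUNDLE), "bad bundle:", bundle_report(BAD_BUNDLE))
    print("keys postfix could not load:", failed_key_loads(LOG_LINES))
    print("mode check (0644, 0600):", demo_mode_check())
```

Run it against the real files (read them with open().read()) before restarting Postfix or nginx; a True from key_is_encrypted is exactly the case the openssl rsa -in ... -out ...nopass step above fixes.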

12.2 From upcloud.com as of 2018

For Postfix SMTP authentication you should enable SMTP-AUTH.

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

And for main.cf (for postfix)

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'

Note that the above can be entered in the main.cf config file rather than one at a time from the command line. (I think)
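As an added example (not from the page or upcloud.com), the following script parses `postconf -n` output and flags settings weaker than the ones set above: SMTP-AUTH off, anonymous SASL allowed, STARTTLS disabled on either hop, or a recipient restriction list that would make the server an open relay. The sample output is constructed.

```python
import re

# Constructed sample of `postconf -n` output: the SASL/TLS settings from this
# section, but with two of them weakened so the audit has something to report.
SAMPLE_POSTCONF_N = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_tls_security_level = may
smtp_tls_security_level = none
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
"""

def parse_postconf(text):
    """Turn `postconf -n` output ("name = value" per line) into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def split_list(value):
    """Split a Postfix list value, which may be comma and/or space separated."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(conf):
    """Return findings for settings weaker than the ones in this section; [] means all good."""
    findings = []
    if conf.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: SMTP-AUTH is off")
    if "noanonymous" not in split_list(conf.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous: anonymous SASL logins allowed")
    for param in ("smtpd_tls_security_level", "smtp_tls_security_level"):
        # Postfix treats an empty level the same as none: no STARTTLS at all.
        if conf.get(param, "") in ("", "none"):
            findings.append(f"{param} is off: mail on this hop goes in cleartext")
    if "reject_unauth_destination" not in split_list(conf.get("smtpd_recipient_restrictions", "")):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE_POSTCONF_N)):
        print(finding)
```

To audit a live box, feed it the real output: `postconf -n | python3 -c 'import sys; ...'` or replace the sample with `sys.stdin.read()`.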

13 Fix for ca-certificates dnf upgrade error

13.1 Error Symptoms for dnf upgrade -y

I tried running a dnf upgrade on my lab vms and got this error.

root@vm3~[1000] $
dnf upgrade -y
Last metadata expiration check: 6:08:52 ago on Thu 02 Dec 2021 11:27:22 AM EST.
Dependencies resolved.
===========================================================================================================================================================
 Package                                 Architecture                   Version                                       Repository                      Size
===========================================================================================================================================================
Upgrading:
 ca-certificates                         noarch                         2021.2.50-80.0.el8_4                          baseos                         390 k

Transaction Summary
===========================================================================================================================================================
Upgrade  1 Package

Total size: 390 k
Downloading Packages:
[SKIPPED] ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm: Already downloaded                                                                             
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                   1/1 
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
  Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
Error unpacking rpm package ca-certificates-2021.2.50-80.0.el8_4.noarch
  Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
  Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch                                                                                       2/2 

Failed:
  ca-certificates-2019.2.32-80.0.el8_1.noarch                                  ca-certificates-2021.2.50-80.0.el8_4.noarch                                 

Error: Transaction failed

Specifically, the ca-certificates upgrade failed. The same error appears when upgrading ca-certificates on its own:

sudo dnf upgrade ca-certificates
[sudo] password for zintis: 
Last metadata expiration check: 0:59:07 ago on Thu 02 Dec 2021 11:42:14 AM EST.
Dependencies resolved.
===========================================================================================================================================================
 Package                                 Architecture                   Version                                       Repository                      Size
===========================================================================================================================================================
Upgrading:
 ca-certificates                         noarch                         2021.2.50-80.0.el8_4                          baseos                         390 k

Transaction Summary
===========================================================================================================================================================
Upgrade  1 Package

Total size: 390 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm: Already downloaded                                                                             
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                   1/1 
  Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
  Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
Error unpacking rpm package ca-certificates-2021.2.50-80.0.el8_4.noarch
  Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                       1/2 
  Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch                                                                                       2/2 

Failed:
  ca-certificates-2019.2.32-80.0.el8_1.noarch                                  ca-certificates-2021.2.50-80.0.el8_4.noarch                                 

Error: Transaction failed

13.2 Where I found the fix

I found this article on access.redhat.com that worked verbatim for me. I ran this as root using sudo -i

13.3 Step by step instructions for fix

  1. Move the existing certs to a new backup directory, cert.bak:
cd /root
mkdir -p cert.bak

# move certificates into the backup directory just created.
rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}'

You should see output similar to this:

renamed '/etc/pki/ca-trust/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/ca-legacy.conf' -> '/root/cert.bak/ca-legacy.conf'
renamed '/etc/pki/ca-trust/extracted/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/edk2/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/java/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/openssl/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/extracted/pem/README' -> '/root/cert.bak/README'
renamed '/etc/pki/ca-trust/source/README' -> '/root/cert.bak/README'
renamed '/etc/ssl/certs' -> '/root/cert.bak/certs'
root@vm2~[1004] $
  2. Reinstall ca-certificates (check whether an update exists; if so run the update, otherwise run reinstall, all in one line):
    dnf check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates
    

    You should see output similar to this:

    Last metadata expiration check: 6:09:39 ago on Thu 02 Dec 2021 11:27:22 AM EST.
    
    ca-certificates.noarch               2021.2.50-80.0.el8_4                baseos
    Last metadata expiration check: 6:09:40 ago on Thu 02 Dec 2021 11:27:22 AM EST.
    Dependencies resolved.
    =================================================================================
     Package              Architecture     Version               Repository   Size
    =================================================================================
    Upgrading:
     ca-certificates      noarch        v  2021.2.50-80.0.el8_4  baseos       390 k
    
    Transaction Summary
    =================================================================================
    Upgrade  1 Package
    
    Total download size: 390 k
    Is this ok [y/N]: y
    Downloading Packages:
    ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm        1.5 MB/s | 390 kB     00:00    
    ----------------------------------------------------------------------------------
    Total                                                  645 kB/s | 390 kB     00:00     
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                          1/1 
      Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch              1/2 
      Upgrading        : ca-certificates-2021.2.50-80.0.el8_4.noarch              1/2 
      Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch              1/2 
      Cleanup          : ca-certificates-2019.2.32-80.0.el8_1.noarch              2/2 
      Running scriptlet: ca-certificates-2021.2.50-80.0.el8_4.noarch              2/2 
      Running scriptlet: ca-certificates-2019.2.32-80.0.el8_1.noarch              2/2 
      Verifying        : ca-certificates-2021.2.50-80.0.el8_4.noarch              1/2 
      Verifying        : ca-certificates-2019.2.32-80.0.el8_1.noarch              2/2 
    
    Upgraded:
      ca-certificates-2021.2.50-80.0.el8_4.noarch                                                                                                              
    
    Complete!
    
    
  3. Check that only these two files are found in these directories:
    • /etc/pki/ca-trust/source
    • /etc/pki/ca-trust/source/anchors
    find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
    

    You should see only these two files:

    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/ca-trust/source/README
    

    If you see other files, move them to the backup directory manually.

  4. Ensure the /usr/share/pki/ca-trust-source/ and /usr/share/pki/ca-trust-source/ directories together contain no more than the following two files:
    • /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
    • /usr/share/pki/ca-trust-source/README
  5. Update your certificate authority trust with this single command:
    update-ca-trust extract
    

    This command gave no output, but confirm that the command ran with no errors. You can read about it using man update-ca-trust

  6. Run the dnf upgrade -y command again. This time it should work.
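The awk one-liner in step 1 is terse, so here is an added example (not from the Red Hat article) that decodes `rpm -Vv` lines into which attribute checks failed and applies the same selection: status column not all dots and file type not documentation. The sample output is constructed; run it against real `rpm -Vv ca-certificates` output to preview what would be moved before touching anything.

```python
import re

# rpm -V status flags, in the fixed column order rpm prints them
# (a "." means the attribute verified fine, "?" that it could not be tested).
ATTR_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# Optional file-type marker that rpm prints between the status and the path.
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(r"^(?P<status>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S*)$")

# Constructed sample of `rpm -Vv ca-certificates` output.
SAMPLE_RPM_VV = """\
.........    /etc/pki/ca-trust
S.5....T.  c /etc/pki/ca-trust/ca-legacy.conf
.........  d /usr/share/doc/ca-certificates/README
S.5....T.  d /usr/share/doc/ca-certificates/CHANGELOG
.M.......    /etc/ssl/certs
missing    c /etc/pki/ca-trust/README
"""

def parse_line(line):
    """Decode one rpm -Vv line into path, file type and the list of failed checks."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    status = m.group("status")
    if status == "missing":
        changed = ["missing"]
    else:
        changed = [ATTR_FLAGS[ch] for ch in status if ch in ATTR_FLAGS]
    return {"path": m.group("path"),
            "type": FILE_TYPES.get(m.group("type"), "regular"),
            "changed": changed}

def files_to_back_up(text):
    """Same selection as the awk filter in step 1:
    status not all dots ($1 != ".........") and not a doc file ($2 != "d")."""
    selected = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["changed"] and entry["type"] != "documentation":
            selected.append(entry)
    return selected

if __name__ == "__main__":
    for e in files_to_back_up(SAMPLE_RPM_VV):
        print(f"{e['path']} ({e['type']}): {', '.join(e['changed'])}")
```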

14 openssl summary

# look at certs of a remote server (port 80 is plain http, so the first
# line will not get a TLS handshake; use the https port 443)
openssl s_client -connect zintis.net:80 -showcerts
openssl s_client -connect zintis.net:443 -showcerts
# order of options does not matter so the next line does the same:
openssl s_client -showcerts -connect zintis.net:443

# test connectivity to an https server (the leading echo closes stdin so
# s_client exits instead of waiting for input)
openssl s_client -connect acme.server.com:443
openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect acme.server.com:443 -brief
echo | openssl s_client -connect www.zintis.net:443 -brief

# connect to a remote server to download, then analyze the cert
echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -dates

# for details of your OWN local certificate bundles (incl. all signatures)
cd /etc/ssl/certs
openssl x509 -text -noout -in bundlezp.crt
openssl x509 -text -noout -in certificate.crt

# Create a new private key plus a CSR for it (the CSR carries the public key;
# -nodes leaves the key unencrypted, so keep it mode 600)
openssl req -new -newkey rsa:2048 -nodes -keyout acme.com.key -out acme.com.csr
# or create a CSR from an existing private key
openssl req -new -key vm2.zintis.ops.key -out vm2.zintis.ops.csr

# create a self-signed PEM file
openssl req -new -newkey rsa:2048 -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

# list command groups on your system (OpenSSL 1.1.1 and later take these as options)
openssl list -commands
openssl list -digest-commands
openssl list -cipher-commands
openssl list -cipher-algorithms
openssl list -digest-algorithms
openssl list -public-key-algorithms

# show the default config directory (OPENSSLDIR); plain "openssl version" shows the version string
openssl version -d
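The `openssl x509 -noout -dates` pipeline above prints two lines that are awkward to compare by eye, so here is an added example (not from the page) that parses them and reports whether the cert is expired, not yet valid, or expiring within a warning window. The sample output is constructed; the file name in the usage note is hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates` output (note the
# space-padded day of month, which is how OpenSSL prints it).
SAMPLE_DATES = """\
notBefore=Dec  2 11:27:22 2021 GMT
notAfter=Mar  2 11:27:21 2022 GMT
"""

# strptime collapses whitespace in the format, so "Dec  2" parses fine.
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"

def parse_dates(text):
    """Return {"notBefore": datetime, "notAfter": datetime} in UTC."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            out[key] = datetime.strptime(value.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)
    if set(out) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return out

def check_validity(text, now, warn_days=30):
    """Return (status, days_left); status is not-yet-valid, expired, expiring or ok."""
    d = parse_dates(text)
    days_left = (d["notAfter"] - now).days
    if now < d["notBefore"]:
        return "not-yet-valid", days_left
    if now >= d["notAfter"]:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left

if __name__ == "__main__":
    import sys
    status, days = check_validity(sys.stdin.read(), datetime.now(timezone.utc))
    print(f"{status}: {days} days until notAfter")
```

Pipe the real output into it: `echo | openssl s_client -connect redhat.com:443 2>/dev/null | openssl x509 -noout -dates | python3 check_dates.py`.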
