Multiple certificate option

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Multiple certificate option

Dovecot mailing list
What is the best way to adopt multiple certs?

Thanks.
Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
On 2019-09-07 12:25, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs?
>
> Thanks.

/etc/dovecot/conf.d/10-ssl.conf

Primary SSL certificate:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
ssl = required

("yes" or "required" - I use required)

# Minimum SSL protocol version to use. Potentially recognized values are
SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened
before
# dropping root privileges, so keep the key file unreadable by anyone
but
# root. Included doc/mkcert.sh can be used to easily generate
self-signed
# certificate, just make sure to update the domains in
dovecot-openssl.cnf
ssl_cert = </etc/ssl/private/mail-domain-tld.crt
ssl_key = </etc/ssl/private/mail-domain-tld.key

Secondary SSL certificates (I add this at the bottom of the file)

local_name mail.domain2.tld {

         ssl_cert = </etc/ssl/private/mail-domain2-tld.crt
         ssl_key = </etc/ssl/private/mail-domain2-tld.key

}
Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
Thanks Michael I will check with the free cert lets encrypt to test it.

Remo

> Il giorno 7 set 2019, alle ore 02:09, Michael Hallager via dovecot <[hidden email]> ha scritto:
>
> On 2019-09-07 12:25, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs?
>> Thanks.
>
> /etc/dovecot/conf.d/10-ssl.conf
>
> Primary SSL certificate:
>
> # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
> #ssl = yes
> ssl = required
>
> ("yes" or "required" - I use required)
>
> # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
> # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
> ssl_min_protocol = TLSv1
>
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
> # root. Included doc/mkcert.sh can be used to easily generate self-signed
> # certificate, just make sure to update the domains in dovecot-openssl.cnf
> ssl_cert = </etc/ssl/private/mail-domain-tld.crt
> ssl_key = </etc/ssl/private/mail-domain-tld.key
>
> Secondary SSL certificates (I add this at the bottom of the file)
>
> local_name mail.domain2.tld {
>
>        ssl_cert = </etc/ssl/private/mail-domain2-tld.crt
>        ssl_key = </etc/ssl/private/mail-domain2-tld.key
>
> }

Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
On Sat, 7 Sep 2019, Remo Mattei wrote:

> Thanks Michael I will check with the free cert lets encrypt to test it.

If all your certificate subjects are domains under your control,
such as when they are aliases of each other (e.g. smtp.domain.tld,
pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you
may find it more convenient to obtain a SAN (Subject Name Alternative)
certificate, which allows multiple subjects to be specified in one
certificate.  Alternatively, you can also get a wildcard domain if
all your subjects are in the same domain.

There are obvious advantages to this: one (and only one) certificate to
add to the dovecot configuration, one renewal every ~60 days requiring one
restart of the dovecot service (minimizes disruptions), etc.

A disadvantages is it's a little trickier to set up your ACME bot (and maybe
your DNS service) to get a wildcard/SAN certificate.

Joseph Tam <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
In reply to this post by Dovecot mailing list
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs?

I have a setup that creates letsencrypt certs for each customer domain.
To automate this I have the following at the end of conf.d/10-ssl.conf

  !include ssl.d/*.conf

This includes any .conf file under conf.d/ssl.d

Now it is a simple matter to add and remove certificates for each
domain as the letsencrypt job runs. Each config file looks like this

$cat ssl.d/somedomain_co_za.conf
local_name imap.somedomain.co.za {
  ssl_cert = </etc/pki/tls/certs/somedomain_co_za+chain-crt.pem
  ssl_key  = </etc/pki/tls/private/somedomain_co_za-key.pem
}


YMMV.

--
Greg


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
Hi
This is for all dovecot version ?

On 10.09.2019 08:05, Greg Wildman via dovecot wrote:

> On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs?
> I have a setup that creates letsencrypt certs for each customer domain.
> To automate this I have the following at the end of conf.d/10-ssl.conf
>
>   !include ssl.d/*.conf
>
> This includes any .conf file under conf.d/ssl.d
>
> Now it is a simple matter to add and remove certificates for each
> domain as the letsencrypt job runs. Each config file looks like this
>
> $cat ssl.d/somedomain_co_za.conf
> local_name imap.somedomain.co.za {
>   ssl_cert = </etc/pki/tls/certs/somedomain_co_za+chain-crt.pem
>   ssl_key  = </etc/pki/tls/private/somedomain_co_za-key.pem
> }
>
>
> YMMV.
>

--
Maciej Miłaszewski
Starszy Administrator Systemowy
IQ PL Sp. z o.o.

Biuro Obsługi Klienta:
e-mail: [hidden email]
tel.: +48 58 326 09 90 - 94
fax: +48 58 326 09 99

Dział pomocy: https://www.iq.pl/pomoc
Informacja dotycząca przetwarzania danych osobowych: https://www.iq.pl/kontakt

IQ PL Sp. z o.o. z siedzibą w Gdańsku (80-298), ul. Geodetów 16, KRS 0000007725, Sąd rejestrowy: Sąd Rejonowy w Gdańsku VII Wydział KRS, kapitał zakładowy: 140.000 PLN, NIP 5832736211, REGON 192478853



signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option

Dovecot mailing list
On Tue, 2019-09-10 at 08:41 +0200, Maciej Milaszewski IQ PL via dovecot
wrote:
> Hi
> This is for all dovecot version ?

Not sure. Any version of dovecot that builds it's config from the
conf.d folder will work. Not sure on the specific SSL certificate
syntax but I have been using the aformentioned config for the last
couple of years.


--
Greg

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Multiple certificate option SNI

Dovecot mailing list
In reply to this post by Dovecot mailing list
Hi
I have some problem with SNI and dovecot 2.2.36.4

Server debian 9.x ad dovecot-2.2.36.4

default server ssl cert is a wildcard like *.domain.com (digicert)

ssl_ca = /var/control/cert.pem
ssl_cert = </var/control/cert.pem

I added for test another domain (in dns to) for another ssl (letsencrypt)

from https://wiki.dovecot.org/SSL/DovecotConfiguration

like:

local_name imap.mail.test.domain.com {
  ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
  ssl_key =  < /etc/dovecot/ssl/imap.mail.test.domain.com.key
}


doveconf -n:

local_name imap.mail.test.domain.com {
  ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
  ssl_key =  # hidden, use -P to show it
}

Now I test like:
openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1

and dovecot show me default server cert (digicert) but not dedicated
from letsencrypt

In DNS domain imap.mail.test.domain.com is not match *.domain.com

Any idea ?







Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option SNI

Dovecot mailing list


> Le 13 sept. 2019 à 12:10, Maciej Milaszewski IQ PL via dovecot <[hidden email]> a écrit :
>
> Hi
> I have some problem with SNI and dovecot 2.2.36.4
>
> Server debian 9.x ad dovecot-2.2.36.4
>
> default server ssl cert is a wildcard like *.domain.com (digicert)
>
> ssl_ca = /var/control/cert.pem
> ssl_cert = </var/control/cert.pem
>
> I added for test another domain (in dns to) for another ssl (letsencrypt)
>
> from https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> like:
>
> local_name imap.mail.test.domain.com {
>   ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
>   ssl_key =  < /etc/dovecot/ssl/imap.mail.test.domain.com.key
> }
>
>
> doveconf -n:
>
> local_name imap.mail.test.domain.com {
>   ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
>   ssl_key =  # hidden, use -P to show it
> }
>
> Now I test like:
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
>
> and dovecot show me default server cert (digicert) but not dedicated
> from letsencrypt
>
> In DNS domain imap.mail.test.domain.com is not match *.domain.com
>
> Any idea ?
>

AFAIK, the -connect option of openssl is not use for SNI, but only for IP resolution.
To enable SNI, you have to explicitly pass it using '-servername' parameter.

Reply | Threaded
Open this post in threaded view
|

Re: Multiple certificate option SNI

Dovecot mailing list
In reply to this post by Dovecot mailing list
Maciej Milaszewski IQ PL via dovecot <[hidden email]> (Fr 13 Sep 2019 12:10:39 CEST):
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1

Use -servername <your sni name> for testing.

--
Heiko

signature.asc (499 bytes) Download Attachment