-----Original Message-----
From: Timothy Murphy
Sent: Tuesday, March 03, 2015 14:19
Greg Bailey wrote:
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/ Do I really have to create up a special cert for dovecot?
I think at this point, I will say: Works for me.
[root@node001 ~]# openssl x509 </etc/pki/dovecot/certs/dovecot.pem
[PEM certificate output omitted]
[root@node001 ~]#
Note the common name against the prompt's hostname.
All of our enterprise users can connect on many different clients.
There's not really a "standard" SSL certificate. Perhaps you're referring to a "default" certificate used by the webserver?
No. I should have said "standard location". I think both Fedora and CentOS create the folders /etc/pki/tls/{certs,private}, so I assume this means that certs and keys should be stored there.
What I typically do is get a real, but free, SSL certificate from some place like StartSSL (www.startssl.com), and then copy the key and certificate to the location that's specified for use by dovecot.
My question exactly - is there any reason why one should not do that? Or even more simply, give the locations /etc/pki/tls/{certs,private} in /etc/dovecot/conf.d/10-ssl.conf ?
Where you get or create your cert from is irrelevant.
The error messages indicate a hostname mismatch among other issues, but I cannot help you if you don't provide the answers or data to help you.
-Jason
--
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333

This message is copyright PD Inc, subject to license 20080407P00.
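
Added example, not part of the original message: one way to test the hostname mismatch discussed above is to ask openssl whether a certificate file covers the name mail clients actually connect to. The hostnames, the temporary demo certificate and the function names are constructed for illustration; `-checkhost` needs OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Check whether a PEM certificate is valid for the name clients connect to.
# Hostnames and the throwaway certificate below are constructed examples.

# cert_covers_host CERT HOST -> exit 0 if CERT covers HOST, 1 otherwise.
# The verdict is read from the printed text, not from openssl's exit status.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_demo_cert CN OUTDIR -> writes a short-lived self-signed cert and key
# so the check can be tried without touching the real dovecot files.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2/demo.key" -out "$2/demo.pem" 2>/dev/null
}

# report CERT HOST... -> print subject and expiry, then a verdict per name.
report() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -subject -enddate
    for host in "$@"; do
        if cert_covers_host "$cert" "$host"; then
            echo "OK        $host"
        else
            echo "MISMATCH  $host"
        fi
    done
}

# Demo: a certificate issued for the node's own name does not cover a
# different service name that clients might be configured with.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert 'node001.mail.example.test' "$dir"
    report "$dir/demo.pem" node001.mail.example.test imap.example.test
    rm -rf "$dir"
}

demo
```

To run it against the file from the message, call `report /etc/pki/dovecot/certs/dovecot.pem` followed by every name your mail clients are configured to use.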