Secure Web/Mail/Database with certificate
Web/Mail/Database can use the same certificate to allow its client to connect to the server.
Postfix:
|
1 2 3 |
postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem' postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem' postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem' |
Dovecot (POP3/IMAP server)
SSL certificate settings are defined in Dovecot main config file, /etc/dovecot/dovecot.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (FreeBSD):
|
1 2 3 4 5 |
ssl = required ssl_cert = </etc/pki/tls/certs/cert.pem ssl_key = </etc/pki/tls/private/privkey.pem ssl_ca = </etc/pki/tls/certs/fullchain.pem |
Restarting Dovecot service is required.
Apache (web server)
- On RHEL/CentOS, SSL certificate is defined in
/etc/httpd/conf.d/ssl.conf. - On Debian/Ubuntu, it’s defined in
/etc/apache2/sites-available/default-ssl(ordefault-ssl.conf) - On FreeBSD, it’s defined in
/usr/local/etc/apache24/extra/httpd-ssl.conf. Note: if you’re running different version of Apache, the path will be slightly different (apache24will beapache[_version_]). - On OpenBSD, if you’re running OpenBSD 5.5 or earlier releases, it’s defined in
/var/www/conf/httpd.conf. Note: OpenBSD 5.6 and later releases don’t ship Apache anymore.
Example:
|
1 2 3 4 |
SSLCertificateFile /etc/pki/tls/certs/cert.pem SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem |
Restarting Apache service is required.
Nginx (web server)
- On Linux and OpenBSD, it’s defined in
/etc/nginx/templates/ssl.tmpl(or/etc/nginx/conf.d/default.confon old iRedMail release) - On FreeBSD, it’s defined in
/usr/local/etc/nginx/templates/ssl.tmpl(or/usr/local/etc/nginx/conf.d/default.confon old iRedMail release)
|
1 2 3 4 5 6 7 8 9 |
server { listen 443; ... ssl on; ssl_certificate /etc/pki/tls/certs/cert.pem; ssl_certificate_key /etc/pki/tls/private/privkey.pem; ... } |
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
|
1 2 3 |
# cd /etc/pki/tls/certs/ # cat cert.pem fullchain.pem > server.chained.crt |
Then update ssl_certificate parameter in /etc/nginx/conf.d/default.conf:
|
1 2 |
ssl_certificate /etc/pki/tls/certs/server.chained.crt; |
Restarting Nginx service is required.
MySQL, MariaDB
If MySQL/MariaDB is listening on localhost and not accessible from external network, this is OPTIONAL.
- On Red Hat and CentOS, it’s defined in
/etc/my.cnf - On Debian and Ubuntu, it’s defined in
/etc/mysql/my.cnf.- Since Ubuntu 15.04, it’s defined in
/etc/mysql/mariadb.conf.d/mysqld.cnf.
- Since Ubuntu 15.04, it’s defined in
- On FreeBSD, it’s defined in
/usr/local/etc/my.cnf. - On OpenBSD, it’s defined in
/etc/my.cnf.
|
1 2 3 4 5 6 |
[mysqld] ssl-ca = /etc/pki/tls/certs/fullchain.pem ssl-cert = /etc/pki/tls/certs/cert.pem ssl-key = /etc/pki/tls/private/privkey.pem |
Source:
https://docs.iredmail.org/use.a.bought.ssl.certificate.html
Leave a Reply