Daniel Pocock <daniel <at> pocock.pro> writes: > I looked at the package ssl-cert to try and understand and there I found > that it is using /etc/ssl/certs for server certs while other packages
Do NOT do that. It’s causing trouble because some software (e.g. Gajim) reads all files under /etc/ssl/certs/ not just the hashed ones – presumably because OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both). My suggestion is: /etc/ssl/private/foo.key ← 0640 root:ssl-cert, secret key /etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH parameters /etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root certificate Then make sure to use the same “foo”. bye, //mirabilos