qmail-1.03-3.3.9
It has eliminated the need for dh and rsa keys

Eric

On Mon, Apr 15, 2024 at 10:44 AM Eric Broch <ebr...@whitehorsetc.com> wrote:

> Neither,
>
> /var/qmail/control/dh2048.pem
> /var/qmail/control/rsa2048.pem
>
> On 4/15/2024 10:33 AM, Gary Bowling wrote:
>
> Thanks, will still require rsa?
>
> On 4/15/2024 10:47 AM, Eric Broch wrote:
>
> My next iteration on EL9 will remove keysize; it's deprecated, has been for
> a while. Should have the new code out within the week.
>
> SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769
> (github.com) <https://github.com/openssl/openssl/discussions/23769>
>
> On 4/15/2024 6:25 AM, Gary Bowling wrote:
>
> Hey Jeff, glad you're making progress. Be aware that when you get a new
> cert from Letsencrypt that the default now retrieves an ECDSA cert, which
> is fine for apache, but doesn't work on qmail, or at least it didn't for
> me. To fix that you'll need to configure letsencrypt to give you an RSA
> 2048 cert.
>
> There are two ways to do that. If you want all your certs to be RSA 2048,
> you can add this to the /etc/letsencrypt/cli.ini file.
>
> key-type = rsa
> rsa-key-size = 2048
>
> If you just want to do that for your keys you use in qmail, then you can
> put the above in the /etc/letsencrypt/renewal/domain.conf file, where
> "domain" is the name of the cert you're renewing. Certbot creates the file
> so it should already be there.
>
> Gary
>
> On 4/14/2024 10:39 PM, Jeff Koch wrote:
>
> I may have resolved this. I did the Rocky 9 distro install of apache and
> copied the mod_http2.so file over to our install of apache. Seems to work
> (no errors) but I won't know for sure until we set up Let's Encrypt SSL
> certbot tomorrow
>
> Jeff
>
> On 4/14/2024 3:11 PM, Jeff Koch wrote:
>
> Hi - we're setting up a new mailserver with Rocky 9 and the learning curve
> is slow as is usual with the first time with a new distro.
>
> Anyway, because our various scripts look for apache at /usr/local/apache/
> we've decided to compile our own binary with the latest apache and have run
> into trouble / errors related to 'nghttp2'.
>
> We did download, compile and install the latest nghttp2-1.61.0 from
> github. The configure and make went well and http1.1 works but apache
> generates the following error when we activate mod_http2
>
> (Cannot load modules/mod_http2.so into server:
> /usr/local/apache2/modules/mod_http2.so: undefined symbol:
> nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
>
> If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9
> would you mind sharing the details?
>
> Thanks, Jeff Koch
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
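
Added example, not part of the thread: a shell check that reports a certificate's public-key algorithm and size, so an ECDSA certificate issued by Let's Encrypt is noticed before qmail is pointed at it. It assumes the `openssl` command-line tool is installed; the function names and the throwaway sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: report a PEM certificate's public-key algorithm and size.
# Assumes the openssl command-line tool; function names are hypothetical.

# cert_key_type FILE -> prints e.g. "rsa:2048" or "ecdsa:256"
cert_key_type() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable"; return 2; }
    alg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo "rsa:$bits" ;;
        id-ecPublicKey) echo "ecdsa:$bits" ;;
        *)              echo "other:$alg" ;;
    esac
}

# is_rsa_2048 FILE -> exit status 0 only for an RSA 2048-bit certificate,
# the key type the thread says to request from Let's Encrypt for qmail.
is_rsa_2048() {
    [ "$(cert_key_type "$1")" = "rsa:2048" ]
}

# Constructed sample input: make_sample_cert rsa|ec OUTFILE (self-signed)
make_sample_cert() {
    if [ "$1" = rsa ]; then
        openssl genrsa -out "$2.key" 2048 2>/dev/null
    else
        openssl ecparam -name prime256v1 -genkey -noout -out "$2.key" 2>/dev/null
    fi
    openssl req -x509 -new -key "$2.key" -subj "/CN=mail.example.test" \
        -days 1 -out "$2" 2>/dev/null
}

# With file arguments, check those; with none, demonstrate on sample certs.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_cert rsa "$demo/rsa.pem"
    make_sample_cert ec "$demo/ec.pem"
    set -- "$demo/rsa.pem" "$demo/ec.pem"
fi
for cert in "$@"; do
    if is_rsa_2048 "$cert"; then verdict="RSA 2048"
    else verdict="NOT RSA 2048"; fi
    printf '%s: %s (%s)\n' "$cert" "$(cert_key_type "$cert")" "$verdict"
done
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
```

Run it with the path of the certificate certbot issued as the argument; a result starting with `ecdsa:` means the `key-type = rsa` setting has not taken effect for that certificate yet.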