I'm not sure how many are using EL8, but I'll have that ready in a couple
days

On Mon, Apr 15, 2024 at 8:47 PM Eric Broch <ebroch.w...@gmail.com> wrote:

> qmail-1.03-3.3.9
>
> It has eliminated the need for dh and rsa keys
>
> Eric
>
> On Mon, Apr 15, 2024 at 10:44 AM Eric Broch <ebr...@whitehorsetc.com>
> wrote:
>
>> Neither,
>>
>> /var/qmail/control/dh2048.pem
>> /var/qmail/control/rsa2048.pem
>>
>> On 4/15/2024 10:33 AM, Gary Bowling wrote:
>>
>>
>> Thanks, will still require rsa?
>>
>>
>> On 4/15/2024 10:47 AM, Eric Broch wrote:
>>
>> My next iteration on EL9 will remove keysize; it's deprecated and has been
>> for a while. Should have the new code out within the week.
>>
>> SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769
>> (github.com) <https://github.com/openssl/openssl/discussions/23769>
>>
>>
>> On 4/15/2024 6:25 AM, Gary Bowling wrote:
>>
>>
>> Hey Jeff, glad you're making progress. Be aware that when you get a new
>> cert from Let's Encrypt, the default now retrieves an ECDSA cert, which
>> is fine for apache, but doesn't work on qmail, or at least it didn't for
>> me. To fix that you'll need to configure letsencrypt to give you an RSA
>> 2048 cert.
>>
>>
>> There are two ways to do that. If you want all your certs to be RSA 2048,
>> you can add this to the /etc/letsencrypt/cli.ini file.
>>
>> key-type = rsa
>> rsa-key-size = 2048
>>
>>
>> If you just want to do that for the keys you use in qmail, then you can
>> put the above in the /etc/letsencrypt/renewal/domain.conf file, where
>> "domain" is the name of the cert you're renewing. Certbot creates the file
>> so it should already be there.
>>
>>
>> Gary
>>
>>
>> On 4/14/2024 10:39 PM, Jeff Koch wrote:
>>
>> I may have resolved this. I did the Rocky 9 distro install of apache and
>> copied the mod_http2.so file over to our install of apache. Seems to work
>> (no errors) but I won't know for sure until we set up Let's Encrypt SSL
>> certbot tomorrow
>>
>> Jeff
>>
>> On 4/14/2024 3:11 PM, Jeff Koch wrote:
>>
>>
>> Hi - we're setting up a new mailserver with Rocky 9 and the learning
>> curve is slow as is usual with the first time with a new distro.
>>
>> Anyway, because our various scripts look for apache at /usr/local/apache/
>> we've decided to compile our own binary with the latest apache and have run
>> into trouble / errors related to 'nghttp2'.
>>
>> We did download, compile and install the latest nghttp2-1.61.0 from
>> github. The configure and make went well and http1.1 works but apache
>> generates the following error when we activate mod_http2:
>>
>>  (Cannot load modules/mod_http2.so into server:
>> /usr/local/apache2/modules/mod_http2.so: undefined symbol:
>> nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
>>
>> If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9
>> would you mind sharing the details?
>>
>> Thanks, Jeff Koch
>>
>>
>>
>> --------------------------------------------------------------------- To
>> unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For
>> additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>
>>
