Re: dumb question about SSL

2019-01-12 Thread Roberto C. Sánchez
On Sat, Jan 12, 2019 at 09:27:01AM +, Joe wrote:
> 
> Apache should be quite happy with the 'snakeoil' certificate made by
> Debian when it is installed.

Which should not be used in production or even in testing, as it
increases the likelihood that it will accidentally be deployed that way.

> There are a couple of other things that
> need to be done for SSL to work (such as enabling the Apache SSL
> module) and it's long enough ago that I did it last that you had better
> look up a few tutorials. If you need to make your web server available
> publicly (and the best of luck if you have the courage to do that) then
> its certificate must be traceable back to a public CA.
> 
That depends on who will be accessing the server in a way that requires
trusting the server.  A self-managed CA or even a self-signed
certificate may be perfectly adequate for a single user or small number
of users.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: dumb question about SSL

2019-01-12 Thread Joe
On Fri, 11 Jan 2019 22:17:05 +
mick crane wrote:

> I'm having a bit of bother with my home server thingy.
> It does apache, roundcube, dovecot, cups.
> It is buster.
> The problem is with roundcube communicating with dovecot or something.
> Sending mail times out and the settings webpage isn't working, whereas
> it was fine a week ago.
> 
> It occurs to me that I don't really understand how SSL works and that
> the problem I have might be to do with that lack of understanding.
> You can make a self-signed certificate, a public/private pair.
> Apache says you can make one and Dovecot says you can make one.
> So are these SSL pairs separate things, or one thing in one place that
> identifies the machine?
> What happens if I connect to running apache over encryption, then
> connect to running dovecot over webmail with encryption; does it
> expect different keys?
> I'm a bit confused about it.
> Are the keys particular to the machine? The domain? The software?
> 

To begin with, Debian will normally make the keys required by the
programs that actually need them, such as Apache and most mail servers.
Some programs don't need keys, but can use them (such as FreeRADIUS and
OpenVPN), so you then generally need to make them yourself. The EasyRSA
program makes that, as you would expect, easier, but if you intend to
make any but the most casual use of certificates, you ought to
understand what's going on, and should read a few OpenSSL tutorials.

A program used on the Net (pretty much just browsers) needs to be able
to trace the keys it finds back to a Certificate Authority that it
knows about, i.e. a public one. Internal client-server programs don't
generally need to, so self-signed keys are OK. In fact, where keys are
used for authentication, such as with OpenVPN and FreeRADIUS, a private
Certificate Authority is vital. If OpenVPN will accept any client key
signed by a particular CA, then you need to keep that CA private, not
even sharing it with other programs on the same server.

> I dunno what I've done. I think I made some keys for apache the other
> day to see if I could get ssl working (it's just local so I don't
> really need it, but anyway), but perhaps I made keys from the dovecot
> documentation a year or so ago.
> 

Apache should be quite happy with the 'snakeoil' certificate made by
Debian when it is installed. There are a couple of other things that
need to be done for SSL to work (such as enabling the Apache SSL
module) and it's long enough ago that I did it last that you had better
look up a few tutorials. If you need to make your web server available
publicly (and the best of luck if you have the courage to do that) then
its certificate must be traceable back to a public CA.

> Perhaps there might be an issue that I changed my local domain from
> "local" to "home" in that time. Could that have anything to do with
> it?
> 
> Should I delete all the ssl directories I can find to see if that
> helps?

Probably not; just do a bit of reading. Note that Apache can also use
client certificates for authentication, a completely separate subject;
bear that in mind when you look for tutorials.

-- 
Joe
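The questions in mick's post and the answers in Joe's and Roberto's replies (one key pair per service, a self-signed certificate versus a private CA, and keeping an authentication CA to itself) can be exercised end to end with openssl. The script below is an added example, not code from the thread or from Debian: the hostnames www.home, mail.home and laptop.home, the two CA names and the scratch directory are assumptions, and it needs OpenSSL 1.1.1 or later on the PATH. It also makes Roberto's point about the snakeoil certificate concrete: the pair Debian's ssl-cert package generates at install time (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key) is self-signed, so no client has any basis for trusting it and cannot tell it apart from one forged on the spot.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian. Builds a private
# CA, issues one certificate per service, and runs the checks a client runs.
# Assumptions: openssl 1.1.1+ on PATH; the hostnames www.home, mail.home,
# laptop.home and the CA names are invented for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR NAME: self-signed CA certificate and key in DIR.
# ca.key is the secret that lets its holder mint certificates every client
# trusting this CA will accept, so it stays on the issuing box only.
make_ca() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_cert CADIR OUTDIR HOST EKU: leaf certificate for DNS name HOST,
# signed by the CA in CADIR, written to OUTDIR/HOST.key and OUTDIR/HOST.crt.
# EKU is serverAuth for a service or clientAuth for a VPN/RADIUS client.
issue_cert() {
    cadir="$1"; outdir="$2"; host="$3"; eku="$4"
    mkdir -p "$outdir"
    cat > "$outdir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$outdir/$host.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$outdir/$host.cnf" -extensions leaf_ext \
        -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"
}

# verify_name CADIR CERT HOST: exit 0 only if CERT chains to the CA in CADIR
# and carries HOST as a subjectAltName. This is what a browser or Roundcube
# does on connect; failing either half is a TLS error, not a warning.
verify_name() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_dns_names CERT: the DNS names a certificate is valid for (the CN is
# ignored by clients once a subjectAltName is present).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

demo() {
    web="$WORK/webca"; vpn="$WORK/vpnca"; certs="$WORK/certs"
    make_ca "$web" "home web CA"          # trusted by browsers and Roundcube
    make_ca "$vpn" "home VPN CA"          # trusted by OpenVPN only
    issue_cert "$web" "$certs" www.home    serverAuth   # Apache
    issue_cert "$web" "$certs" mail.home   serverAuth   # Dovecot
    issue_cert "$vpn" "$certs" laptop.home clientAuth   # an OpenVPN client

    # Separate key pairs per service; both chain to the one private CA.
    verify_name "$web" "$certs/www.home.crt"  www.home  && echo "www.home: OK"
    verify_name "$web" "$certs/mail.home.crt" mail.home && echo "mail.home: OK"
    echo "mail.home is valid for: $(cert_dns_names "$certs/mail.home.crt")"
    # A name the certificate does not carry (e.g. after a domain rename) fails.
    verify_name "$web" "$certs/www.home.crt" www.local || echo "www.local: mismatch"
    # The VPN CA does not vouch for web certificates, nor the reverse.
    verify_name "$vpn" "$certs/www.home.crt" www.home || echo "VPN CA rejects web cert"
    verify_name "$web" "$certs/laptop.home.crt" laptop.home || echo "web CA rejects VPN client"
    echo "artifacts in $WORK"
}

demo
```

Each service gets its own key and certificate; what makes them "one thing" is only that both chain to the same private CA certificate, which is what a client has to be told to trust. The last three checks in demo are the ones that matter for the thread: a certificate is only good for the names in its subjectAltName, so one issued under the old domain stops matching once the host is called www.home, and a certificate from the web CA is refused when the VPN CA is the trust anchor, which is the separation Joe describes for OpenVPN and FreeRADIUS. To see what a running Dovecot actually presents, `openssl s_client -connect mail.home:993 -servername mail.home -CAfile ca.crt` prints the chain and the verification result; if the snakeoil pair is still what Apache or Dovecot loads, grepping their configuration for ssl-cert-snakeoil will show it.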



Re: dumb question about SSL

2019-01-11 Thread Roberto C. Sánchez
On Fri, Jan 11, 2019 at 10:17:05PM +, mick crane wrote:
> I'm having a bit of bother with my home server thingy.
> It does apache, roundcube, dovecot, cups.
> It is buster.
> The problem is with roundcube communicating with dovecot or something. Sending
> mail times out and the settings webpage isn't working, whereas it was fine a
> week ago.
> 
> It occurs to me that I don't really understand how SSL works and that the
> problem I have might be to do with that lack of understanding.
> You can make a self-signed certificate, a public/private pair.
> Apache says you can make one and Dovecot says you can make one.
> So are these SSL pairs separate things, or one thing in one place that
> identifies the machine?
> What happens if I connect to running apache over encryption, then connect to
> running dovecot over webmail with encryption; does it expect different keys?
> I'm a bit confused about it.
> Are the keys particular to the machine? The domain? The software?
> 
> I dunno what I've done. I think I made some keys for apache the other day to
> see if I could get ssl working (it's just local so I don't really need it,
> but anyway), but perhaps I made keys from the dovecot documentation a year or
> so ago.
> 
> Perhaps there might be an issue that I changed my local domain from "local"
> to "home" in that time. Could that have anything to do with it?
> 
There are so many variables involved here that it is difficult to guess
at what is going wrong.

Please post specific error messages that you are seeing, either in your
client applications or in the server logs.

> Should I delete all the ssl directories I can find to see if that helps?
> 
That sounds rather extreme and seems likely to result in causing a
different set of problems.

I taught a class a little over two years ago specifically on SSL
certificate authority and server/client certificate creation and
deployment.  If you contact me off-list, I can email you the
documentation (I never got around to posting it online).  You might find
some useful things in there.

Regards,

-Roberto

-- 
Roberto C. Sánchez



dumb question about SSL

2019-01-11 Thread mick crane

I'm having a bit of bother with my home server thingy.
It does apache, roundcube, dovecot, cups.
It is buster.
The problem is with roundcube communicating with dovecot or something.
Sending mail times out and the settings webpage isn't working, whereas it
was fine a week ago.


It occurs to me that I don't really understand how SSL works and that the
problem I have might be to do with that lack of understanding.

You can make a self-signed certificate, a public/private pair.
Apache says you can make one and Dovecot says you can make one.
So are these SSL pairs separate things, or one thing in one place that
identifies the machine?
What happens if I connect to running apache over encryption, then connect
to running dovecot over webmail with encryption; does it expect
different keys?

I'm a bit confused about it.
Are the keys particular to the machine? The domain? The software?

I dunno what I've done. I think I made some keys for apache the other
day to see if I could get ssl working (it's just local so I don't really
need it, but anyway), but perhaps I made keys from the dovecot
documentation a year or so ago.


Perhaps there might be an issue that I changed my local domain from
"local" to "home" in that time. Could that have anything to do with it?


Should I delete all the ssl directories I can find to see if that helps?


mick




-- 
Key ID 4BFEBB31