Re: [exim] setting up purchased SSL certificates on existing system

2018-05-01 Thread Jasen Betts via Exim-users
On 2018-04-30, Gary Stainburn via Exim-users wrote:
> This has to be so simple but I can't get my head round it.

Basically what I do is put all the components in a single file
(key, certificate, and chain) and then point Exim at that file.
The software allows you to have several files, but it's not a
requirement.
 
> My problem is that from my SSL certificate purchase I have an "Intermediate 
> Certificate" and a 'SSL Certificate'. The second of which is apparently 
> formatted for web software including Apache. I did not receive any key files.

Exim uses PEM format certificates (ASCII headers and base64
data).

Just put the intermediate certificate (or "chain of trust") into the
same file as the certificate. If you have it configured with the key
in a separate file, you can continue with that configuration, keeping
the key separate.

-- 
 ت

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Phil Pennock via Exim-users
On 2018-04-30 at 14:58 +0100, Gary Stainburn via Exim-users wrote:
> I have now purchased (through 123-reg) a SSL certificate and I am trying to 
> install it on the server.

Which method did you use to buy the cert, and are you a "shared hosting
package" customer?

> My problem is that from my SSL certificate purchase I have an "Intermediate 
> Certificate" and a 'SSL Certificate'. The second of which is apparently 
> formatted for web software including Apache. I did not receive any key files.

Did you start from

?

Did you generate a CSR?  From a key?

If you have a key, which _you_ made, then you're good.  If you did not
make the key, but relied upon them to make one, then .. you'll need to
figure out where they put it.

If you used the `-des3` option, then the private key is encrypted.
You'll need to remove that encryption for Exim.  You can look at the
keyfile, it will be in PEM format (I hope!) and so start with
"-----BEGIN yada yada" and around about there, it should tell you if
it's encrypted.  If it is, then to decrypt, assuming "roughly normal"
setup:

  (umask 077; openssl rsa -in encrypted.key -out unprotected.key; )

That will prompt for the passphrase, then write the key out unprotected
by encryption.  See below in my reply to Viktor for notes on correct
permissions.

Various other people have given good feedback on how to combine the
certificate with the bundle (append the bundle to the certificate) to
make a complete certificate chain for use.

Once you have those, the process should be roughly the same for both
Exim and Dovecot, just pointing config options at the key/cert.


On 2018-04-30 at 11:13 -0400, Viktor Dukhovni via Exim-users wrote:
> Don't forget a prior "umask 077" to make sure that the key file is NOT
> world-readable.

Be careful.  Exim opens the files as the Exim run-time user, *NOT* as
root!  The tls_* options can depend upon TLS SNI from the client, so are
capable of arbitrary string expansion.  The actual path isn't known
until that point.  Exim will have dropped privileges from root to the
run-time user long before this point.

So while the certificate can be permission 0644 just fine, the _key_
should probably be permission 0640, owner root, group Exim run-time user's
primary group, e.g. `root:exim`.

-Phil



Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Viktor Dukhovni via Exim-users


> On Apr 30, 2018, at 10:32 AM, Heiko Schlittermann via Exim-users wrote:
> 
> Or just combine everything:
> 
> cat CERT-PEM BUNDLE-PEM <(openssl rsa -in KEY-PEM) > DIR/ssl.pem

Don't forget a prior "umask 077" to make sure that the key file is NOT
world-readable.

-- 
Viktor.




Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Heiko Schlittermann via Exim-users
Gary Stainburn via Exim-users (Mo 30 Apr 2018 15:58:52 CEST):
> I have now purchased (through 123-reg) a SSL certificate and I am trying to 
> install it on the server.
> 
> However, copious Google searches all seem to be bringing up the same few 
> articles, most of which are for specific platforms, e.g. those with cPanel 
> installed.
> 
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem

…
> My problem is that from my SSL certificate purchase I have an "Intermediate 
> Certificate" and a 'SSL Certificate'. The second of which is apparently 
> formatted for web software including Apache. I did not receive any key files.

The intermediate cert(s) are probably in PEM format, like the certificate
you bought.

You can concat all files:

cat CERT-PEM BUNDLE-PEM KEY-PEM > DIR/ssl.pem

And configure Exim using the same file for everything:

tls_certificate = DIR/ssl.pem
# tls_privatekey =

Of course, replace CERT-PEM, BUNDLE-PEM, KEY-PEM, and DIR with the appropriate
names.
Any text (as output from some certificate authorities) doesn't matter,
as long as the lines between

--- BEGIN whatever ---

--- END whatever ---

are left intact.
Take care to "unprotect" your key:

openssl rsa -in KEY-PEM -out KEY-PEM

Or just combine everything:

cat CERT-PEM BUNDLE-PEM <(openssl rsa -in KEY-PEM) > DIR/ssl.pem

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Diego Bellini via Exim-users
Hi,
If you bought a proper SSL certificate and the issuer gave you an intermediate
certificate, you need to concatenate the certificate with the intermediate
certificate.
Something like this:

cat domain.org.crt  intermediate.crt > domain.org.chained.crt

You need to use domain.org.chained.crt as "tls_certificate".

Note that if you do
"cat intermediate.crt domain.org.crt > domain.org.chained.crt"

this won't work.

Kind regards,

Diego Bellini


From: Exim-users 
[mailto:exim-users-bounces+diego.bellini=exponential-e@exim.org] On Behalf 
Of Gary Stainburn via Exim-users
Sent: 30 April 2018 14:59
To: exim-users@exim.org
Subject: [exim] setting up purchased SSL certificates on existing system

This has to be so simple but I can't get my head round it.

I have an existing CentOS 7 / Exim server running which I set up some time ago
using self generated certificates.

I have now purchased (through 123-reg) a SSL certificate and I am trying to
install it on the server.

However, copious Google searches all seem to be bringing up the same few
articles, most of which are for specific platforms, e.g. those with cPanel
installed.

Most of these articles discuss a certificate and key pair, and most refer to
the self generation process mentioned above. My exim.conf has the following
lines:

#tls_certificate = /etc/ssl/mail.ringways.co.uk.crt
#tls_privatekey = /etc/ssl/mail.ringways.co.uk.key

tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem

I seem to remember making these changes when I first set up the server using
articles similar to the ones I've just found.

My problem is that from my SSL certificate purchase I have an "Intermediate
Certificate" and a 'SSL Certificate'. The second of which is apparently
formatted for web software including Apache. I did not receive any key files.

Could someone please point me to (easy to understand) instructions on how to
install my new certificate onto Exim (and Dovecot too if possible)


Gary


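The steps spread across the replies above (concatenate server certificate, then intermediate bundle, then key; strip any passphrase first; create the file under umask 077 and leave it readable only by root and the Exim run-time user's group; keep the server certificate first) as one POSIX shell script. This is an added example, not code from any poster: the function names, the check that the first certificate block in the combined file is the server's own, and the optional `OWNER:GROUP` argument are assumptions of this example; `root:exim` is the thread's suggestion and the actual group name depends on the distribution, and `openssl` on PATH is needed only by `decrypt_key`.

```shell
#!/bin/sh
# Added example, not from any of the replies: assemble the single PEM file that
# Exim's tls_certificate can point at, in the order the thread agrees on, and
# verify the result.  Assumes a POSIX sh with sed/awk; openssl only for decrypt_key.
set -eu

# List the PEM block labels of a file in order (CERTIFICATE, RSA PRIVATE KEY, ...).
# Text outside the BEGIN/END lines is ignored, just as OpenSSL ignores it.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print the first PEM block of a file, BEGIN and END lines included.
first_block() {
    awk '/^-----BEGIN /{p=1} p{print} p && /^-----END /{exit}' "$1"
}

# Succeed if the key is passphrase-protected: either the legacy OpenSSL
# "Proc-Type: 4,ENCRYPTED" header (what `openssl genrsa -des3` produces) or a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block.  This is the "look at the keyfile"
# check from the thread, made mechanical.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 0
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 0
    return 1
}

# Strip the passphrase so Exim, which cannot prompt for it, can load the key.
# Same openssl command as in the thread; the subshell umask keeps the new file private.
decrypt_key() {
    (umask 077; openssl rsa -in "$1" -out "$2")
}

# check_bundle FILE LEAF_CERT
# Verify the combined file is in the order Exim needs (server certificate first,
# private key last), that the first certificate really is the server's own
# (intermediate-first is the mistake called out in the thread), and that the
# mode is 0640 or 0600 so the key is not world-readable.
check_bundle() {
    file=$1; leaf=$2
    first=$(pem_labels "$file" | head -n 1)
    last=$(pem_labels "$file" | tail -n 1)
    [ "$first" = "CERTIFICATE" ] \
        || { echo "$file: first block is '$first', expected CERTIFICATE" >&2; return 1; }
    case "$last" in
        *"PRIVATE KEY") ;;
        *) echo "$file: last block is '$last', expected a private key" >&2; return 1 ;;
    esac
    [ "$(first_block "$file")" = "$(first_block "$leaf")" ] \
        || { echo "$file: first certificate is not the server certificate" >&2; return 1; }
    case "$(ls -ld "$file" | cut -c1-10)" in
        ?rw?r-----|?rw?------) ;;
        *) echo "$file: mode must be 0640 or 0600" >&2; return 1 ;;
    esac
    return 0
}

# build_bundle LEAF_CERT BUNDLE KEY OUT [OWNER:GROUP]
# Concatenate under umask 077, then set ownership/mode so the Exim run-time user
# (not root: privileges are dropped before tls_certificate is expanded) can read
# the file through its group and nobody else can.
build_bundle() {
    leaf=$1; bundle=$2; key=$3; out=$4; owner=${5:-}
    if key_is_encrypted "$key"; then
        echo "$key is passphrase-protected; run decrypt_key first" >&2
        return 1
    fi
    (umask 077; cat "$leaf" "$bundle" "$key" > "$out") || return 1
    if [ -n "$owner" ]; then chown "$owner" "$out" || return 1; fi
    chmod 0640 "$out" || return 1
    check_bundle "$out" "$leaf"
}

# Typical use, as root, with the thread's placeholders:
#   build_bundle CERT-PEM BUNDLE-PEM KEY-PEM DIR/ssl.pem root:exim
# then in the Exim configuration:  tls_certificate = DIR/ssl.pem  (tls_privatekey unset)
```

`check_bundle` can also be run on its own against an existing combined file to catch the intermediate-before-certificate ordering Diego warns about, and `key_is_encrypted` answers Phil's "is it encrypted?" question without opening the file by hand.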

Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Andrew Colin Kissa via Exim-users

> On 30 Apr 2018, at 15:58, Gary Stainburn via Exim-users wrote:
> 
> Could someone please point me to (easy to understand) instructions on how to 
> install my new certificate onto Exim (and Dovecot too if possible)

You need to concatenate the certificates together in one file.

cat www.example.com.crt bundle.crt > www.example.com.chained.crt

- A




Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread James Gibbard via Exim-users
Did you generate the CSR for that certificate yourself? The CSR is
generated from the private key; you don't get it from the authority.

On Mon, Apr 30, 2018 at 2:58 PM, Gary Stainburn via Exim-users wrote:
> This has to be so simple but I can't get my head round it.
>
> I have an existing CentOS 7 / Exim server running which I set up some time ago
> using self generated certificates.
>
> I have now purchased (through 123-reg) a SSL certificate and I am trying to
> install it on the server.
>
> However, copious Google searches all seem to be bringing up the same few
> articles, most of which are for specific platforms, e.g. those with cPanel
> installed.
>
> Most of these articles discuss a certificate and key pair, and most refer to
> the self generation process mentioned above. My exim.conf has the following
> lines:
>
> #tls_certificate = /etc/ssl/mail.ringways.co.uk.crt
> #tls_privatekey = /etc/ssl/mail.ringways.co.uk.key
>
> tls_certificate = /etc/pki/tls/certs/exim.pem
> tls_privatekey = /etc/pki/tls/private/exim.pem
>
> I seem to remember making these changes when I first set up the server using
> articles similar to the ones I've just found.
>
> My problem is that from my SSL certificate purchase I have an "Intermediate
> Certificate" and a 'SSL Certificate'. The second of which is apparently
> formatted for web software including Apache. I did not receive any key files.
>
> Could someone please point me to (easy to understand) instructions on how to
> install my new certificate onto Exim (and Dovecot too if possible)
>
>
> Gary
>