Re: question about man starttls and linking to cert.pem
On Sun, 11 Aug 2019 16:03:39 +0200, Gilles Chehade wrote:
> It's interesting to have instruction for generating self-signed cert but
> most people will want a cert that others will validate so it makes sense
> to at least extend the man page (in another diff) in my opinion.

And if we do that we should also at least mention MTA-STS.

 - todd
Re: question about man starttls and linking to cert.pem
On Sun, Aug 11, 2019 at 07:17:06AM -0600, Todd C. Miller wrote:
> On Sat, 10 Aug 2019 22:22:05 -0400, "Ted Unangst" wrote:
>
> > That entire section seems dumb and outdated. I would prefer we
> > simply not give any advice here. Users can figure out what they
> > need to do. Installing the public cert needs to be done on many
> > other machines, not just the one where it's generated.
>
> Fine with me. I wonder if we shouldn't also mention acme-client
> here too. Something for another diff...
>

I was wondering the same actually.

It's interesting to have instruction for generating self-signed cert but
most people will want a cert that others will validate so it makes sense
to at least extend the man page (in another diff) in my opinion.

-- 
Gilles Chehade                                                 @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: question about man starttls and linking to cert.pem
On Sat, 10 Aug 2019 22:22:05 -0400, "Ted Unangst" wrote:

> That entire section seems dumb and outdated. I would prefer we
> simply not give any advice here. Users can figure out what they
> need to do. Installing the public cert needs to be done on many
> other machines, not just the one where it's generated.

Fine with me. I wonder if we shouldn't also mention acme-client
here too. Something for another diff...

 - todd
Re: question about man starttls and linking to cert.pem
Thanks, that had me confused when I read it, so I just ignored it.
Glad to know I did, as in didn't, do what it suggested except once.

Chris Bennett
Re: question about man starttls and linking to cert.pem
freda_bundc...@nym.hush.com wrote:
> Description:
> man starttls says one can link a new certificate to cert.pem with
> ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem if one does not
> intend

That entire section seems dumb and outdated. I would prefer we simply
not give any advice here. Users can figure out what they need to do.
Installing the public cert needs to be done on many other machines, not
just the one where it's generated.

Index: starttls.8
===
RCS file: /home/cvs/src/share/man/man8/starttls.8,v
retrieving revision 1.26
diff -u -p -r1.26 starttls.8
--- starttls.8	27 Jun 2018 05:39:02 -	1.26
+++ starttls.8	11 Aug 2019 02:20:01 -
@@ -102,18 +102,6 @@ with the following command:
 .Pp
 .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
 .Pp
-If you don't intend to use TLS for authentication (and if you are using
-self-signed certificates you probably don't) you can simply link
-your new certificate to
-.Pa cert.pem :
-.Pp
-.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem
-.Pp
-If, on the other hand, you intend to use TLS for authentication
-you should add your certificate authority bundle to
-.Pa /etc/ssl/cert.pem
-(or whatever your software expects).
-.Pp
 Because the private key files are unencrypted, MTAs can be picky about
 using tight permissions on those files.
 The certificate directory and the files therein should be
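Review bot: the hunk also drops the one sentence that tells readers a CA bundle for verification belongs in /etc/ssl/cert.pem "(or whatever your software expects)", so after the change the section still shows how to inspect the certificate with openssl x509 but says nothing about where trust anchors live; if removing the whole passage is the intent, consider keeping a one-line pointer to cert.pem's role, or the acme-client mention Todd raises elsewhere in the thread. Removing the ln -s advice itself is correct: the reporter notes the link cannot even be created because /etc/ssl/cert.pem already exists, and replacing the system bundle with a single self-signed certificate breaks every other consumer of that file (sysupgrade and unbound's tls-bundle are the examples cited in the thread).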
question about man starttls and linking to cert.pem
Synopsis:	man starttls linking new certificate to cert.pem problem
Category:	documentation
Environment:
	System      : OpenBSD 6.5
	Details     : OpenBSD 6.5-current (GENERIC.MP) #184: Wed Aug  7 21:37:16 MDT 2019
	              dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
	Architecture: OpenBSD.amd64
	Machine     : amd64
Description:
	man starttls says one can link a new certificate to cert.pem with
	ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem if one does not
	intend but link will fail since /etc/ssl/cert.pem exists already
How-To-Repeat:
	man starttls

I apologize, maybe it's not an error at all, so I'm writing to misc instead of bugs.

I don't understand why one creates this link, and I haven't been able to find an explanation on the lists or elsewhere. Any explanation would be greatly appreciated.

The reason I am asking about it is that I am forwarding all mail from one server to another using starttls and opensmtpd, and it works fine with tls no-verify without creating the link to cert.pem.

Also, if one does create the link (perhaps backing up cert.pem first) then sysupgrade will fail since it expects the original cert.pem.

Also if running unbound, one would need to use the original cert.pem (or whatever it was renamed to) if using tls-bundle and DNS-over-TLS, I think.
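A small audit script, added here and not part of the thread or of OpenBSD, to spot a host where the old starttls(8) advice was followed and /etc/ssl/cert.pem now points at a single host certificate instead of the CA bundle. The threshold of 50 certificates, the function names and the constructed PEM-shaped sample data are assumptions.

```python
"""Audit a cert.pem: is it a symlink, and does it hold a CA bundle or one cert?"""
import os
import re

# One PEM certificate block; real bundles hold hundreds of them.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def audit_cert_pem(path="/etc/ssl/cert.pem", min_bundle_certs=50):
    """Return facts about PATH: symlink status and target, number of PEM
    certificates, and whether that count looks like a CA bundle.
    MIN_BUNDLE_CERTS is an assumed threshold: a system bundle carries well
    over a hundred roots, a host certificate file carries one or two."""
    info = {"path": path, "is_symlink": os.path.islink(path), "target": None,
            "cert_count": 0, "looks_like_bundle": False}
    if info["is_symlink"]:
        info["target"] = os.readlink(path)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        info["cert_count"] = len(PEM_CERT.findall(fh.read()))
    info["looks_like_bundle"] = info["cert_count"] >= min_bundle_certs
    return info


def problems(info):
    """Findings as readable strings; an empty list means nothing suspicious."""
    out = []
    if info["is_symlink"]:
        out.append(f"{info['path']} is a symlink to {info['target']}; "
                   "software validating TLS peers now trusts only that file")
    if not info["looks_like_bundle"]:
        out.append(f"{info['path']} holds {info['cert_count']} certificate(s), "
                   "not a CA bundle; verification against real CAs will fail")
    return out


def make_fake_pem(path, n):
    """Write N constructed PEM-shaped blocks (NOT real certificates) to PATH,
    only so the audit can be exercised without touching the real system file."""
    body = ("-----BEGIN CERTIFICATE-----\nMIIBconstructed\n"
            "-----END CERTIFICATE-----\n")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body * n)


if __name__ == "__main__":
    if os.path.exists("/etc/ssl/cert.pem"):
        for line in problems(audit_cert_pem()) or ["cert.pem looks like a CA bundle"]:
            print(line)
```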