SSL certificates

Kevin Kobb kkobb at skylinecorp.com
Tue Mar 1 09:22:34 EST 2011 

On 2/28/2011 9:44 AM, Anthony Tibbs wrote:
> Good morning,
>
> I've been running Cyrus at a couple of small sites since 2001 or so.
> I've run into a snag trying to setup SSL using something other than the
> self-signed, auto-generated certificate. The domain has a GoDaddy
> 2048-bit SSL certificate. From the SSL manager, one downloads a bundle
> that contains a certificate chain bundle, and a separate file with the
> certificate for the domain itself.
>
> The key and CSR was generated with:
>
> openssl genrsa -des3 -out xxx.key 2048
> openssl req -new -key xxx.key -out xxx.csr
>
> I've seen a few different methodologies posted about how to install
> this. One is to conctenate the domain certificate, the certificate
> chain, and the private key into one .pem file and set tls_cert_file,
> tls_ca_file, and tls_key_file to point to the same '.pem' file. Another
> is to keep the files completely separate.
>
> No matter what I have tried, I've been unsuccessful. Thunderbird reports
> that it received an SSL record that is too long, and/or the imapd
> process becomes stuck at 100% CPU utilization until it is killed forcibly.
>
> Is there something I'm missing on this?
>
> - Anthony
>
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/

Couple of things you might look at. First, I think you need to drop the 
-des3 option when you create the private key. Do something like:
openssl genrsa -out xxx.key 2048 instead. Otherwise, you wind up with an 
encrypted private key that needs a pass phrase every time you start the 
server. I didn't think Cyrus would even start with a key like this. 
Apache is about the only thing I've used that would prompt you for a 
pass phrase on start up.

To remove the key pass phrase you can do something like:
openssl rsa -in xxx.key -out xxx.key.nopass

I haven't used GoDaddy certs for a while because you had the extra 
hassle of dealing with intermediate certificates, and I can get 
single-root certs cheaper. That being said, I believe all you should 
need to do is cat the signed cert and the intermediate cert together, 
and use this for the tls_cert_file: value in imapd.conf. Point the 
tls_key_file: value to your private key, and that should do it.

This is all off the top of my head and a sick child meant I only got 
about 3 hours of sleep last night, so please make copies of everything 
before trying any of this!

More information about the Info-cyrus mailing list