SSL certificates

Chris Mattingly chris at camattin.com
Tue Mar 1 09:55:43 EST 2011


I use a GoDaddy 2048-bit cert on my personal server with no issues.  In 
imapd.conf I have set the following:

tls_cert_file: /etc/pki/cyrus-imapd/<domain>.crt
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/gd_intermediate_bundle.crt

(I think this one is only for authorizing inbound client certs)
tls_ca_path: /etc/ssl/certs

My gd_intermediate_bundle.crt contains the 2 intermediates and the root 
certs in PEM format, cat'd together.  Order shouldn't be significant, 
but in mine, the order is (by cert subject):
CN=Go Daddy Secure Certification Authority/serialNumber=07969287
C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com

Basically listed in the 'correct' order of the chain.

To Kevin's point about the private key, I agree that you should remove 
the passphrase from your key.  It will only cause complications with 
startup.

Hope this helps,
-Chris


On 3/1/2011 9:22 AM, Kevin Kobb wrote:
> On 2/28/2011 9:44 AM, Anthony Tibbs wrote:
>> Good morning,
>>
>> I've been running Cyrus at a couple of small sites since 2001 or so.
>> I've run into a snag trying to setup SSL using something other than the
>> self-signed, auto-generated certificate. The domain has a GoDaddy
>> 2048-bit SSL certificate. From the SSL manager, one downloads a bundle
>> that contains a certificate chain bundle, and a separate file with the
>> certificate for the domain itself.
>>
>> The key and CSR were generated with:
>>
>> openssl genrsa -des3 -out xxx.key 2048
>> openssl req -new -key xxx.key -out xxx.csr
>>
>> I've seen a few different methodologies posted about how to install
>> this. One is to concatenate the domain certificate, the certificate
>> chain, and the private key into one .pem file and set tls_cert_file,
>> tls_ca_file, and tls_key_file to point to the same '.pem' file. Another
>> is to keep the files completely separate.
>>
>> No matter what I have tried, I've been unsuccessful. Thunderbird reports
>> that it received an SSL record that is too long, and/or the imapd
>> process becomes stuck at 100% CPU utilization until it is killed forcibly.
>>
>> Is there something I'm missing on this?
>>
>> - Anthony
>>
>>
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> Couple of things you might look at. First, I think you need to drop the
> -des3 option when you create the private key. Do something like:
> openssl genrsa -out xxx.key 2048 instead. Otherwise, you wind up with an
> encrypted private key that needs a pass phrase every time you start the
> server. I didn't think Cyrus would even start with a key like this.
> Apache is about the only thing I've used that would prompt you for a
> pass phrase on start up.
>
> To remove the key pass phrase you can do something like:
> openssl rsa -in xxx.key -out xxx.key.nopass
>
> I haven't used GoDaddy certs for a while because you had the extra
> hassle of dealing with intermediate certificates, and I can get
> single-root certs cheaper. That being said, I believe all you should
> need to do is cat the signed cert and the intermediate cert together,
> and use this for the tls_cert_file: value in imapd.conf. Point the
> tls_key_file: value to your private key, and that should do it.
>
> This is all off the top of my head and a sick child meant I only got
> about 3 hours of sleep last night, so please make copies of everything
> before trying any of this!
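Added example, not from this thread and not part of Cyrus: a small POSIX shell function that checks the three files before imapd.conf is pointed at them. It covers Kevin's passphrase point, the cert/key pairing, and whether the bundle (intermediates plus root, cat'd together as in Chris's setup) actually verifies the server certificate. The function name, the argument order and the use of crl2pkcs7 to list a bundle's subjects are this example's own choices, and the keys are assumed to be RSA, as in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from Cyrus: a pre-flight check
# for the three files imapd.conf points at (tls_cert_file, tls_key_file,
# tls_ca_file). It catches the problems discussed in the thread before imapd
# is restarted: a passphrase-protected key, a key that does not match the
# certificate, and a chain bundle that does not lead to a root.
# The function name and argument order are this example's own choice; the
# certificates are assumed to be RSA, as in the thread.
#
# Usage: check_tls_files SERVER.crt SERVER.key CHAIN_BUNDLE.crt

check_tls_files() {
    cert="$1"; key="$2"; ca="$3"

    # 1. An encrypted key (genrsa -des3) prompts for a passphrase at startup.
    #    Both PEM encodings of an encrypted key carry the word ENCRYPTED.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is passphrase-protected; strip it with:" >&2
        echo "      openssl rsa -in $key -out $key.nopass" >&2
        return 1
    fi

    # 2. The certificate and the key must be the same key pair: compare
    #    the RSA moduli printed by the two openssl subcommands.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $cert and $key do not belong together" >&2
        return 1
    fi

    # 3. The bundle must let a verifier walk from the server cert to a root.
    #    openssl verify treats every cert in -CAfile as trusted, so the
    #    intermediates and the root cat'd together are enough, and the order
    #    inside the bundle does not matter to it.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca (intermediate or root missing?)" >&2
        return 1
    fi

    # 4. Print the bundle's contents by subject, in file order, for eyeballing.
    #    Wrapping the bundle in a PKCS#7 blob makes openssl print every
    #    certificate in a multi-cert PEM file, not just the first one.
    echo "OK: $cert matches $key and verifies against $ca; bundle order:"
    openssl crl2pkcs7 -nocrl -certfile "$ca" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject='
    return 0
}
```

With the paths from Chris's imapd.conf this would be run as check_tls_files /etc/pki/cyrus-imapd/<domain>.crt /etc/pki/cyrus-imapd/server.key /etc/pki/cyrus-imapd/gd_intermediate_bundle.crt; a non-zero exit and a FAIL line on stderr mean imapd should not be restarted yet. Note that step 3 deliberately does not pass -partial_chain, so a bundle that holds only the intermediate is reported as a failure.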
