# certificate used by startcom). It seems that even without this
# option, it already works, probably because openssl ships some
# certificates. But, let's put it here to be safe anyway.
- ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+ ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl/all.pem"
# Use the mail.stdin.nl certificate as the default certificate (for
# non-SNI browsers and domains without their own certificate), since
# it is currently the only one we have anyway.
+# Don't forget to update the key in the mail vserver for dovecot as
+# well!
+#
# Generate key 2048 bit rsa key with out passphrase:
-DOMAIN=mail.stdout.nl.key
+DOMAIN=mail.stdin.nl
sudo touch $DOMAIN.key
sudo chmod 400 $DOMAIN.key
sudo openssl genrsa -out $DOMAIN.key 2048
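Review bot: The added reminder above the key-generation steps says to update the key in the mail vserver for dovecot, but not which files to copy or what mode they need there. That second copy of the private key is the one most likely to end up with default permissions. I would extend the comment to something like `# Copy $DOMAIN.key and $DOMAIN.crt-chain to the mail vserver; create the key there with mode 400 as well, before writing to it.` The touch/chmod/genrsa sequence below already follows that order for the local key, so the note only needs to say that the same applies to the copy.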
# After receiving the .crt file from the issuer, make sure you cat the .key
# and .crt file together into a .pem file, which lighttpd's ssl.pemfile points
-# to.
+# to. Don't forget to create the file with 400 first:
+sudo touch $DOMAIN.pem
+sudo chmod 400 $DOMAIN.pem
+sudo sh -c "cat $DOMAIN.key $DOMAIN.crt > $DOMAIN.pem"
+# Also create a full chain cert, which is used by dovecot
+sudo sh -c "cat $DOMAIN.crt ca/startssl/all.pem > $DOMAIN.crt-chain"
# Optionally, you can use a config file to set attributes of the CSR (so you
# can leave out stuff like "Location" and "State"). However, when using
-# StartSSL, al the details from the CSR will be ignored anyway, so don't
-# bother. Anyway, the file to pass to -config should like this:
+# StartSSL, al the details (including common name) from the CSR will be ignored
+# anyway, so don't bother. Anyway, the file to pass to -config should like
+# this:
[ req ]
distinguished_name = req_distinguished_name
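Review bot: Nothing in the added steps checks that the issued `$DOMAIN.crt` belongs to `$DOMAIN.key` before the two are concatenated into `$DOMAIN.pem`. The same change notes that StartSSL ignores the CSR details, so a mix-up between domains is easy to miss until the server is restarted. A short comment could tell the reader to compare the output of `openssl x509 -noout -modulus -in $DOMAIN.crt` with that of `sudo openssl rsa -noout -modulus -in $DOMAIN.key` first. The new commands also use relative paths (`ca/startssl/all.pem`, `$DOMAIN.pem`), so the text should state that they are run from `/etc/lighttpd/ssl`, the directory the `ssl.ca-file` and `ssl.pemfile` settings point into. The openssl config example that follows continues outside the visible lines.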
$HTTP["host"] == "mail.stdin.nl" {
# Specify the certificate for this domain (uses SNI)
ssl.pemfile = "/etc/lighttpd/ssl/mail.stdin.nl.pem"
- ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+ ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl/all.pem"
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
url.redirect = ( "^(.*)" => "https://mail.stdin.nl$1" )