From bb0c99caa293cfce8dcb8877fe65348dd9b6e60e Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 7 Nov 2013 12:42:07 +0100
Subject: [PATCH] lighttpd: Update SSL configs

In particular, this changes some paths and removes the SSL config for
mail.stdout.nl which is no longer used.
---
 etc/lighttpd/lighttpd.conf | 2 +-
 etc/lighttpd/ssl/README | 17 +++++++++++++----
 etc/lighttpd/vhosts/stdin-nl | 2 +-
 etc/lighttpd/vhosts/stdout-nl | 3 ---
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/etc/lighttpd/lighttpd.conf b/etc/lighttpd/lighttpd.conf
index 5f20c69..185340d 100644
--- a/etc/lighttpd/lighttpd.conf
+++ b/etc/lighttpd/lighttpd.conf
@@ -88,7 +88,7 @@ $SERVER["socket"] == ":443" {
 # certificate used by startcom). It seems that even without this
 # option, it already works, probably because openssl ships some
 # certificates. But, let's put it here to be safe anyway.
- ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+ ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl/all.pem"
 # Use the mail.stdin.nl certificate as the default certificate (for
 # non-SNI browsers and domains without their own certificate), since
 # it is currently the only one we have anyway.
diff --git a/etc/lighttpd/ssl/README b/etc/lighttpd/ssl/README
index df25363..87746a5 100644
--- a/etc/lighttpd/ssl/README
+++ b/etc/lighttpd/ssl/README
@@ -1,6 +1,9 @@
+# Don't forget to update the key in the mail vserver for dovecot as
+# well!
+#
 # Generate key 2048 bit rsa key with out passphrase:
-DOMAIN=mail.stdout.nl.key
+DOMAIN=mail.stdin.nl
 sudo touch $DOMAIN.key
 sudo chmod 400 $DOMAIN.key
 sudo openssl genrsa -out $DOMAIN.key 2048 
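Review bot: The comment above the changed `ssl.ca-file` line still describes the option as a belt-and-braces extra ("probably because openssl ships some certificates"), which is not what it does: this file is the intermediate CA chain lighttpd sends to clients, and a browser that has not cached the StartSSL intermediate cannot validate `ssl.pemfile` without it, so it is required rather than optional. If the new `ca/startssl/all.pem` bundle also contains the StartSSL root, as its name suggests (I cannot see its contents here), that root is sent in every handshake for no benefit and only the intermediate(s) belong in the file; and since lighttpd 1.4 releases of this era also use `ssl.ca-file` as the set of CAs trusted for client certificates once `ssl.verify-client` is enabled, the comment is worth rewriting as `# Intermediate CA certificate(s) for the StartSSL-issued server cert, sent to clients so they can build the chain (required, not optional). Also the trusted CA set if ssl.verify-client is ever enabled.` The same path change is repeated in the vhosts/stdin-nl hunk, where the per-vhost `ssl.ca-file` now duplicates this global value and could be dropped so there is a single place to update. The enclosing `$SERVER["socket"] == ":443"` block starts and ends outside the hunk.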
@@ -10,12 +13,18 @@ sudo openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
 # After receiving the .crt file from the issuer, make sure you cat the .key
 # and .crt file together into a .pem file, which lighttpd's ssl.pemfile points
-# to.
+# to. Don't forget to create the file with 400 first:
+sudo touch $DOMAIN.pem
+sudo chmod 400 $DOMAIN.pem
+sudo sh -c "cat $DOMAIN.key $DOMAIN.crt > $DOMAIN.pem"
+# Also create a full chain cert, which is used by dovecot
+sudo sh -c "cat $DOMAIN.crt ca/startssl/all.pem > $DOMAIN.crt-chain"
 # Optionally, you can use a config file to set attributes of the CSR (so you
 # can leave out stuff like "Location" and "State"). However, when using
-# StartSSL, al the details from the CSR will be ignored anyway, so don't
-# bother. Anyway, the file to pass to -config should like this:
+# StartSSL, al the details (including common name) from the CSR will be ignored
+# anyway, so don't bother. Anyway, the file to pass to -config should like
+# this:
 [ req ]
 distinguished_name = req_distinguished_name
diff --git a/etc/lighttpd/vhosts/stdin-nl b/etc/lighttpd/vhosts/stdin-nl
index f778be9..c0ed7c9 100644
--- a/etc/lighttpd/vhosts/stdin-nl
+++ b/etc/lighttpd/vhosts/stdin-nl
@@ -24,7 +24,7 @@ $HTTP["host"] =~ ".stdin.nl$" {
 $HTTP["host"] == "mail.stdin.nl" {
 # Specify the certificate for this domain (uses SNI)
 ssl.pemfile = "/etc/lighttpd/ssl/mail.stdin.nl.pem"
- ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl-all-ca.pem"
+ ssl.ca-file = "/etc/lighttpd/ssl/ca/startssl/all.pem"
 # Redirect HTTP to HTTPS
 $HTTP["scheme"] == "http" {
 url.redirect = ( "^(.*)" => "https://mail.stdin.nl$1" )
diff --git a/etc/lighttpd/vhosts/stdout-nl b/etc/lighttpd/vhosts/stdout-nl
index 1bd9fb8..5d6a971 100644
--- a/etc/lighttpd/vhosts/stdout-nl
+++ b/etc/lighttpd/vhosts/stdout-nl
@@ -10,9 +10,6 @@ $HTTP["host"] =~ ".stdout.nl$" {
 ))
 )
- $HTTP["host"] == "mail.stdout.nl" {
- # Specify the certificate for this domain (uses SNI)
- ssl.pemfile = "/etc/lighttpd/ssl/mail.stdout.nl.pem"
 }
 $HTTP["url"] =~ "^/static/tmp/" {
--
2.30.2
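Review bot: The `}` kept as context immediately after the three removed lines is left without its opening brace: the removed `$HTTP["host"] == "mail.stdout.nl" {` line opened that block and its closing brace survives the deletion. Unless a brace outside the hunk compensates, the survivor either closes the enclosing `$HTTP["host"] =~ ".stdout.nl$"` block early, so the `$HTTP["url"] =~ "^/static/tmp/"` rule below would apply to every host, or leaves an unmatched brace that lighttpd's config parser rejects at startup; the deletion should take the brace with it, i.e. the context line becomes `-}`. The enclosing host block starts and ends outside the hunk.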