Feb 19 12:54:15 www postfix/qmgr[22890]: 5E0A41600D6: removed Feb 19 12:54:40 www dovecot[5285]: pop3-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert Feb 19 12:54:40 www dovecot[5282]: master: Error: service(pop3-login): command startup failed, throttling for 4 secs |o/ | / \ I give up On 02/19/2016 12:51 PM, Marcus Meissner wrote:

On Fri, Feb 19, 2016 at 12:41:10PM -0500, Ruben Safir wrote:

...

/etc/ssl/certs/dovecot.pem

where did it go?

I just did the security upgraded and suddenly dovecot stops working

Feb 19 12:28:44 www su[4289]: (to root) ruben on pts/4 Feb 19 12:29:04 www systemd[1]: Cannot add dependency job for unit systemd-udev-root-symlink.service, ignoring: Unit systemd-udev-root-symlink.service failed to load: Invalid argument. See system logs and 'systemctl status systemd-udev-root-symlink.service' for details. Feb 19 12:29:25 www dovecot[19575]: config: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem: No such file or directory Feb 19 12:29:25 www dovecot[19572]: master: Error: service(config): command startup failed, throttling for 60 secs Feb 19 12:29:25 www dovecot[19575]: pop3-login: Fatal: Error reading configuration: read(/var/run/dovecot/config) failed: Connection reset by peer Feb 19 12:29:25 www dovecot[19572]: master: Error: service(pop3-login): command startup failed, throttling for 60 secs Feb 19 12:29:49 www postfix/smtpd[4270]: NOQUEUE: reject: RCPT from unknown[177.223.12.14]: 554 5.7.1 Service unavailable; Client host [177.223.12.14] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/177.223.12.14; from= to= proto=SMTP helo=<177.223.12.14.itanet.psi.br>

/etc/ssl/certs is cleared by update-ca-certificates.

If you want to place your own cert, put it to

/usr/share/pki/trust/

and run update-ca-certificates

This should create a symlink to your certificate in /etc/ssl/certs/

Ciao, Marcus

-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 12:51 PM, Marcus Meissner wrote:

On Fri, Feb 19, 2016 at 12:41:10PM -0500, Ruben Safir wrote:

...

/etc/ssl/certs/dovecot.pem

where did it go?

security updates are best when they do NOT wipe out the popmail server.

...

I just did the security upgraded and suddenly dovecot stops working

Feb 19 12:28:44 www su[4289]: (to root) ruben on pts/4 Feb 19 12:29:04 www systemd[1]: Cannot add dependency job for unit systemd-udev-root-symlink.service, ignoring: Unit systemd-udev-root-symlink.service failed to load: Invalid argument. See system logs and 'systemctl status systemd-udev-root-symlink.service' for details. Feb 19 12:29:25 www dovecot[19575]: config: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem: No such file or directory Feb 19 12:29:25 www dovecot[19572]: master: Error: service(config): command startup failed, throttling for 60 secs Feb 19 12:29:25 www dovecot[19575]: pop3-login: Fatal: Error reading configuration: read(/var/run/dovecot/config) failed: Connection reset by peer Feb 19 12:29:25 www dovecot[19572]: master: Error: service(pop3-login): command startup failed, throttling for 60 secs Feb 19 12:29:49 www postfix/smtpd[4270]: NOQUEUE: reject: RCPT from unknown[177.223.12.14]: 554 5.7.1 Service unavailable; Client host [177.223.12.14] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/177.223.12.14; from= to= proto=SMTP helo=<177.223.12.14.itanet.psi.br>

/etc/ssl/certs is cleared by update-ca-certificates.

If you want to place your own cert, put it to

/usr/share/pki/trust/

and run update-ca-certificates

This should create a symlink to your certificate in /etc/ssl/certs/

Ciao, Marcus

-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Does that look right? #!/bin/sh # Generates a self-signed certificate. # Edit dovecot-openssl.cnf before running this. OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} OPENSSLCONFIG=/usr/share/doc/packages/dovecot/dovecot-openssl.cnf CERTDIR=/usr/share/pki/trust/ KEYDIR=$SSLDIR/private CERTFILE=$CERTDIR/dovecot.pem KEYFILE=$KEYDIR/dovecot.pem if [ ! -d $CERTDIR ]; then echo "$SSLDIR/certs directory doesn't exist" exit 1 fi if [ ! -d $KEYDIR ]; then echo "$SSLDIR/private directory doesn't exist" exit 1 fi if [ -f $CERTFILE ]; then echo "$CERTFILE already exists, won't overwrite" exit 1 fi if [ -f $KEYFILE ]; then echo "$KEYFILE already exists, won't overwrite" exit 1 fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 chmod 0600 $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 On 02/19/2016 01:13 PM, Carlos E. R. wrote:

On 02/19/2016 06:51 PM, Marcus Meissner wrote:

...

On Fri, Feb 19, 2016 at 12:41:10PM -0500, Ruben Safir wrote:

...

/etc/ssl/certs/dovecot.pem

where did it go?

...

/etc/ssl/certs is cleared by update-ca-certificates.

If you want to place your own cert, put it to

/usr/share/pki/trust/

and run update-ca-certificates

This should create a symlink to your certificate in /etc/ssl/certs/

The dovecot certificate is usually created using the script provided by the package itself, /usr/share/doc/packages/dovecot/mkcert.sh, which creates:

/etc/ssl/certs/dovecot.pem /etc/ssl/private/dovecot.pem

If it should go to "/usr/share/pki/trust/", I think this would be a bug. Also, perhaps the default configuration of dovecot should be changed so that it finds the certificates in the new location.

On the other hand, in "/etc/ssl/certs/" I have certificates dating from 2005 which have not been deleted by the many updates since then. Why now?

-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 01:36 PM, Carlos E. R. wrote:

On 02/19/2016 07:25 PM, Ruben Safir wrote:

...

Does that look right?

#!/bin/sh

# Generates a self-signed certificate. # Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} <=== unsure. OPENSSLCONFIG=/usr/share/doc/packages/dovecot/dovecot-openssl.cnf

CERTDIR=/usr/share/pki/trust/ KEYDIR=$SSLDIR/private

The private doesn't look right.

Of course, creating a new certificate means that all your clients will have to manually accept it. To avoid this, you'd have to recover the old certificates from backup, and postpone the new destination till they expire.

updae-ca-certificates doesn't work www:~ # update-ca-certificates --v running /usr/lib/ca-certificates/update.d/50java.run ... creating /var/lib/ca-certificates/java-cacerts ... running /usr/lib/ca-certificates/update.d/70openssl.run ... creating /var/lib/ca-certificates/openssl ... running /usr/lib/ca-certificates/update.d/80etc_ssl.run ... running /usr/lib/ca-certificates/update.d/99certbundle.run ... creating /var/lib/ca-certificates/ca-bundle.pem ... I don't understand? It want my private key in /usr/share/pki/trust instead of in /etc/ssl/private? -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 01:54 PM, Carlos E. R. wrote:

On 02/19/2016 07:39 PM, Ruben Safir wrote:

...

updae-ca-certificates doesn't work

Did you run the mkcert.sh script first?

Yes, and I edited and I also edited the config file that it said to edit in the docs... in the packages ... and I posted the edited mkcert.sh file according to the desired directory for the the key into the /usr directory. In the end I ended up shifting all the links and files around by hand so it can be wiped out on the next update. Why does ANYONE touch my certficate files. On BTW - it creates a pem file private key but the /etc/dovecot/conf.d/10-ssl.conf is looking for .key file... so something had to change. sigh -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 08:24 PM, John Andersen wrote:

On 2/19/2016 11:00 AM, Ruben Safir wrote:

...

In the end I ended up shifting all the links and files around by hand so it can be wiped out on the next update.

Why does ANYONE touch my certficate files.

chattr +i <files>

Maybe leave a note in the directory about why and how to undo it.

Not in that directory, because it can be deleted. Somewhere else, and a symlink to the parent directory. So even if the symlink is deleted, you still have the notes. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 08:43 PM, Ruben Safir wrote:

On 02/19/2016 02:29 PM, Carlos E. R. wrote:

...

chattr +i <files>

not sure what that does :)

Manual page chattr(1) A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. which suggests it may not work.

FWIW, you can't symlink the keys. it doesn't work. It needs to be hard links

I didn't say to do that. Symlink the notes you write to remember what to do the next time this happens. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 09:24 PM, John Andersen wrote:

On 02/19/2016 11:47 AM, Carlos E. R. wrote:

To date, I've never encountered an upgrade or install that undid a chattr immutable setting.

Interesting :-) -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 02:26 PM, Carlos E. R. wrote:

On 02/19/2016 08:00 PM, Ruben Safir wrote:

...

On 02/19/2016 01:54 PM, Carlos E. R. wrote:

...

In the end I ended up shifting all the links and files around by hand so it can be wiped out on the next update.

Create a backup, easy to find.

yeah - I don't really feel like going through the tarball on this.

...

Why does ANYONE touch my certficate files.

Dunno. As I said, I have untouched files there since 2005. It looks weird to me deleting files automatically in /etc.

under /etc/ssl/certs/ ?

...

On BTW - it creates a pem file private key but the /etc/dovecot/conf.d/10-ssl.conf is looking for .key file... so something had to change.

The script creates the certificates as wanted by dovecot:

/etc/ssl/certs/dovecot.pem /etc/ssl/private/dovecot.pem

right but supposedly we want to mover /etc/ssl/certs/ to /usr whatever!! and run update whatever.

I do not edit any dovecot file. Instead, I create /etc/dovecot/local.conf with these two lines:

sl_cert =

I just linked the .pen to a .key

But all the above is 13.1. I don't remember what you are using.

it was upgraded to 13.2 -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 02:55 PM, Carlos E. R. wrote:

On 02/19/2016 08:37 PM, Ruben Safir wrote:

...

On 02/19/2016 02:26 PM, Carlos E. R. wrote:

...

...

Create a backup, easy to find.

yeah - I don't really feel like going through the tarball on this.

If you don't, all your clients should fail on next mail retrieve.

...

...

...

Why does ANYONE touch my certficate files.

Dunno. As I said, I have untouched files there since 2005. It looks weird to me deleting files automatically in /etc.

under /etc/ssl/certs/ ?

Gestor:~ # ls -lt /other/main/etc/ssl/certs/ | tail lrwxrwxrwx 1 root root 58 Feb 25 2014 Microsec_e-Szigno_Root_CA.pem -> /var/lib/ca-certificates/pem/Microsec_e-Szigno_Root_CA.pem lrwxrwxrwx 1 root root 63 Feb 25 2014 Microsec_e-Szigno_Root_CA_2009.pem -> /var/lib/ca-certificates/pem/Microsec_e-Szigno_Root_CA_2009.pem lrwxrwxrwx 1 root root 77 Feb 25 2014 NetLock_Arany__Class_Gold__F__tan__s__tv__ny.pem -> /var/lib/ca-certificates/pem/NetLock_Arany__Class_Gold__F__tan__s__tv__ny.pem lrwxrwxrwx 1 root root 62 Feb 25 2014 NetLock_Notary__Class_A__Root.pem -> /var/lib/ca-certificates/pem/NetLock_Notary__Class_A__Root.pem lrwxrwxrwx 1 root root 72 Feb 25 2014 Network_Solutions_Certificate_Authority.pem -> /var/lib/ca-certificates/pem/Network_Solutions_Certificate_Authority.pem lrwxrwxrwx 1 root root 49 Feb 25 2014 certSIGN_ROOT_CA.pem -> /var/lib/ca-certificates/pem/certSIGN_ROOT_CA.pem lrwxrwxrwx 1 root root 66 Feb 25 2014 ePKI_Root_Certification_Authority.pem -> /var/lib/ca-certificates/pem/ePKI_Root_Certification_Authority.pem lrwxrwxrwx 1 root root 26 Jan 31 2010 ipop3d.pem -> imapd-nimrodel.valinor.pem -rw-r--r-- 1 root root 1985 May 7 2008 imapd.pem -rw-r--r-- 1 root root 2136 Oct 7 2005 imapd-nimrodel.valinor.pem Gestor:~ #

...

...

The script creates the certificates as wanted by dovecot:

/etc/ssl/certs/dovecot.pem /etc/ssl/private/dovecot.pem

right but supposedly we want to mover /etc/ssl/certs/ to /usr whatever!!

and run update whatever.

I'm not doing that. I'll wait till the script is modified appropriately, upstream or here. Or till Marcus comments back.

those are all symlinks. I don't understand. i tried a symlink and it came up on the journal and permision denied to be opened Is this retarded? www:~ # ls -al /etc/ssl/certs lrwxrwxrwx 1 root root 28 Oct 12 16:23 /etc/ssl/certs -> /var/lib/ca-certificates/pem dr-xr-xr-x 2 root root 24576 Feb 19 13:53 . drwxr-xr-x 4 root root 4096 Feb 19 13:47 .. lrwxrwxrwx 1 root root 26 Feb 19 13:47 00673b5b.0 -> thawte_Primary_Root_CA.pem lrwxrwxrwx 1 root root 29 Feb 19 13:47 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem lrwxrwxrwx 1 root root 31 Feb 19 13:47 02b73561.0 -> Comodo_Secure_Services_root.pem lrwxrwxrwx 1 root root 25 Feb 19 13:47 034868d6.0 -> Swisscom_Root_EV_CA_2.pem lrwxrwxrwx 1 root root 50 Feb 19 13:47 039c618a.0 -> TURKTRUST_Certificate_Services_Provider_Root_2.pem lrwxrwxrwx 1 root root 16 Feb 19 13:47 03f2b8cf.0 -> WoSign_China.pem lrwxrwxrwx 1 root root 41 Feb 19 13:47 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem lrwxrwxrwx 1 root root 40 Feb 19 13:47 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem lrwxrwxrwx 1 root root 27 Feb 19 13:47 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem lrwxrwxrwx 1 root root 25 Feb 19 13:47 064e0aa9.0 -> QuoVadis_Root_CA_2_G3.pem lrwxrwxrwx 1 root root 20 Feb 19 13:47 080911ac.0 -> QuoVadis_Root_CA.pem lrwxrwxrwx 1 root root 34 Feb 19 13:47 0810ba98.0 -> Root_CA_Generalitat_Valenciana.pem lrwxrwxrwx 1 root root 49 Feb 19 13:47 08aef7bb.0 -> WellsSecure_Public_Root_Certificate_Authority.pem lrwxrwxrwx 1 root root 54 Feb 19 13:47 09789157.0 -> Starfield_Services_Root_Certificate_Authority_-_G2.pem lrwxrwxrwx 1 root root 55 Feb 19 13:47 0b759015.0 -> E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem lrwxrwxrwx 1 root root 34 Feb 19 13:47 0c4c9b6c.0 -> Global_Chambersign_Root_-_2008.pem lrwxrwxrwx 1 root root 55 Feb 19 13:47 0d188d89.0 -> E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem lrwxrwxrwx 1 root root 31 Feb 19 13:47 0d69c7e1.0 -> GlobalSign_ECC_Root_CA_-_R4.pem lrwxrwxrwx 1 root root 54 Feb 19 13:47 10531352.0 -> Starfield_Services_Root_Certificate_Authority_-_G2.pem lrwxrwxrwx 1 root root 27 Feb 19 13:47 111e6273.0 -> GlobalSign_Root_CA_-_R2.pem lrwxrwxrwx 1 root root 49 Feb 19 13:47 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem what is the point to all this referencing? -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

19.02.2016 20:51, Marcus Meissner пишет:

/etc/ssl/certs is cleared by update-ca-certificates.

If you want to place your own cert, put it to

/usr/share/pki/trust/

and run update-ca-certificates

This should create a symlink to your certificate in /etc/ssl/certs/

What script does it? On both 13.2 and TW I have 4 scripts in /usr/lib/ca-certificates/update.d, none of them ever mentions /usr/share/pki/trust. What packages should be installed to enable this? /usr/lib/ca-certificates/update.d/80etc_ssl.run will symlink to files in /var/lib/ca-certificates/pem as long as /etc/ssl/certs is not itself symlink to them. It also says that (custom?) CA certificates should be installed in /etc/pki/trust/anchors. But more importantly, I do not see this script deleting *files* in /etc/ssk/certs. It removes dangling symlinks or symlinks to previous default locations only ... Confused ... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/20/2016 10:33 AM, Freek de Kruijf wrote:

The file to generate a self signed certificate for dovecot is: /usr/share/doc/packages/dovecot/mkcert.sh

First you have to adapt /usr/share/doc/packages/dovecot/dovecot-openssl.cnf to your liking.

Next you need to change the value of CERTDIR to $SSLDIR/private and CERTFILE to $CERTDIR/dovecot.crt in mkcert.sh

This means that both certfiles for dovecot go to $SSLDIR/private Previously one of these files ended in $SSLDIR/certs which gets overridden by an update. Obviously in /etc/dovecot/conf.d/10-ssl.conf you need to adapt ssl_key and ssl_cert to point to these two files.

I also change the lifetime of the certificate by specifying a larger number than the current 365 days in mkcert.sh.

Thanks. Should we report a bugzilla to have those defaults changed in dovecot package? -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2016-02-21 14:42, Freek de Kruijf wrote:

Op zaterdag 20 februari 2016 14:23:46 CET schreef Carlos E. R.:

...

Should we report a bugzilla to have those defaults changed in dovecot package?

Probably. I believe I reported it as a bug or suggestion. Not sure!

Done. Bugzilla – Bug 967545 Dovecot creates certificates in the wrong directory I reported against Leap, assuming that is what the OP used, but I suppose it applies to all releases. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/20/2016 04:33 AM, Freek de Kruijf wrote:

Next you need to change the value of CERTDIR to $SSLDIR/private and CERTFILE to $CERTDIR/dovecot.crt in mkcert.sh

this part could not be gleened, at least by me, in the documentation. Reuvain -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/20/2016 10:38 PM, Ruben Safir wrote:

On 02/20/2016 04:33 AM, Freek de Kruijf wrote:

...

This means that both certfiles for dovecot go to $SSLDIR/private

what two cert failes? One should be a private key and secured in a more private directory and the other is a PUBLIC key that should be universally readable. I'm obviously misunderstanding something.

The dovecot script generates and copies two certficicate, one private, one public. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, Feb 20, 2016 at 09:25:26AM +0300, Andrei Borzenkov wrote:

19.02.2016 20:51, Marcus Meissner пишет:

...

/etc/ssl/certs is cleared by update-ca-certificates.

If you want to place your own cert, put it to

/usr/share/pki/trust/

and run update-ca-certificates

This should create a symlink to your certificate in /etc/ssl/certs/

What script does it? On both 13.2 and TW I have 4 scripts in /usr/lib/ca-certificates/update.d, none of them ever mentions /usr/share/pki/trust. What packages should be installed to enable this?

/usr/lib/ca-certificates/update.d/80etc_ssl.run will symlink to files in /var/lib/ca-certificates/pem as long as /etc/ssl/certs is not itself symlink to them. It also says that (custom?) CA certificates should be installed in /etc/pki/trust/anchors.

But more importantly, I do not see this script deleting *files* in /etc/ssk/certs. It removes dangling symlinks or symlinks to previous default locations only ...

Confused ...

I had the vague recollection that there was one, /usr/lib/ca-certificates/update.d/80etc_ssl.run but I think the bug was fixed that removed too much certificates. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org