[BlueOnyx:23977] Re: 5210R: Postfix SNI support - status update

Michael Stauber mstauber at blueonyx.it
Thu Jun 11 23:15:03 -05 2020

Hi Ernie,

> the required certificate seems to get created if you go to the vsite and
> renew the Letsencrypt certificate. But it wasn't there previously.
> The nginx_cert_ca_combined certificate must be something you have added more
> recently.
> If I search the server for nginx_cert_ca_combined no sites have one.
> So I am going through each site that runs Letsencrypt and renewing the
> certificate to create the locate nginx_cert_ca_combined

This was actually added way back when 5209R got "Nginx as SSL-Proxy"
functionality. 5210R had that from the start.

Apache has three parameters for SSL certificates:

- One for the key
- One for the cert
- One for the CA Certs

Nginx and Postfix only have two parameters:

- One for the key
- One for the cert and whatever CA's that are required

Our SSL management still created the three files separately. I extended
that to also create a new file called "nginx_cert_ca_combined", which
holds the Cert and the CA's. When Nginx is enabled, it'll use the same
"key"-file that Apache uses and also the "nginx_cert_ca_combined".

Postfix in the same way uses the "key" from the cert directory and the
"nginx_cert_ca_combined" as well.

Generally every cert request or LE renewal will create all four files in
one go. You perhaps didn't have them yet, because you Easy-Migrated
Vsites over to 5210R from either a 5207R/5208R, or from a 5209R that
didn't have the Nginx related YUM updates installed after before any of
these Cert files were generated first time around.

That's actually a scenario I didn't think of, so it's good to know. I'll
publish a small update so that this mechanism doesn't try to reference
nginx_cert_ca_combined files that aren't present in the first place.

With best regards

Michael Stauber
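
Added example, not part of the original message and not BlueOnyx's own code: a shell sketch of the combining step described above (certificate plus CA certificates in one file for Nginx and Postfix) that also creates the file only in certificate directories where it is missing. The file names `cert.pem` and `ca.pem` and the function names are placeholders assumed for illustration; only `nginx_cert_ca_combined` comes from the message.

```shell
#!/bin/sh
# Placeholder names for the separate cert and CA files (assumptions, not
# BlueOnyx's real file names). Override via the environment if needed.
CERT_NAME=${CERT_NAME:-cert.pem}
CA_NAME=${CA_NAME:-ca.pem}
COMBINED_NAME=nginx_cert_ca_combined   # name taken from the message

# build_combined CERT_FILE CA_FILE OUT_FILE
# Writes the leaf certificate followed by the CA certificates. Nginx and
# Postfix expect the server certificate first in such a chain file.
build_combined() {
    cert=$1; ca=$2; out=$3
    # The leaf certificate must exist and contain a PEM certificate block.
    [ -s "$cert" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || return 1
    # Write to a temp file in the same directory, then rename, so a reader
    # never sees a half-written chain.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # "awk 1" re-emits every line with a newline, so a cert file without a
    # trailing newline cannot fuse its END line with the next BEGIN line.
    awk 1 "$cert" > "$tmp" || { rm -f "$tmp"; return 1; }
    # The CA file is optional; a cert without intermediates stays usable.
    if [ -s "$ca" ]; then
        awk 1 "$ca" >> "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # Only public certificates are in this file; the key stays separate.
    chmod 644 "$tmp" && mv -f "$tmp" "$out"
}

# repair_missing DIR...
# For each certificate directory that lacks the combined file (the
# migrated-Vsite case from the message), build it. Existing files are left
# alone. Prints the number of files created.
repair_missing() {
    created=0
    for dir in "$@"; do
        [ -e "$dir/$COMBINED_NAME" ] && continue
        if build_combined "$dir/$CERT_NAME" "$dir/$CA_NAME" \
                          "$dir/$COMBINED_NAME"; then
            created=$((created + 1))
        fi
    done
    echo "$created"
}
```

Directories with no usable certificate are skipped without creating an empty file, so a service configuration can test for the combined file's presence before referencing it.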
