[BlueOnyx:23977] Re: 5210R: Postfix SNI support - status update
mstauber at blueonyx.it
Thu Jun 11 23:15:03 -05 2020
> the required certificate seems to get created if you go to the vsite and
> renew the Letsencrypt certificate. But it wasn't there previously.
> The nginx_cert_ca_combined certificate must be something you have added more
> If I search the server for nginx_cert_ca_combined no sites have one.
> So I am going through each site that runs Letsencrypt and renewing the
> certificate to create the locate nginx_cert_ca_combined

This was actually added way back when 5209R got "Nginx as SSL-Proxy"
functionality. 5210R had that from the start.

Apache has three parameters for SSL certificates:

- One for the key
- One for the cert
- One for the CA Certs

Nginx and Postfix only have two parameters:

- One for the key
- One for the cert and whatever CA's that are required

Our SSL management still created the three files separately. I extended
that to also create a new file called "nginx_cert_ca_combined", which
holds the Cert and the CA's. When Nginx is enabled, it'll use the same
"key"-file that Apache uses and also the "nginx_cert_ca_combined".
Postfix in the same way uses the "key" from the cert directory and the
"nginx_cert_ca_combined" as well.

Generally every cert request or LE renewal will create all four files in
one go. You perhaps didn't have them yet, because you Easy-Migrated
Vsites over to 5210R from either a 5207R/5208R, or from a 5209R that
didn't have the Nginx related YUM updates installed after before any of
these Cert files were generated the first time around.

That's actually a scenario I didn't think of, so it's good to know. I'll
publish a small update so that this mechanism doesn't try to reference
nginx_cert_ca_combined files that aren't present in the first place.

With best regards
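
The following is an added example, not part of the original message and not BlueOnyx code: a shell sketch that lists certificate directories lacking "nginx_cert_ca_combined" and builds that file with the server certificate first and the CA certificates after it, the order Nginx and Postfix expect. The names `CERT_FILE` and `CA_FILE` and their default values are assumptions; the post names only "key" and "nginx_cert_ca_combined".

```shell
#!/bin/sh
# Added example, not BlueOnyx code. CERT_FILE and CA_FILE are assumed
# placeholder names for the per-site certificate and CA-chain files;
# only "key" and "nginx_cert_ca_combined" are named in the post.
CERT_FILE="${CERT_FILE:-certificate}"
CA_FILE="${CA_FILE:-ca-certs}"
COMBINED="nginx_cert_ca_combined"

# Print every directory below $1 that holds a certificate but has no
# (or an empty) combined file, i.e. the migrated-site case from the post.
missing_combined() {
    find "$1" -type f -name "$CERT_FILE" | sort | while IFS= read -r cert; do
        dir=$(dirname "$cert")
        [ -s "$dir/$COMBINED" ] || printf '%s\n' "$dir"
    done
}

# Emit a PEM file and guarantee a trailing newline, so the next
# "-----BEGIN" line never fuses with the previous "-----END" line.
emit_pem() {
    cat "$1"
    [ -z "$(tail -c 1 "$1")" ] || echo
}

# Build the combined file in directory $1: server certificate first,
# then the CA certificates. Written to a temp file and renamed so a
# daemon reload never sees a half-written chain.
build_combined() {
    dir=$1
    [ -s "$dir/$CERT_FILE" ] || { echo "no certificate in $dir" >&2; return 1; }
    tmp=$(mktemp "$dir/$COMBINED.XXXXXX") || return 1
    {
        emit_pem "$dir/$CERT_FILE"
        # The CA file is optional (for example a self-signed certificate).
        if [ -s "$dir/$CA_FILE" ]; then emit_pem "$dir/$CA_FILE"; fi
    } > "$tmp" && mv -f "$tmp" "$dir/$COMBINED"
    # mktemp leaves mode 0600; adjust owner and mode to match the
    # directory's other certificate files if the daemons require it.
}
```
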