Re: [exim] setting up purchased SSL certificates on existing…

Author: Phil Pennock
Date:  
To: Gary Stainburn, Viktor Dukhovni
CC: exim-users
Subject: Re: [exim] setting up purchased SSL certificates on existing system
On 2018-04-30 at 14:58 +0100, Gary Stainburn via Exim-users wrote:
> I have now purchased (through 123-reg) an SSL certificate and I am trying to
> install it on the server.


Which method did you use to buy the cert, and are you a "shared hosting
package" customer?

> My problem is that from my SSL certificate purchase I have an "Intermediate
> Certificate" and an 'SSL Certificate'. The second of which is apparently
> formatted for web software including Apache. I did not receive any key files.


Did you start from
<https://www.123-reg.co.uk/support/ssl-certificates/how-can-i-add-an-ssl-certificate-to-my-domain-website/>
?

Did you generate a CSR? From a key?

If you have a key, which _you_ made, then you're good. If you did not
make the key, but relied upon them to make one, then .. you'll need to
figure out where they put it.

If you used the `-des3` option, then the private key is encrypted.
You'll need to remove that encryption for Exim. You can look at the
keyfile, it will be in PEM format (I hope!) and so start with
"-----BEGIN yada yada" and around about there, it should tell you if
it's encrypted. If it is, then to decrypt, assuming "roughly normal"
setup:

(umask 077; openssl rsa -in encrypted.key -out unprotected.key; )

That will prompt for the passphrase, then write the key out unprotected
by encryption. See below in my reply to Viktor for notes on correct
permissions.

Various other people have given good feedback on how to combine the
certificate with the bundle (append the bundle to the certificate) to
make a complete certificate chain for use.

Once you have those, the process should be roughly the same for both
Exim and Dovecot, just pointing config options at the key/cert.


On 2018-04-30 at 11:13 -0400, Viktor Dukhovni via Exim-users wrote:
> Don't forget a prior "umask 077" to make sure that the key file is NOT
> world-readable.


Be careful. Exim opens the files as the Exim run-time user, *NOT* as
root! The tls_* options can depend upon TLS SNI from the client, so are
capable of arbitrary string expansion. The actual path isn't known
until that point. Exim will have dropped privileges from root to the
run-time user long before this point.

So while the certificate can be permission 0644 just fine, the _key_
should probably be permission 0640 owner root, group Exim runtime user's
primary group. E.g., `root:exim`.

-Phil
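As an added example, not part of Phil's reply or of Exim itself: the key-handling steps above (detect an encrypted PEM key, decrypt it under a restrictive umask, append the bundle to the certificate, and check that the key is readable by the run-time user but not the world) as POSIX shell functions. The file names and the `exim` run-time user are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the key-handling steps in Phil's reply
# as shell functions. File names (encrypted.key, cert.pem, bundle.pem, ...)
# are placeholders; "exim" is the run-time user assumed in the reply.

# Return 0 if the PEM key is passphrase-protected, judged from its header:
# PKCS#8 says so in the BEGIN line, traditional PEM adds a Proc-Type line.
key_is_encrypted() {
    head -n 3 "$1" | grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' \
                             -e 'Proc-Type: 4,ENCRYPTED'
}

# Strip the passphrase. The subshell umask keeps the plaintext key 0600 from
# the moment openssl creates it; openssl prompts for the passphrase.
decrypt_key() {
    (umask 077; openssl rsa -in "$1" -out "$2")
}

# Full chain for Exim/Dovecot: server certificate first, then the bundle.
build_chain() {
    cat "$1" "$2" > "$3"
}

# Return 0 if the key is not world-readable and is owned by owner:group.
# Exim reads the key as its run-time user, so the group must be that user's
# primary group; the certificate itself may stay 0644.
key_perms_ok() {
    f=$1 owner=$2 group=$3
    [ -z "$(find "$f" -perm -004 -print)" ] || return 1
    [ -n "$(find "$f" -user "$owner" -group "$group" -print)" ] || return 1
}

# Typical use on the mail server (paths are placeholders):
#   key_is_encrypted encrypted.key && decrypt_key encrypted.key unprotected.key
#   chown root:exim unprotected.key && chmod 0640 unprotected.key
#   build_chain cert.pem bundle.pem chain.pem
#   key_perms_ok unprotected.key root exim || echo "fix key permissions"
```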