Add mail group to ssl files #1221

Closed
Contributor

huloza commented Jul 3, 2017

SSL files in the user home dir are set to root:root; this causes this error when you try to use them with exim4 or dovecot:

unable to open private key file for reading: /home/USER/conf/...

For exim4 and dovecot you only need the *.pem and *.key files, so I'm changing these file owners from root:root to root:mail.

If you manually change the permissions, they will be set back again on the next Let's Encrypt update or custom SSL update.

Add mail group to ssl files
SSL files in the user home dir are set to root:root; this causes this error when you try to use them with exim4 or dovecot:

unable to open private key file for reading: /home/USER/conf/...

For exim4 and dovecot you only need the *.pem and *.key files, so I'm changing these file owners from root:root to root:mail.
Collaborator

dpeca commented Jul 4, 2017

hm hm hmmmmmm...
Can you tell me why and when Exim and Dovecot read WEB SSL?
I'm pretty sure they don't read it at all.

The error that you quoted is related to the DKIM key, and I fixed it here: 7815539, and here: 419a9b0

Contributor

huloza commented Jul 5, 2017

"Can you tell me why and when Exim and Dovecot read WEB SSL? I'm pretty sure they don't read it at all."

Yeah, you are right, they don't read it out of the box, but a lot of users, including me, use the generated Let's Encrypt certificates for Exim, Dovecot and Vesta. This change doesn't break anything but avoids a huge problem when Let's Encrypt renews the certs periodically, because if the cert is unreadable Exim and Dovecot stop working.

Again, this change does not break anything; I'm using it on 4 production servers, avoiding this way the use of a daily cron check to set these permissions.

This is not related to the DKIM key error.

Regards!

Collaborator

dpeca commented Jul 5, 2017

OK, I see now: you modified the Exim and Dovecot conf files to use LE certs.
OK.
@serghey-rodin will check this PR.

Contributor

SCelik commented Jul 5, 2017

Doesn't your commit change root:root to root:user? Can you check, please? It should be root:mail, I think.

Group mistake
mail instead of $user. My mistake.
Contributor

huloza commented Jul 5, 2017

@SCelik you are right, thanks for letting me notice.
Regards.

@anton-reutov anton-reutov requested a review from serghey-rodin Sep 11, 2017

Owner

serghey-rodin commented Dec 28, 2017

We are going to fix it by providing a tool to link the Exim/Dovecot/Vesta SSL certs with LE for one of the existing domains. It will be a somewhat more complex approach, since every LE update requires a service restart.
Thanks @huloza

Contributor

huloza commented Jan 20, 2018

Hey @serghey-rodin, I'm using those two files with root:mail permissions on 5 production servers (Debian based), and everything is OK, so I think just changing the permissions after the certificate generation is a quick solution for this.

Because every time Let's Encrypt renews the certificates, exim4 gets broken and you cannot send mail (if you configure exim4 to use the certificates, of course).
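The post-renewal check and repair discussed in this thread, as an added example that is not part of this PR or of Vesta's code: audit_ssl_perms reports which *.pem/*.key files in a directory the mail group cannot read (or that are world-readable, which a private key must not be), and fix_ssl_perms applies the PR's group and mode change. DIR and GROUP are parameters (the domain's conf dir and mail in this setup); the script assumes GNU stat, and uses chgrp rather than chown so the owner stays root under Vesta, where the repair has to run as root.

```shell
#!/bin/sh
# Audit (and optionally repair) the ownership and mode of the *.pem and
# *.key files that Exim and Dovecot read from a Vesta user's conf dir.
# Added example, not Vesta's own code. Assumes GNU stat (-c).

# audit_ssl_perms DIR GROUP
# Prints one "<problem> <file>" line per non-compliant file:
#   nogroup  file is not owned by GROUP, so the mail services can't read it
#   noread   GROUP lacks the read bit (the "unable to open private key" case)
#   world    file is readable by everyone, which a private key must not be
# Returns 0 when every file passes, 1 otherwise.
audit_ssl_perms() {
    dir=$1
    group=$2
    bad=0
    for f in "$dir"/*.pem "$dir"/*.key; do
        [ -e "$f" ] || continue
        fgroup=$(stat -c '%G' "$f")   # owning group name
        perm=$(stat -c '%A' "$f")     # symbolic mode, e.g. -rw-r-----
        if [ "$fgroup" != "$group" ]; then
            echo "nogroup $f"; bad=1
        else
            # position 5 of the symbolic mode is the group read bit,
            # position 8 the "other" read bit
            case $perm in
                ???????r*) echo "world $f"; bad=1 ;;
                ????r*)    ;;
                *)         echo "noread $f"; bad=1 ;;
            esac
        fi
    done
    return $bad
}

# fix_ssl_perms DIR GROUP
# The change this PR makes after a cert is (re)generated: group GROUP,
# mode 640, so the service can read the key but other users cannot.
fix_ssl_perms() {
    for f in "$1"/*.pem "$1"/*.key; do
        [ -e "$f" ] || continue
        chgrp "$2" "$f" && chmod 640 "$f" || return 1
    done
}

# Usage when run directly: audit_ssl_perms.sh /home/USER/conf/web mail
if [ "$#" -ge 2 ]; then
    audit_ssl_perms "$1" "$2"
fi
```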

Collaborator

dpeca commented Jan 20, 2018

This is related to #1317.
I accepted that script but I didn't connect v-add-web-domain-ssl to it. I will ask @serghey-rodin for advice and permission for it, because maybe he wants some other solution.
