letsencrypt now generates certificates that include the chain
authorRalf Jung <post@ralfj.de>
Wed, 30 Sep 2020 17:42:50 +0000 (19:42 +0200)
committerRalf Jung <post@ralfj.de>
Wed, 30 Sep 2020 17:42:50 +0000 (19:42 +0200)
roles/apache/templates/ssl.conf
roles/email/templates/dovecot/conf.d/10-ssl.conf
roles/email/templates/main.cf
roles/prosody/templates/prosody.cfg.lua

index bb807463db16fb510516f38a22d29ba4787b69ed..fd99e1f99e827983e861ae473377b6993cd2f182 100644 (file)
     SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL'
     SSLHonorCipherOrder     on
 
     SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL'
     SSLHonorCipherOrder     on
 
-    #   Certificate, DH parameters and key
-    SSLCertificateFile    /etc/ssl/mycerts/$cert.crt+dh
+    # DH parameters
+    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem"
+
+    #   Certificate and key
+    SSLCertificateFile    /etc/ssl/mycerts/$cert.crt
     SSLCertificateKeyFile /etc/ssl/private/$cert.key
 
     #   Server Certificate Chain:
     SSLCertificateKeyFile /etc/ssl/private/$cert.key
 
     #   Server Certificate Chain:
@@ -44,7 +47,7 @@
     #   the referenced file can be the same as SSLCertificateFile
     #   when the CA certificates are directly appended to the server
     #   certificate for convinience.
     #   the referenced file can be the same as SSLCertificateFile
     #   when the CA certificates are directly appended to the server
     #   certificate for convinience.
-    SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain
+    SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt
 
     #   Certificate Authority (CA):
     #   Set the CA certificate verification path where to find CA
 
     #   Certificate Authority (CA):
     #   Set the CA certificate verification path where to find CA
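Review bot: `SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt` in the second hunk now names the same file as `SSLCertificateFile`, which is redundant once that file carries the intermediates: mod_ssl reads the chain from SSLCertificateFile itself, and SSLCertificateChainFile is deprecated since 2.4.8, the same release that introduced the `SSLOpenSSLConfCmd` directive the first hunk now depends on, so the directive and its "Server Certificate Chain" comment can be dropped rather than redirected. If it is kept, the comment above it should say why the same path appears twice, e.g. `#   same file as SSLCertificateFile: the chain is appended there since letsencrypt emits it`. Either way, after deployment it is worth confirming with `openssl s_client -showcerts` against a host that the server sends one leaf followed by the intermediates and nothing duplicated, since a doubled leaf or a missing intermediate is exactly what this change would produce if the issued file does not have the expected layout.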
index 70df7c5132e7e6ac79a894d71ed41ae14ea4c59c..ae6d35400b22b89d3a0e1457cfeddca45cb30d36 100644 (file)
@@ -9,7 +9,7 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/mycerts/letsencrypt/live.crt+chain
+ssl_cert = </etc/ssl/mycerts/letsencrypt/live.crt
 ssl_key = </etc/ssl/private/letsencrypt/live.key
 
 # If key file is password protected, give the password here. Alternatively
 ssl_key = </etc/ssl/private/letsencrypt/live.key
 
 # If key file is password protected, give the password here. Alternatively
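Review bot: `ssl_cert = </etc/ssl/mycerts/letsencrypt/live.crt` now relies on that file containing the leaf first and the intermediates after it, but nothing in this template records that assumption; the same holds for `smtpd_tls_cert_file` in main.cf and `certificate` in prosody.cfg.lua in the following sections. A one-line comment beside each, e.g. `# live.crt carries the full chain (leaf first); the separate .crt+chain file is no longer produced`, would keep a later edit from pointing these back at a chain-less file. The old `.crt+chain` files presumably remain on already-deployed hosts until something removes them; if the letsencrypt role has no cleanup task for them, they are stale artifacts that could mislead someone debugging a chain problem, so a removal task or a note in the role is worth considering.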
index 01c2185a57aec07d1dac12c152cd163cb2266abc..7a735c2cc74010a597800dc0aa6c055b14131af9 100644 (file)
@@ -13,7 +13,7 @@ local_recipient_maps = $alias_maps
 
 {% if 'letsencrypt' in group_names %}
 # TLS server parameters
 
 {% if 'letsencrypt' in group_names %}
 # TLS server parameters
-smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
+smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt
 smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
 smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
index d92d82e2000caa491aee760ec77de7c254841b48..238ca7538e4bcec0bcda7bc6ebb814749a5e3a61 100644 (file)
@@ -117,7 +117,7 @@ pidfile = "/var/run/prosody/prosody.pid"
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
        key = "/etc/ssl/private/letsencrypt/live.key";
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
        key = "/etc/ssl/private/letsencrypt/live.key";
-       certificate = "/etc/ssl/mycerts/letsencrypt/live.crt+chain";
+       certificate = "/etc/ssl/mycerts/letsencrypt/live.crt";
        ciphers = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:!3DES";
        dhparam = "/etc/ssl/dh2048.pem";
 }
        ciphers = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:!3DES";
        dhparam = "/etc/ssl/dh2048.pem";
 }