From: Ralf Jung Date: Wed, 30 Sep 2020 17:42:50 +0000 (+0200) Subject: letsencrypt now generates certificates that include the chain X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/d110535ffae3ecde454db40f4914c9afe564adfc?ds=inline;hp=5af0a46df87eca049db8dd6a19392b651515564e letsencrypt now generates certificates that include the chain --- diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf index bb80746..fd99e1f 100644 --- a/roles/apache/templates/ssl.conf +++ b/roles/apache/templates/ssl.conf @@ -33,8 +33,11 @@ SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL' SSLHonorCipherOrder on - # Certificate, DH parameters and key - SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh + # DH parameters + SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem" + + # Certificate and key + SSLCertificateFile /etc/ssl/mycerts/$cert.crt SSLCertificateKeyFile /etc/ssl/private/$cert.key # Server Certificate Chain: @@ -44,7 +47,7 @@ # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. - SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain + SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA diff --git a/roles/email/templates/dovecot/conf.d/10-ssl.conf b/roles/email/templates/dovecot/conf.d/10-ssl.conf index 70df7c5..ae6d354 100644 --- a/roles/email/templates/dovecot/conf.d/10-ssl.conf +++ b/roles/email/templates/dovecot/conf.d/10-ssl.conf @@ -9,7 +9,7 @@ ssl = required # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert =