From d110535ffae3ecde454db40f4914c9afe564adfc Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Wed, 30 Sep 2020 19:42:50 +0200
Subject: [PATCH] letsencrypt now generates certificates that include the chain
---
 roles/apache/templates/ssl.conf | 9 ++++++---
 roles/email/templates/dovecot/conf.d/10-ssl.conf | 2 +-
 roles/email/templates/main.cf | 2 +-
 roles/prosody/templates/prosody.cfg.lua | 2 +-
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/roles/apache/templates/ssl.conf b/roles/apache/templates/ssl.conf
index bb80746..fd99e1f 100644
--- a/roles/apache/templates/ssl.conf
+++ b/roles/apache/templates/ssl.conf
@@ -33,8 +33,11 @@
 SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL'
 SSLHonorCipherOrder on
- # Certificate, DH parameters and key
- SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh
+ # DH parameters
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem"
+
+ # Certificate and key
+ SSLCertificateFile /etc/ssl/mycerts/$cert.crt
 SSLCertificateKeyFile /etc/ssl/private/$cert.key
 # Server Certificate Chain:
@@ -44,7 +47,7 @@
 # the referenced file can be the same as SSLCertificateFile
 # when the CA certificates are directly appended to the server
 # certificate for convinience.
- SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain
+ SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt
 # Certificate Authority (CA):
 # Set the CA certificate verification path where to find CA
diff --git a/roles/email/templates/dovecot/conf.d/10-ssl.conf b/roles/email/templates/dovecot/conf.d/10-ssl.conf
index 70df7c5..ae6d354 100644
--- a/roles/email/templates/dovecot/conf.d/10-ssl.conf
+++ b/roles/email/templates/dovecot/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert =
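Review bot: In roles/apache/templates/ssl.conf, hunk `@@ -33,8 +33,11 @@`, the added `SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem"` points at a file that nothing visible in this patch creates. The directive also needs Apache 2.4.8 or later built against OpenSSL 1.0.2 or later. If the file is missing or unreadable on a freshly provisioned host, Apache will most likely reject the configuration at startup, so the role should generate the parameters before this template is deployed; that may already happen elsewhere in the repository. The cipher list in the context lines still offers kEDH suites, so the group in that file sets the strength of every DHE handshake. A comment above the directive would record both requirements, for example `# needs Apache >= 2.4.8 / OpenSSL >= 1.0.2; dh2048.pem must exist before Apache starts`. The enclosing configuration block starts and ends outside the hunk.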
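Review bot: In roles/apache/templates/ssl.conf, hunk `@@ -44,7 +47,7 @@`, `SSLCertificateChainFile` now names the same `$cert.crt` as `SSLCertificateFile`, which makes the directive redundant on any Apache that accepts the `SSLOpenSSLConfCmd` line added earlier in this file. Since 2.4.8 `SSLCertificateFile` itself loads intermediate certificates appended to the leaf, and `SSLCertificateChainFile` is deprecated from that version on. Dropping the line leaves a single place that defines what is served and avoids a silent mismatch if one of the two paths is edited later. If it is kept for older servers, the comment block above it should say so, for example `# chain is bundled in $cert.crt; kept only for Apache < 2.4.8`. The enclosing configuration block starts and ends outside the hunk.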