|
Notes |
|
|
(0006581)
|
|
NickH
|
|
2017-09-24 01:54
|
|
Perhaps with the obsoleting of SSLCertificateChainFile in Apache 2.4.8 (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html [^]) this bug may need to be changed such that when an intermediate certificate is imported, it should be concatenated with the certificate file and then drop the SSLCertificateChainFile parameter from flex-443.conf.
I don't know how the other certificate using programs (postfix, zarafa and so on) work with a single "fullchain" file. I know cyrus-imap works as this is how it generates its own self-signed certificate. |
|
|
|
(0006591)
|
|
user2
|
|
2017-09-24 12:49
|
|
The consuming-side of the API call (e.g. Postfix) should be able to request whatever it needs:
- Key file
- Certificate file
- Intermediate
- Certificate + Intermediate
The flip side: if someone imports a "Certificate", and it's really a "Certificate + Intermediate", the Certificate Manager should detect this use case and handle it appropriately. That will keep everything nice and clean. |
|
|
|
(0006661)
|
|
NickH
|
|
2017-10-16 12:15
|
|
My comment re cyrus-imap is a bit wrong but the principle is the same. cyrus-imap uses a combined certificate and key file.
Please can we add to the bug that the certificate/chain/key are tested for validity between themselves and the CA before being accepted by the webconfig. A user had something invalid here: https://www.clearos.com/clearfoundation/social/community/lost-connection-with-webconfigurator#reply-191731 [^] and it brought the webconfig down when he applied the certificate. I can open another bug if necessary but I don't know the details. |
|
|
|
(0006671)
|
|
user2
|
|
2017-10-16 15:35
|
|
|
|
|
(0014241)
|
|
NickH
|
|
2020-05-04 05:12
|
|
|