
Update SSL certificate #43

Open
jloms opened this issue Jan 21, 2024 · 3 comments

Comments

@jloms

jloms commented Jan 21, 2024

Default certificate in the database is too weak. Changing the certificate is needed for starting apache2.

@JohnMertz
Collaborator

Noted. Thanks!

I have a script which automatically updates the certificate to my valid Let's Encrypt certificate which I run immediately on all of my test machines, so I had not encountered this problem.

I'll generate a new, stronger, default certificate. In the meantime, here is the script that I use, if you'd like to apply your own certificate/key without web access:

#!/bin/bash
# Install a certificate chain and private key into the MailCleaner database
# for both Exim (mta_config) and Apache (httpd_config), then restart them.

usage() {
	echo "Usage: $0 public_chain private_key [-R]"
	echo "	-R  Don't restart services"
	exit 1
}

SRCDIR=$(grep 'SRCDIR' /etc/mailcleaner.conf | cut -d ' ' -f3)

RESTART=1
if [ -z "$1" ] || [ -z "$2" ]; then
	echo "Missing argument"
	usage
elif [[ ! -r "$1" ]]; then
	echo "Cannot read $1"
	usage
elif [[ ! -r "$2" ]]; then
	echo "Cannot read $2"
	usage
fi
if [ -n "$3" ]; then
	# String comparison: '-eq' is for integers and would accept any third argument
	if [[ "$3" == '-R' ]]; then
		echo "Not restarting"
		RESTART=0
	else
		echo "Invalid option '$3'"
		usage
	fi
fi

# Leaf certificate: everything up to and including the first END CERTIFICATE line
CERT=$(grep -m 1 -B 1000 'END CERTIFICATE' "$1")
# Number of additional (intermediate) certificates in the bundle
COUNT=$(grep -c 'END CERTIFICATE' "$1")
let "COUNT--"

# Chain: the remaining certificates, collected from the end of the file backwards
if [ "$COUNT" -gt 0 ]; then
	CHAIN=$(tac "$1" | grep -m "$COUNT" -B 1000 'BEGIN CERTIFICATE' | tac)
else
	CHAIN=''
fi

# PEM data contains no quote characters, so it can be embedded in the SQL literal
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE mta_config set tls_certificate_data = '$(cat "$1")';
EOF

cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE mta_config set tls_certificate_key = '$(cat "$2")';
EOF

if [[ $RESTART == 1 ]]; then
	for i in 4 2 1; do "${SRCDIR}/etc/init.d/exim_stage$i" restart; done
fi

cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_data = '${CERT}';
EOF

cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_chain = '${CHAIN}';
EOF

cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_key = '$(cat "$2")';
EOF

if [[ $RESTART == 1 ]]; then
	"${SRCDIR}/etc/init.d/apache" restart
fi
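The script above separates the leaf certificate from the intermediates with grep -B 1000, which silently truncates a bundle longer than 1000 lines. As an added example (not part of the issue and not MailCleaner project code), here is the same leaf/chain split done with awk, which works for any bundle length and any number of intermediates. The function names and the sample bundle with placeholder bodies are constructed for this example.

```shell
#!/bin/bash
# Added example, not MailCleaner project code: split a PEM certificate bundle
# into the leaf certificate and the intermediate chain with awk. Unlike the
# grep -B 1000 approach, it does not assume a maximum bundle length.

# Print the first certificate block of the bundle in $1 (the leaf).
pem_leaf() {
	awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
	     inblock { print }
	     /-----END CERTIFICATE-----/ { if (inblock) exit }' "$1"
}

# Print every certificate block after the first one (the intermediate chain).
pem_chain() {
	awk '/-----BEGIN CERTIFICATE-----/ { n++ }
	     n > 1 { print }' "$1"
}

# Number of certificate blocks in the bundle in $1 (prints 0 if there are none).
pem_count() {
	grep -c -- '-----END CERTIFICATE-----' "$1" || true
}

# Constructed sample bundle (placeholder bodies, not real certificates),
# written to a temporary file whose path is printed.
make_sample_bundle() {
	local f
	f=$(mktemp)
	cat > "$f" << 'EOF'
-----BEGIN CERTIFICATE-----
LEAFCERTDATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEDATA
-----END CERTIFICATE-----
EOF
	echo "$f"
}

# Usage: f=$(make_sample_bundle); pem_leaf "$f"; pem_chain "$f"; pem_count "$f"
```

In the script above, CERT=$(pem_leaf "$1") and CHAIN=$(pem_chain "$1") would replace the two grep/tac lines and the COUNT bookkeeping; the rest of the script is unchanged.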

@JohnMertz
Collaborator

The default certificate is updated. However, for the final release, I would like to have a unique self-signed certificate generated during the install.pl script. GitHub has a bot which is nagging me that we have an exposed private key and since some users will never update the certificate, this is justifiable.

@JohnMertz JohnMertz changed the title apache2 not starting Update SSL certificate Jan 22, 2024
@JohnMertz
Collaborator

Note: Major mail providers such as Office 365 have become more strict recently regarding TLS connections. It is now better to have no TLS than to have a self-signed certificate. So, we can generate the self-signed certificate to be used by default, but we must ensure that TLS is not enabled by default and that there are warnings in documentation or the interface to get a proper certificate.
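As an added example (not install.pl and not MailCleaner code), here is how a per-installation self-signed default can be generated with openssl so that no shared private key ships in the database, together with two checks an installer or test can use to confirm the key size and signature algorithm are not weak. The directory, file names and host name argument are assumptions for this example. Writing the files enables nothing: in line with the comment above, loading the certificate into the database and turning TLS on remain separate, explicit steps.

```shell
#!/bin/bash
# Added example, not MailCleaner's install.pl: create a unique self-signed
# certificate per installation instead of shipping one shared private key.
# Paths, file names and the host name argument are assumptions.

# Generate a 4096-bit RSA key and a SHA-256 self-signed certificate for host
# $2 into directory $1 as default.key / default.crt. Prints the cert path.
gen_default_cert() {
	local dir="$1" host="${2:-$(hostname -f 2>/dev/null || hostname)}"
	command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
	mkdir -p "$dir"
	# umask 077 so the private key is never created world-readable
	( umask 077 && openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 825 \
		-subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" \
		-keyout "$dir/default.key" -out "$dir/default.crt" >/dev/null 2>&1 ) || return 1
	echo "$dir/default.crt"
}

# RSA public key size in bits of the certificate in $1 (empty if unreadable).
cert_key_bits() {
	openssl x509 -in "$1" -noout -text 2>/dev/null |
		sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Signature algorithm of the certificate in $1, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
	openssl x509 -in "$1" -noout -text 2>/dev/null |
		sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Usage: crt=$(gen_default_cert /tmp/mc-tls mail.example.org); cert_key_bits "$crt"
```

The subjectAltName extension is included because current clients ignore the CN alone; the checks read the certificate rather than the key so they can also be run against whatever is already stored in httpd_config.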
