[Kolab-devel] kolab3/debian wheezy: Questions regarding ssl setup

Johannes Graumann johannes_graumann at web.de
Thu Dec 20 07:02:05 CET 2012


Johannes Graumann wrote:

> Paul Klos <kolab <at> klos2day.nl> writes:
> 
>> 
>> On Wed, 05 Dec 2012 11:27 +0300
>> Johannes Graumann <johannes_graumann <at> web.de> wrote:
>> 
>> > Hello,
>> > 
>> > When configuring a fresh kolab3 install on wheezy,
>> > I need to issue an explicit "a2enmod ssl &&
>> > a2ensite default-ssl" to get kolab-webadmin to work.
>> > 
>> I haven't tried this yet, and it's certainly
>> something that should work, but AFAIK there is no
>> explicit need to have ssl working to get into the
>> kolab-webadmin.
> The requirement might be deriving from my lxc and nginx routing setup.
> 
>> > In this context I am unclear on where the debian
>> > setup requires ssl key and certificate.
>> > http://tinyurl.com/c98ojg5 says here:
>> > > Certificate: /etc/pki/tls/certs/host.example.org.cert
>> > > Private
>> > > Key: /etc/pki/tls/private/host.example.org.key
>> > but that directory is inexistent in debian.
>> > 
>> Certificate paths are different on Debian and Red Hat
>> flavoured distributions. We've run into this before
>> with cyrus and postfix. Most probably setup-kolab
>> will have to be patched for Debian to take care of
>> this. For now, either symlinking or changing the
>> configuration to look in /etc/ssl/private should
>> work (as well as straight http, as per my previous
>> remark).
> Do you think the patch appended should/could be pushed into the
> repository? I went hunting for *.pem etc. in my existing trial
> installation and came up with
> the instances the patch attempts to modify towards debianish
> infrastructure.
> 
> Cheers, Joh
> 
> diff --git a/pykolab/setup/setup_imap.py b/pykolab/setup/setup_imap.py
> index c5c400e..4b7564f 100644
> --- a/pykolab/setup/setup_imap.py
> +++ b/pykolab/setup/setup_imap.py
> @@ -65,14 +65,6 @@ def execute(*args, **kw):
>              "admins": conf.get('cyrus-imap', 'admin_login'),
>              "postuser": "shared",
>          }
> -
> -    if os.path.isfile('/usr/sbin/make-ssl-cert') and not
> os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> -        subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
> snakeoil'])
> -
> -    if os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> -        imapd_settings['tls_cert_file'] = "/etc/ssl/certs/ssl-cert-
> snakeoil.pem"
> -        imapd_settings['tls_ca_file'] =
> "/etc/ssl/certs/ssl-cert-snakeoil.pem"
> -        imapd_settings['tls_key_file'] = "/etc/ssl/private/ssl-cert-
> snakeoil.key"
>  
>      template_file = None
>  
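
Review bot: the `subprocess.call(['/usr/sbin/make-ssl-cert generate-default-snakeoil'])` line (on the `-` side here, which the follow-up says is the intended addition) passes the program and its argument as one list element, so without `shell=True` Python looks for an executable whose name contains a space and raises OSError instead of generating the key. Split it into `['/usr/sbin/make-ssl-cert', 'generate-default-snakeoil']`. A short code comment would also help on `tls_ca_file`, which is set to the same self-signed snakeoil certificate as `tls_cert_file` and so only works as a placeholder until a real certificate and CA file are configured.
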
> diff --git a/pykolab/setup/setup_mta.py b/pykolab/setup/setup_mta.py
> index 40e6555..c02b024 100644
> --- a/pykolab/setup/setup_mta.py
> +++ b/pykolab/setup/setup_mta.py
> @@ -212,15 +212,10 @@ result_attribute = mail
>  
>      if os.path.isfile('/etc/pki/tls/certs/make-dummy-cert') and not
> os.path.isfile('/etc/pki/tls/private/localhost.pem'):
>          subprocess.call(['/etc/pki/tls/certs/make-dummy-cert',
> '/etc/pki/tls/private/localhost.pem'])
> -    elif os.path.isfile('/usr/sbin/make-ssl-cert') and not
> os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> -        subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
> snakeoil'])
>  
>      if os.path.isfile('/etc/pki/tls/private/localhost.pem'):
>          postfix_main_settings['smtpd_tls_cert_file'] =
> "/etc/pki/tls/private/localhost.pem"
>          postfix_main_settings['smtpd_tls_key_file'] =
> "/etc/pki/tls/private/localhost.pem"
> -    elif os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> -        postfix_main_settings['smtpd_tls_cert_file'] =
> "/etc/ssl/certs/ssl-cert-snakeoil.pem"
> -        postfix_main_settings['smtpd_tls_key_file'] =
> "/etc/ssl/private/ssl-cert-snakeoil.key"
>  
>      if not os.path.isfile('/etc/postfix/main.cf'):
>          if os.path.isfile('/usr/share/postfix/main.cf.debian'):
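
Review bot: the `elif` branch that runs make-ssl-cert (a `-` line here, meant as an addition per the follow-up) ignores the result of `subprocess.call`, so if key generation fails the following `elif os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key')` is false and `smtpd_tls_cert_file` / `smtpd_tls_key_file` are left unset with no message. Check the return code and log a warning when neither the `/etc/pki/tls` nor the `/etc/ssl` key file exists after this block. The argument list also needs splitting into `'/usr/sbin/make-ssl-cert', 'generate-default-snakeoil'`, since a single element containing a space is treated as the executable name.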

Grrr. The patch is obviously in the wrong diff direction, but I hope you get 
the gist ...

Joh




