[Kolab-devel] kolab3/debian wheezy: Questions regarding ssl setup

Tue Jan 8 19:04:39 CET 2013

Paul Klos <kolab <at> klos2day.nl> writes:

> 
> Op Wed, 05 Dec 2012 11:27 +0300
> Johannes Graumann <johannes_graumann <at> web.de> schreef:
> 
> > Hello,
> > 
> > When configuring a fresh kolab3 install on wheezy,
> > I need to issue an explicit "a2enmod ssl &&
> > a2ensite default-ssl" to get kolab-webadmin to work.
> > 
> I haven't tried this yet, and it's certainly
> something that should work, but AFAIK there is no
> explicit need to have ssl working to get into the
> kolab-webadmin.
The requirement might be deriving from my lxc and nginx routing setup.

> > In this context I am unclear on where the debian
> > setup requires ssl key and certificate. 
> > http://tinyurl.com/c98ojg5 says here:
> > > Certificate: /etc/pki/tls/certs/host.example.org.cert
> > > Private
> > > Key: /etc/pki/tls/private/host.example.org.key
> > but that directory is inexistent in debian.
> > 
> Certificate paths are different on Debian and Red Hat
> flavoured distributions. We've run into this before
> with cyrus and postfix. Most probably setup-kolab
> will have to be patched for Debian to take care of
> this. For now, either symlinking or changing the
> configuration to look in /etc/ssl/private should
> work (as well as straight http, as per my previous
> remark).
Do you think the patch appended should/could be pushed into the repository?
I went hunting for *.pem etc. in my existing trial installation and came up 
with the instances the patch attempts to modify towards debianish 
infrastructure.

Cheers, Joh

diff --git a/pykolab/setup/setup_imap.py b/pykolab/setup/setup_imap.py
index c5c400e..4b7564f 100644
--- a/pykolab/setup/setup_imap.py
+++ b/pykolab/setup/setup_imap.py
@@ -65,14 +65,6 @@ def execute(*args, **kw):
             "admins": conf.get('cyrus-imap', 'admin_login'),
             "postuser": "shared",
         }
-        
-    if os.path.isfile('/usr/sbin/make-ssl-cert') and not
os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
-        subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
snakeoil'])
-
-    if os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
-        imapd_settings['tls_cert_file'] = "/etc/ssl/certs/ssl-cert-
snakeoil.pem"
-        imapd_settings['tls_ca_file'] = "/etc/ssl/certs/ssl-cert-
snakeoil.pem"
-        imapd_settings['tls_key_file'] = "/etc/ssl/private/ssl-cert-
snakeoil.key"
 
     template_file = None
 
diff --git a/pykolab/setup/setup_mta.py b/pykolab/setup/setup_mta.py
index 40e6555..c02b024 100644
--- a/pykolab/setup/setup_mta.py
+++ b/pykolab/setup/setup_mta.py
@@ -212,15 +212,10 @@ result_attribute = mail
 
     if os.path.isfile('/etc/pki/tls/certs/make-dummy-cert') and not
os.path.isfile('/etc/pki/tls/private/localhost.pem'):
         subprocess.call(['/etc/pki/tls/certs/make-dummy-cert',
'/etc/pki/tls/private/localhost.pem'])
-    elif os.path.isfile('/usr/sbin/make-ssl-cert') and not
os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
-        subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
snakeoil'])
 
     if os.path.isfile('/etc/pki/tls/private/localhost.pem'):
         postfix_main_settings['smtpd_tls_cert_file'] =
"/etc/pki/tls/private/localhost.pem"
         postfix_main_settings['smtpd_tls_key_file'] =
"/etc/pki/tls/private/localhost.pem"
-    elif os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
-        postfix_main_settings['smtpd_tls_cert_file'] =
"/etc/ssl/certs/ssl-cert-snakeoil.pem"
-        postfix_main_settings['smtpd_tls_key_file'] =
"/etc/ssl/private/ssl-cert-snakeoil.key"
 
     if not os.path.isfile('/etc/postfix/main.cf'):
         if os.path.isfile('/usr/share/postfix/main.cf.debian'):


