[Kolab-devel] kolab3/debian wheezy: Questions regarding ssl setup
Johannes Graumann
johannes_graumann at web.de
Mon Jan 28 06:23:58 CET 2013
On Monday, January 28, 2013 04:57:13 Thomas Spuhler wrote:
> On Wednesday, December 19, 2012 06:00:54 AM Johannes Graumann wrote:
> > Paul Klos <kolab <at> klos2day.nl> writes:
> > > Op Wed, 05 Dec 2012 11:27 +0300
> > >
> > > Johannes Graumann <johannes_graumann <at> web.de> schreef:
> > > > Hello,
> > > >
> > > > When configuring a fresh kolab3 install on wheezy,
> > > > I need to issue an explicit "a2enmod ssl &&
> > > > a2ensite default-ssl" to get kolab-webadmin to work.
> > >
> > > I haven't tried this yet, and it's certainly
> > > something that should work, but AFAIK there is no
> > > explicit need to have ssl working to get into the
> > > kolab-webadmin.
> >
> > The requirement might be deriving from my lxc and nginx routing setup.
> >
> > > > In this context I am unclear on where the debian
> > > > setup requires ssl key and certificate.
> > > >
> > > > http://tinyurl.com/c98ojg5 says here:
> > > > > Certificate: /etc/pki/tls/certs/host.example.org.cert
> > > > > Private
> > > > > Key: /etc/pki/tls/private/host.example.org.key
> > > >
> > > > but that directory is inexistent in debian.
> > >
> > > Certificate paths are different on Debian and Red Hat
> > > flavoured distributions. We've run into this before
> > > with cyrus and postfix. Most probably setup-kolab
> > > will have to be patched for Debian to take care of
> > > this. For now, either symlinking or changing the
> > > configuration to look in /etc/ssl/private should
> > > work (as well as straight http, as per my previous
> > > remark).
> >
> > Do you think the patch appended should/could be pushed into the
> > repository? I went hunting for *.pem etc. in my existing trial
> > installation and came up with
> > the instances the patch attempts to modify towards debianish
> > infrastructure.
> >
> > Cheers, Joh
> >
> > diff --git a/pykolab/setup/setup_imap.py b/pykolab/setup/setup_imap.py
> > index c5c400e..4b7564f 100644
> > --- a/pykolab/setup/setup_imap.py
> > +++ b/pykolab/setup/setup_imap.py
> >
> > @@ -65,14 +65,6 @@ def execute(*args, **kw):
> > "admins": conf.get('cyrus-imap', 'admin_login'),
> > "postuser": "shared",
> >
> > }
> >
> > -
> > - if os.path.isfile('/usr/sbin/make-ssl-cert') and not
> > os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> > - subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
> > snakeoil'])
> > -
> > - if os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> > - imapd_settings['tls_cert_file'] = "/etc/ssl/certs/ssl-cert-
> > snakeoil.pem"
> > - imapd_settings['tls_ca_file'] =
> > "/etc/ssl/certs/ssl-cert-snakeoil.pem" -
> > imapd_settings['tls_key_file'] = "/etc/ssl/private/ssl-cert-
> > snakeoil.key"
> >
> > template_file = None
> >
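Review bot: The subprocess.call(['/usr/sbin/make-ssl-cert generate-default-snakeoil']) line in this hunk passes the program and its argument as a single list element with no shell=True, so Python will try to execute a file whose name contains the space and raise OSError instead of generating the key. Split it into ['/usr/sbin/make-ssl-cert', 'generate-default-snakeoil'] and check the return value before the isfile() test that follows. Separately, every snakeoil line here carries a "-" marker, so as posted the diff removes the Debian handling from setup_imap.py rather than adding it, which is the opposite of what the message describes; it looks generated in the reverse direction and should be regenerated before anyone applies it. Pointing tls_ca_file at the self-signed certificate also deserves a comment in the code saying it is a placeholder until a real CA bundle is configured.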
> > diff --git a/pykolab/setup/setup_mta.py b/pykolab/setup/setup_mta.py
> > index 40e6555..c02b024 100644
> > --- a/pykolab/setup/setup_mta.py
> > +++ b/pykolab/setup/setup_mta.py
> > @@ -212,15 +212,10 @@ result_attribute = mail
> >
> > if os.path.isfile('/etc/pki/tls/certs/make-dummy-cert') and not
> >
> > os.path.isfile('/etc/pki/tls/private/localhost.pem'):
> > subprocess.call(['/etc/pki/tls/certs/make-dummy-cert',
> >
> > '/etc/pki/tls/private/localhost.pem'])
> > - elif os.path.isfile('/usr/sbin/make-ssl-cert') and not
> > os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> > - subprocess.call(['/usr/sbin/make-ssl-cert generate-default-
> > snakeoil'])
> >
> > if os.path.isfile('/etc/pki/tls/private/localhost.pem'):
> > postfix_main_settings['smtpd_tls_cert_file'] =
> >
> > "/etc/pki/tls/private/localhost.pem"
> >
> > postfix_main_settings['smtpd_tls_key_file'] =
> >
> > "/etc/pki/tls/private/localhost.pem"
> > - elif os.path.isfile('/etc/ssl/private/ssl-cert-snakeoil.key'):
> > - postfix_main_settings['smtpd_tls_cert_file'] =
> > "/etc/ssl/certs/ssl-cert-snakeoil.pem"
> > - postfix_main_settings['smtpd_tls_key_file'] =
> > "/etc/ssl/private/ssl-cert-snakeoil.key"
> >
> > if not os.path.isfile('/etc/postfix/main.cf'):
> > if os.path.isfile('/usr/share/postfix/main.cf.debian'):
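Review bot: In the if/elif block that assigns smtpd_tls_cert_file and smtpd_tls_key_file, the visible lines have no else branch, so when neither /etc/pki/tls/private/localhost.pem nor /etc/ssl/private/ssl-cert-snakeoil.key exists this block sets neither value and says nothing about it. Add an else that logs a warning naming the paths that were checked, so a missing certificate shows up at setup time rather than as a mail delivery problem later. The elif that calls make-ssl-cert has the same single-string argument list as the setup_imap.py hunk and needs the program path and generate-default-snakeoil as separate list elements. As in that hunk, the Debian lines are marked "-" here, so the direction of the diff needs checking.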
> Any news on this?
No. I do not think Paul had time to check it out yet.
Was wondering the same yesterday, as my trial setup now has issues sending and
I think I tracked it down to postfix lacking a certificate ...
Joh