GAAAAAAAAHHHH I HATE SSL
Well, I mean, I cannot live without ssl. Well I mean, I cannot live without encryption. And SSL is the de-facto standard encryption on the internet.
Since I moved to a new server because the old ones uptime rarely gets beyond 24 hours these days, i had to reconfigure some services. Apache was easy, copy the config, everybody's happy.
Mail wasn't that easy, I wanted to have virtual domains. So I had to bake myself a new little setup from ground up. postfix + courier-imap was working before, so I decided to base it on that.
But when I was testing connectivity I noticed SSL warnings. these typical "your certificate is BROKEN" in your face warnings, that would make everybody besides myself check for new viruses on their pc while making sure the abort button is not some evil "sell your soul here" button.
I don't reaaaaaally need to get rid of the warning but I wanted to do it right. It seems I used cacert certificates before. They are really nice, but aren't really compatible with anyone who doesn't go to keysigning parties or at least knows what that is. So I took my already working StartCom SSL certificate, that I use for apache and mumble, pointed the config file to it and then screamed and shed tears of blood for the next couple of hours.
Because supplying your own certificate isn't enough. No, you have get the right combination of internmediate certificates, root certificates, your own public one and your private key. And just as a side note: EVERY program does is differently! So went to the internets and looked, which files I had to cat together four courier-imap, but instead of the gaping abyss of result-less google searches I got about 10 different possiblilites, which certificates to cat together. Also, there is the ascii-style .pem format and the .crt format. Or .crt formats. Because some .crts look exactly like .pems and some are binary garbage. And people are just throwing them together in files and one never knows, if the time they did this, a .crt had a .pem format or not.
Oh, did I mention? The order in which you pack these little freaky buggers together make a difference. Sometimes.
So.
What I want to say. To every body who writes config parsers and ssl apis. PLEASE make this easier. make one option for every kind of file. Try to look up intermediate certificates your self, so we don't have to supply them. To the SSL providers: provide these intermediate certificates!
And for all the lost courier-imap - configurating people out there:
TLS_CERTFILE -> make this point to a file that includes your public and private certificate (.pem)
TLS_TRUSTCERTS -> make this point to a file that includes first the intermediate certificate, then the root certificate (if that order make a differnce - I don't know, I don't care anymore)
No comments:
Post a Comment