Multiple Email SSL certificates

youds

Hi

How are you guys handling multiple SSL certificates for users?
I've installed a server-wide SSL certificate from a Certificate Authority; however, I have individual certificates for different subdomains and domain names that I wish to use.
Dovecot needs version 2 (see here http://wiki.dovecot.org/SSL/DovecotConfiguration) and CustomBuild supports 1.2 (with no method of upgrading that I can find).

What's the solution?
 
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set autover no
wget -O dovecot-2.0.beta6.tar.gz http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta6.tar.gz
perl -pi -e 's/dovecot:1.2.11:bdac013fd57aa616ea4bdd9ac34557c6/dovecot:2.0.beta6:03e6cdae279dc8ece338b1bb30ba434b/' versions.txt
mkdir -p /etc/dovecot
ln -s /etc/dovecot.conf /etc/dovecot/dovecot.conf
wget -O /etc/dovecot.conf http://www.custombuild.eu/dovecot.conf
./build dovecot
 
Have to say, I'm having problems with this.
The configuration I'm using is here http://paste2.org/p/868252, but the certificates aren't recognised unless they are outside of the configuration block.
I've been in their IRC channel and spoke to 2 people; however, we weren't able to come up with a solution.

Version:
Code:
[root@jupiter-ilo ssl]# dovecot --version
2.0.beta5
[root@jupiter-ilo ssl]#

If anybody can offer any suggestions I'd be very grateful.
 
I continued to look into this and went back to their IRC channel.
The 2 people I was talking to were developers, and one said it is possible it could be broken.
Does anybody have multiple SSL certificates working on their setup?
 
Hi

Quick update on this.
It works with DirectAdmin using CustomBuild when specifying IP addresses. You can then connect to any host pointing to that IP address and the certificate will be used. Specifying the host doesn't work (latest nightly build), although I'm told it could be down to a DNS configuration issue; they are looking into it.

Dovecot: 2.0.beta5 (2d6cf78982dc)
My named/bind version: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

Sample configuration:
Code:
local 195.191.156.156 {
  ssl_cert = </etc/ssl/mail.youds.com.crt
  ssl_key = </etc/ssl/mail.youds.com.key
}
local jupiter-ilo.youds.com {
  ssl_cert = </etc/ssl/jupiter-ilo.youds.com.crt
  ssl_key = </etc/ssl/jupiter-ilo.youds.com.key
}

ssl_cert = </etc/ssl/jupiter-ilo.youds.com.crt
ssl_key = </etc/ssl/jupiter-ilo.youds.com.key

Result:
Code:
[root@jupiter-ilo ~]# openssl s_client -connect mail.youds.com:993|grep CN
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /serialNumber=mtH-aU7y/k0ESREU5H4EPcKMI/uAcLjw/C=GB/O=mail.youds.com/OU=GT90588235/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=mail.youds.com
verify return:1
 0 s:/serialNumber=mtH-aU7y/k0ESREU5H4EPcKMI/uAcLjw/C=GB/O=mail.youds.com/OU=GT90588235/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=mail.youds.com
subject=/serialNumber=mtH-aU7y/k0ESREU5H4EPcKMI/uAcLjw/C=GB/O=mail.youds.com/OU=GT90588235/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=mail.youds.com

[root@jupiter-ilo ~]# openssl s_client -connect jupiter-ilo.youds.com:993|grep CN
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /serialNumber=cqmk5TjtkGvmwR/F24d31AQcBJOxTh2X/C=GB/O=jupiter-ilo.youds.com/OU=GT59394298/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=jupiter-ilo.youds.com
verify return:1
 0 s:/serialNumber=cqmk5TjtkGvmwR/F24d31AQcBJOxTh2X/C=GB/O=jupiter-ilo.youds.com/OU=GT59394298/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=jupiter-ilo.youds.com
subject=/serialNumber=cqmk5TjtkGvmwR/F24d31AQcBJOxTh2X/C=GB/O=jupiter-ilo.youds.com/OU=GT59394298/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=jupiter-ilo.youds.com

[root@jupiter-ilo ~]#

Hope this helps somebody. If I get it working for local hostname.domain.com { ... } I'll let you know.
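The post above checks the served certificate by eye with `openssl s_client ... | grep CN`. Below is an added shell example (not code from the thread, DirectAdmin or Dovecot) that turns that check into a pass/fail verdict per hostname: it extracts the leaf CN from s_client output, confirms the chain verified, and reports a MISMATCH when a name resolving to the shared IP is handed that IP's certificate, which is the situation the post describes for names that are not the IP's own. It goes slightly beyond the thread by also accepting wildcard certificates and the comma-separated subject form printed by OpenSSL 1.1 and later. The sample outputs are constructed (trimmed from the output shown above); `webmail.example.com` and `imap.example.net` are placeholder names, and `probe_live` is the assumed live invocation and is not called by default.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate served on 993
# match the name the client connected with?  The sample outputs below are
# CONSTRUCTED, modelled on the s_client output in the post; nothing here
# talks to a live server unless you call probe_live yourself.
set -eu

# Assumed live invocation (not called by default).  -servername sends SNI;
# older openssl s_client only sends it when asked, 1.1.1+ sends it by default.
probe_live() {
    openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>&1
}

# Leaf CN from s_client output.  Handles both the "/CN=host" form shown in
# the thread and the "CN = host" form printed by OpenSSL 1.1+.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# True unless s_client reported a chain verification error.
chain_verified() {
    ! printf '%s\n' "$1" | grep -q '^verify error'
}

# True if the leaf CN equals the host, or is a wildcard one label above it
# (*.example.net covers imap.example.net, not example.net or a.b.example.net).
cert_matches_host() {
    host=$1
    cn=$(extract_cn "$2")
    [ -n "$cn" ] || return 1
    [ "$cn" = "$host" ] && return 0
    parent=${host#*.}
    [ "$parent" != "$host" ] && [ "$cn" = "*.$parent" ] && return 0
    return 1
}

# One verdict line per target; non-zero on any problem.
check_target() {
    host=$1
    out=$2
    cn=$(extract_cn "$out")
    if ! chain_verified "$out"; then
        printf '%-22s UNVERIFIED  CN=%s\n' "$host" "$cn"
        return 1
    fi
    if cert_matches_host "$host" "$out"; then
        printf '%-22s OK          CN=%s\n' "$host" "$cn"
    else
        printf '%-22s MISMATCH    CN=%s (clients will warn)\n' "$host" "$cn"
        return 1
    fi
}

# Constructed: mail.youds.com served its own certificate (the thread's
# working case, subject trimmed).
SAMPLE_OK='depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=GB/O=mail.youds.com/CN=mail.youds.com
verify return:1
subject=/C=GB/O=mail.youds.com/CN=mail.youds.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'

# Constructed: a placeholder name pointing at the same IP receives the IP's
# certificate, so the output is identical but the name no longer matches.
SAMPLE_MISMATCH=$SAMPLE_OK

# Constructed, OpenSSL 1.1+ output form: wildcard certificate, self-signed.
SAMPLE_SELFSIGNED='depth=0 C = GB, O = Example, CN = *.example.net
verify error:num=18:self signed certificate
verify return:1
subject=C = GB, O = Example, CN = *.example.net
issuer=C = GB, O = Example, CN = *.example.net'

# Stand-alone run over the three samples; $status is 1 if any target failed.
status=0
for target in "mail.youds.com|$SAMPLE_OK" \
              "webmail.example.com|$SAMPLE_MISMATCH" \
              "imap.example.net|$SAMPLE_SELFSIGNED"; do
    check_target "${target%%|*}" "${target#*|}" || status=1
done
```

Run as-is to see the three verdicts (OK, MISMATCH, UNVERIFIED); to check a real server, feed `probe_live hostname` output to `check_target` in place of a sample. A MISMATCH for a name that resolves to the shared IP is exactly what the `local <ip> { ... }` block produces: selection is by the IP the client connected to, so every name on that IP gets the same certificate and clients connecting under another name will warn.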
 