question about man starttls and linking to cert.pem

question about man starttls and linking to cert.pem

freda_bundchen
Synopsis:    man starttls linking new certificate to cert.pem problem
Category:    documentation
Environment:
    System      : OpenBSD 6.5
    Details     : OpenBSD 6.5-current (GENERIC.MP) #184: Wed Aug  7 21:37:16 MDT 2019
             [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

    Architecture: OpenBSD.amd64
    Machine     : amd64
Description:
    man starttls says one can link a new certificate to cert.pem with
        ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem
    if one does not intend, but the link will fail since /etc/ssl/cert.pem exists already
How-To-Repeat:
man starttls

    I apologize, maybe it's not an error at all, so I'm writing to misc instead of bugs.
I don't understand why one would create this link, and I haven't been able to find an explanation
on the lists or elsewhere. Any explanation would be greatly appreciated.

The reason I am asking about it is that I am forwarding all mail from
one server to another using starttls and opensmtpd, and it works fine with tls no-verify
without creating the link to cert.pem. Also, if one does create the
link (perhaps backing up cert.pem first) then sysupgrade will fail
since it expects the original cert.pem. Also if running unbound, one
would need to use the original cert.pem (or whatever it was renamed to)
if using tls-bundle and DNS-over-TLS, I think.
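The failure mode described in this post (sysupgrade and unbound breaking once /etc/ssl/cert.pem no longer holds the CA bundle) can be checked for mechanically. The script below is an added example, not code from the thread or from OpenBSD; it inspects a cert.pem path and reports whether it is still a multi-certificate bundle, a symlink (the old man page advice), or a single server certificate. The fixtures it builds are constructed placeholders, not real certificates.

```shell
# count_certs FILE: number of PEM certificate blocks in FILE (0 if unreadable)
count_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# check_ca_bundle FILE: exit status 0 = looks like a CA bundle,
# 1 = symlink (cert.pem was replaced, as the old man page suggested),
# 2 = a single certificate (a server cert, not a bundle),
# 3 = missing or contains no certificates at all
check_ca_bundle() {
    f=$1
    if [ -L "$f" ]; then
        echo "$f: symlink to $(readlink "$f"); system CA bundle was replaced" >&2
        return 1
    fi
    n=$(count_certs "$f")
    if [ "$n" -eq 0 ]; then
        echo "$f: no certificates found" >&2
        return 3
    elif [ "$n" -eq 1 ]; then
        echo "$f: only one certificate; a server cert is not a CA bundle" >&2
        return 2
    fi
    echo "$f: $n certificates, looks like a CA bundle" >&2
    return 0
}

# make_samples DIR: constructed fixtures (placeholder PEM blocks, not real
# certificates) so the check can be exercised without touching /etc/ssl
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedplaceholder' \
        '-----END CERTIFICATE-----' > "$d/mail.example.com.crt"
    cat "$d/mail.example.com.crt" "$d/mail.example.com.crt" > "$d/bundle.pem"
    ln -s "$d/mail.example.com.crt" "$d/linked.pem"
}

# On a real host: check_ca_bundle /etc/ssl/cert.pem
```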



Re: question about man starttls and linking to cert.pem

Ted Unangst-6
[hidden email] wrote:
> Description:
>     man starttls says one can link a new certificate to cert.pem with
>         ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem if one does not intend

That entire section seems dumb and outdated. I would prefer we simply not give
any advice here. Users can figure out what they need to do. Installing the
public cert needs to be done on many other machines, not just the one where
it's generated.

Index: starttls.8
===================================================================
RCS file: /home/cvs/src/share/man/man8/starttls.8,v
retrieving revision 1.26
diff -u -p -r1.26 starttls.8
--- starttls.8 27 Jun 2018 05:39:02 -0000 1.26
+++ starttls.8 11 Aug 2019 02:20:01 -0000
@@ -102,18 +102,6 @@ with the following command:
 .Pp
 .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
 .Pp
-If you don't intend to use TLS for authentication (and if you are using
-self-signed certificates you probably don't) you can simply link
-your new certificate to
-.Pa cert.pem :
-.Pp
-.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/cert.pem
-.Pp
-If, on the other hand, you intend to use TLS for authentication
-you should add your certificate authority bundle to
-.Pa /etc/ssl/cert.pem
-(or whatever your software expects).
-.Pp
 Because the private key files are unencrypted,
 MTAs can be picky about using tight permissions on those files.
 The certificate directory and the files therein should be
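Review bot: removing both paragraphs is the right call, since the `ln -s ... /etc/ssl/cert.pem` line would replace the system CA bundle that the very next removed paragraph tells users to add their CA bundle to; but after the hunk the `openssl x509 -in ... -text` display is followed immediately by the private-key permissions text, with nothing left saying what to do with the certificate. Consider a one-line replacement such as noting that the certificate is configured in the MTA rather than installed into /etc/ssl/cert.pem, so readers do not reinvent the symlink.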

Re: question about man starttls and linking to cert.pem

Chris Bennett-4
Thanks, that had me confused when I read it, so I just ignored it.
Glad to know I did, as in didn't, do what it suggested except once.

Chris Bennett


Re: question about man starttls and linking to cert.pem

Todd C. Miller-3
In reply to this post by Ted Unangst-6
On Sat, 10 Aug 2019 22:22:05 -0400, "Ted Unangst" wrote:

> That entire section seems dumb and outdated. I would prefer we
> simply not give any advice here. Users can figure out what they
> need to do. Installing the public cert needs to be done on many
> other machines, not just the one where it's generated.

Fine with me.  I wonder if we shouldn't also mention acme-client
here too.  Something for another diff...

 - todd

Re: question about man starttls and linking to cert.pem

Gilles Chehade-7
On Sun, Aug 11, 2019 at 07:17:06AM -0600, Todd C. Miller wrote:

> On Sat, 10 Aug 2019 22:22:05 -0400, "Ted Unangst" wrote:
>
> > That entire section seems dumb and outdated. I would prefer we
> > simply not give any advice here. Users can figure out what they
> > need to do. Installing the public cert needs to be done on many
> > other machines, not just the one where it's generated.
>
> Fine with me.  I wonder if we shouldn't also mention acme-client
> here too.  Something for another diff...
>

I was wondering the same actually.

It's interesting to have instructions for generating a self-signed cert, but
most people will want a cert that others will validate, so it makes sense
to at least extend the man page (in another diff) in my opinion.

--
Gilles Chehade       @poolpOrg

https://www.poolp.org            patreon: https://www.patreon.com/gilles

Re: question about man starttls and linking to cert.pem

Todd C. Miller-3
On Sun, 11 Aug 2019 16:03:39 +0200, Gilles Chehade wrote:

> It's interesting to have instructions for generating a self-signed cert, but
> most people will want a cert that others will validate, so it makes sense
> to at least extend the man page (in another diff) in my opinion.

And if we do that we should also at least mention MTA-STS.

 - todd