include chain and privkey files for tls_config
Closed, Public

Authored by dhoffend on Nov 28 2016, 12:06 AM.

Details

Reviewers
None
Group Reviewers
Restricted Project
Commits
rGe3a5c9080906: include chain and privkey files for tls_config
Summary

Include more tls options in the example configuration. If you want to
correctly configure your ssl certificate including the intermediate servers,
it's important to configure the cacertfile; otherwise the chain is omitted in
the ssl response (tested with openssl s_client).

The documentation should be updated as well.

Diff Detail

Repository
rG guam
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
dhoffend retitled this revision from to include chain and privkey files for tls_config. Nov 28 2016, 12:06 AM
dhoffend updated this object.
dhoffend edited the test plan for this revision.
dhoffend added a reviewer: Restricted Project.

IMO the kolab-docs documentation should be updated as well, like the pykolab/setup-kolab template.

Note that you can put all of these in a single .pem file as well, haproxy-style. But it is nice to show these options as well. Will merge... Thanks! :)

Closed by commit rGe3a5c9080906: include chain and privkey files for tls_config (authored by dhoffend, committed by Aaron Seigo <seigo@kolabsystems.com>). Nov 30 2016, 10:18 AM
This revision was automatically updated to reflect the committed changes.
In D314#4064, @seigo wrote:

Note that you can put all of these in a single .pem file as well, haproxy-style. But it is nice to show these options as well. Will merge... Thanks! :)

I've tried it and it didn't work. While the certificate and the key got loaded and served correctly, the included certificate chain wasn't provided when I tested the guam connection with openssl s_client -connect ...

That's why I was searching for the correct attributes.

Another reason for this was the usage of the LetsEncrypt certbot client. The client automatically generates separate files for cert + chain + key and not a combined file for all 3. So I thought it would be good to provide the user the documentation on all 3 required attributes. This makes a future lets-encrypt doc easier to start with. ... maybe when I find some time.
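
The following is an added example, not part of this revision or of guam's code. This Python sketch splits a haproxy-style combined .pem into the separate cert, chain and key files discussed in the thread, written under certbot's file names cert.pem, chain.pem and privkey.pem. It assumes the first certificate in the bundle is the server certificate, and the sample bundle is constructed placeholder data, not real certificates or keys.

```python
import os
import re

# One PEM block; group 1 is the label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)

# Constructed sample: placeholder bodies, not real certificates or key material.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
)


def split_bundle(bundle_text, require_chain=True):
    """Split a combined PEM bundle into leaf certificate, chain and private key.

    Assumption: the first CERTIFICATE block is the server certificate and the
    remaining CERTIFICATE blocks are its intermediates.
    """
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(bundle_text):
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if match.group(1) == "CERTIFICATE":
            certs.append(block)
        elif match.group(1).endswith("PRIVATE KEY"):
            keys.append(block)
    if not certs:
        raise ValueError("no certificate in bundle")
    if len(keys) != 1:
        raise ValueError("expected one private key, found %d" % len(keys))
    if require_chain and len(certs) < 2:
        # The failure mode from the thread: clients would get no chain.
        raise ValueError("bundle has no intermediate certificates")
    return {"cert": certs[0], "chain": "".join(certs[1:]), "privkey": keys[0]}


def write_split(parts, out_dir):
    """Write cert.pem, chain.pem and privkey.pem; a new key file gets mode 0600."""
    paths = {}
    for name, mode in (("cert", 0o644), ("chain", 0o644), ("privkey", 0o600)):
        paths[name] = os.path.join(out_dir, name + ".pem")
        fd = os.open(paths[name], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as handle:
            handle.write(parts[name])
    return paths
```

The mode passed to `os.open` only applies when the file is created, so an existing privkey.pem keeps whatever permissions it already had.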