
Re: dumb question about SSL

On Fri, 11 Jan 2019 22:17:05 +0000
mick crane <mick.crane@xxxxxxxxx> wrote:

> I'm having a bit of bother with my home server thingy.
> does apache, roundcube, dovecot, cups.
> is buster.
> Is problem with roundcube communicating with dovecot or something.
> sending mail times out and the settings webpage isn't working whereas
> it was fine a week ago.
> 
> It occurs to me I don't really understand how SSL works and if
> problem I have might be to do with that not understanding.
> You can make a self signed certificate, a public, private pair
> Apache says you can make one and Dovecot says you can make one.
> So are these SSL pairs separate things or one thing in one place that 
> identifies the machine.
> What happens if connect to running apache  over encryption then
> connect to running dovecot over webmail with encryption, does it
> expect different keys ?
> I'm a bit confused about it.
> are the keys particular to the machine ? the domain ? the software ?
> 

To begin with, Debian will normally make the keys required by the
programs that actually need them, such as Apache and most mail servers.
Some programs don't need keys, but can use them (such as FreeRADIUS and
OpenVPN) so you then generally need to make them yourself. The EasyRSA
program makes that, as you would expect, easier, but if you intend to
make any but the most casual use of certificates, you ought to
understand what's going on, and should read a few OpenSSL tutorials.

A program used on the Net (pretty much just browsers) needs to be able
to trace the keys it finds back to a Certificate Authority that it
knows about i.e. a public one. Internal client-server programs don't
generally need to, so self-signed keys are OK. In fact, where keys are
used for authentication, such as with OpenVPN and FreeRADIUS, a private
Certificate Authority is vital. If OpenVPN will accept any client key
signed by a particular CA, then you need to keep that CA private, not
even sharing it with other programs on the same server.

> I dunno what I've done. I think I made some keys for apache the other 
> day to see if I could get ssl working ( is just local so I don't
> really need it, but anyway ) but perhaps I made keys from dovecot
> documentation a year or so ago.
> 

Apache should be quite happy with the 'snakeoil' certificate made by
Debian when it is installed. There are a couple of other things that
need to be done for SSL to work (such as enabling the Apache SSL
module) and it's long enough ago that I did it last that you had better
look up a few tutorials. If you need to make your web server available
publicly (and the best of luck if you have the courage to do that) then
its certificate must be traceable back to a public CA.

> Perhaps there might be an issue that I changed my local domain from 
> "local" to "home" in that time. Could that have anything to do with
> it ?
> 
> Should I delete all the ssl directories I can find to see if that
> helps ?

Probably not; just do a bit of reading. Note that Apache can also use
client certificates for authentication, a completely separate subject;
bear that in mind when you look for tutorials.

-- 
Joe
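Added example, not part of the thread above: the points Joe makes (each program has its own key pair, a self-signed cert is fine for internal use, a cert is "traceable" only to the CA that actually signed it, and a client cert is a different thing from a server cert) can all be checked with nothing but the openssl command line. The script below builds a private CA and a second, unrelated CA, signs separate server certs for the web and mail daemons and a client cert for a laptop, makes one snakeoil-style self-signed cert, and then runs `openssl verify` against each. Every name (home.example, home-ca, other-ca, the file prefixes) is invented for the demo; it works in a temporary directory and never touches /etc/ssl.

```shell
#!/bin/sh
# Added example, not from the original thread: build a private CA with
# openssl, sign a server cert and a client cert with it, and show what
# "traceable back to a CA" means by checking each cert against the right CA,
# the wrong CA, and no CA at all. Every name here (home.example, file names)
# is made up for the demo; nothing touches /etc/ssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Make a key pair, a signing request and an extension file for one subject.
# Each program (apache, dovecot, an OpenVPN client) gets its own pair;
# nothing forces two daemons on one machine to share a key.
make_request() {              # make_request <prefix> <name> <extensions>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    printf '%s\n' "$3" > "$1.ext"
}

# A CA is just a self-signed cert with CA:TRUE. Its .key is the secret that
# must stay private: whoever holds it can mint certs every relying party trusts.
make_ca() {                   # make_ca <prefix> <name>
    make_request "$1" "$2" 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
        -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# A certificate for one service or client, signed by a CA. The extended key
# usage says what it is for: serverAuth for a daemon, clientAuth for a client.
make_signed() {               # make_signed <prefix> <name> <ca-prefix> <serverAuth|clientAuth>
    make_request "$1" "$2" "basicConstraints=CA:FALSE
extendedKeyUsage=$4
subjectAltName=DNS:$2"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# A plain self-signed service cert, the kind Debian's snakeoil cert is:
# no CA behind it, so a client can only trust it by pinning it directly.
make_selfsigned() {           # make_selfsigned <prefix> <name>
    make_request "$1" "$2" "basicConstraints=CA:FALSE
subjectAltName=DNS:$2"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
        -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Does <cert> chain to <trusted-cert> and fit <purpose>?  Prints ok or fail;
# the failing command sits inside an if, so set -e does not abort the script.
verify_with() {               # verify_with <trusted-cert> <cert> <sslserver|sslclient>
    if openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Two CAs: the home one, and a second one standing in for "some other CA".
make_ca home-ca  "Home CA"
make_ca other-ca "Some other CA"

# Apache and dovecot each get their own server cert from the home CA, a
# laptop gets a client cert, and cups is left with a self-signed cert.
make_signed www    www.home.example    home-ca serverAuth
make_signed mail   mail.home.example   home-ca serverAuth
make_signed laptop laptop.home.example home-ca clientAuth
make_selfsigned cups cups.home.example

show() { printf '%-48s %s\n' "$1" "$(verify_with "$2" "$3" "$4")"; }
show "apache cert against home CA (server use)"   home-ca.crt  www.crt    sslserver
show "dovecot cert against home CA (server use)"  home-ca.crt  mail.crt   sslserver
show "apache cert against the other CA"           other-ca.crt www.crt    sslserver
show "laptop cert against home CA (client use)"   home-ca.crt  laptop.crt sslclient
show "apache cert presented as a client cert"     home-ca.crt  www.crt    sslclient
show "self-signed cups cert against home CA"      home-ca.crt  cups.crt   sslserver
show "self-signed cups cert pinned to itself"     cups.crt     cups.crt   sslserver
```

The last two lines are the self-signed case: nobody vouches for the cups cert, so it fails against the home CA, and the only way a client can accept it is to trust that exact certificate. The "apache cert presented as a client cert" line is the point Joe makes about OpenVPN and FreeRADIUS: a server that accepts anything signed by its CA still rejects a certificate whose extended key usage does not say clientAuth, which is why the CA key, and not just the certs it issues, has to stay private.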