Skip to content

Instantly share code, notes, and snippets.

@opi
Created June 4, 2014 17:50
Show Gist options
  • Save opi/e865d8e4e2cd1b4ef803 to your computer and use it in GitHub Desktop.
Save opi/e865d8e4e2cd1b4ef803 to your computer and use it in GitHub Desktop.
Yunohost: SSL with a Gandi certificate

# SSL with a Gandi certificate

Generer la csr (http://wiki.gandi.net/fr/ssl/csr)

openssl req -nodes -newkey rsa:2048 -keyout monserveur_encrypted.key -out serveur.csr

( n'oubliez pas d'entrer une passphrase pour securiser votre clé privée. )

Gandi renvoye 2 fichiers:

  • le certificat du domaine: certificate-XXXXX.crt
  • le certificat intermediaire GandiStandardSSLCA.pem

Il nous faut une version sans passphrase de la clé privée:

openssl rsa -in monserveur_encrypted.key -out key.pem

Cette clé doit uniquement etre accessible en lecture, par root

chown root:root key.pem
chmoc 400 key.pem

On renomme les 2 fichiers de certificats pour y voir plus clair:

mv certificate-XXXXX.crt crt.pem
mv GandiStandardSSLCA.pem ca.pem

Ensuite, on genere un fichier contenant les 2 certificats:

cat crt.pem ca.pem > crt-ca.pem

On obtient donc finalement 4 fichiers: key.pem, ca.pem, crt.pem, crt-ca.pem

nginx

ssl_certificate     /etc/yunohost/certs/owyd_net/crt-ca.pem;
ssl_certificate_key /etc/yunohost/certs/owyd_net/key.pem;

Mail

Fichier : /etc/dovecot/dovecot.conf

ssl_ca = </etc/yunohost/certs/owyd_net/ca.pem
ssl_cert = </etc/yunohost/certs/owyd_net/crt.pem
ssl_key = </etc/yunohost/certs/owyd_net/key.pem

## Metronome

Fichier : /etc/metronome/conf.d/domaine.conf

key = "/etc/yunohost/certs/owyd_net/key.pem";
certificate = "/etc/yunohost/certs/owyd_net/crt-ca.pem";

key & cert file might be readable by metronome user

chown root:metronome
chmod u+rw
chmod g+r
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment