Submitted by yngens on Fri, 03/03/2017 - 09:30
With Webmin version 1.831, Virtualmin version 5.06 and Authentic Theme 18.32 when copying the current SSL certificate to Dovecot it gives:
Copying certificate and key to Dovecot files ..
.. wrote out certificate in /etc/pki/dovecot/certs/dovecot.pem, key in /etc/pki/dovecot/private/dovecot.pem and CA cert in /dovecot.ca.pem
Enabling SSL in Dovecot configuration ..
.. done
and indeed firing the "ls -l /" command shows the "dovecot.ca.pem" in the main / directory of the server, which is not a good place to store certificates at all.
Status:
Active
Comments
Submitted by yngens on Fri, 03/03/2017 - 09:33 Comment #1
I believe this is happening because the /etc/dovecot/conf.d/10-ssl.conf file has correct lines:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
but incorrect line for:
ssl_ca = </dovecot.ca.pem
I don't know when this became broken, but the instructions right above that line indicate:
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
Submitted by yngens on Fri, 03/03/2017 - 09:35 Comment #2
Had to
mv /dovecot.ca.pem /etc/pki/dovecot/certs/ca.pem
service dovecot restart
but please have this fixed on *min depository code.
Submitted by JamieCameron on Fri, 03/03/2017 - 10:53 Comment #3
The 5.07 release of Virtualmin (due out in a few days) will "fix" this issue by not creating the ssl.ca file at all, as it turns out this is the wrong way to configure Dovecot. Instead, the CA cert will be appended to the domain's cert file.
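
Added example, not part of the thread and not Virtualmin's or Dovecot's own code: a shell check for the misplacement reported above, which reads a Dovecot config file and flags any ssl_cert, ssl_key or ssl_ca file that sits directly in / or outside an expected directory. The function names, the default base directory /etc/pki/dovecot and the reason labels are assumptions; the sample input is constructed from the lines quoted in comment #1.

```shell
#!/bin/sh
# Added example, not Virtualmin or Dovecot code.
# audit_dovecot_ssl CONF [BASE]
#   CONF: a Dovecot config file such as /etc/dovecot/conf.d/10-ssl.conf
#   BASE: directory expected to hold the PEM files (assumed default below)
# Prints "setting path reason" per finding; returns 1 if anything was flagged.
audit_dovecot_ssl() {
    conf=$1
    base=${2:-/etc/pki/dovecot}
    # Commented lines start with '#', so the anchored pattern skips them.
    out=$(sed -n -E \
        's/^[[:space:]]*(ssl_cert|ssl_key|ssl_ca)[[:space:]]*=[[:space:]]*<[[:space:]]*([^[:space:]#]+).*$/\1 \2/p' \
        "$conf" | while read -r name path; do
        dir=$(dirname "$path")
        if [ "$dir" = "/" ]; then
            echo "$name $path in-filesystem-root"
        else
            case "$dir/" in
                "$base"/*) ;;   # under the expected base directory
                *) echo "$name $path outside-expected-dir" ;;
            esac
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample input: the settings quoted in the thread.
sample_conf() {
    cat <<'EOF'
# (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_ca = </dovecot.ca.pem
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_dovecot_ssl "$tmp" || true   # prints: ssl_ca /dovecot.ca.pem in-filesystem-root
rm -f "$tmp"
```

The check is purely textual: it does not resolve symlinks or ".." components, and it does not look at file ownership or permissions.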