Correct, surge_cert.pem must contains the certificate (first) and any
intermediate certificates (after), and make sure the line terminations look
sane, sometimes email or something can munge them up.
surge_priv.pem is the key that your csr was created from, and MUST not
be changed after the csr is createed, if it is/was changed then your
certificates won't work.
After restarting surgemail it will tell you in mail.err if the key doesn't
match etc so check that for ssl issues. (And upgrade to our latest beta
which gives clearer errors)
No CSR's in any directory but I was wondering where it was stored.
Because it keeps coming up blank on my server. I just need the exact order in
which to get this to work.
----- Original Message -----
From: "Chris Ferebee" <email@example.com>
Sent: Thursday, November 13, 2014 2:08:13 PM
Subject: Spam:*********, Re: [SurgeMail List] SSL Issues
Just to be clear - you mention putting CSR files in the SSL directory, is
that a typo?
The CSR (Certificate Signing Request) is only needed when requesting the
cert from the CA. To use the certificate for TLS, you need the certificate and
the corresponding private key - the CSR is no longer required.
Surgemail can generate a private key for you and a corresponding CSR, but
you can also generate them in other ways, e. g. with the OpenSSL commandline.
In the end, you need the files
in the /usr/local/surgemail/ssl/ directory (or equivalent).
If you are serving multiple TLS domains via SNI, you need subdirectories
/usr/local/surgemail/ssl/domain.tld that contain surge_cert.pem and
surge_priv.pem files. Those certificate files will be used with SNI for TLS
requests that specify domain.tld, while Surgemail will serve the certificate
from the main ssl directory for any other domains. (Which will give you name
mismatch errors unless you have a wildcard certificate or one that lists
multiple appropriate SANs.)
Am 13.11.2014 um 17:19 schrieb Steven <firstname.lastname@example.org>:
I had a cert specifically for my mail server but then I upgraded to a
wildcard for the domain so I can use it for multiple servers.
I wanted to replace the cert so I pasted in the CSR I used in and then
the bundle ... what happened was the CSR field went blank, it showed my
cert, its issuer and all the other information except the domain it worked
for. It should have showen *.domain.com but it was blank.
I tried to put in the old CSR and old CERT just to revert back until I
figured out what I was doing wrong but it wouldn't accept that either. The
CSR remains blank even have a restart of the server etc.
So I really should only need 2 things for this certificate to work -
the CSR and the CERT (bundle in my base). I even tried to manually enter it
into the /usr/local/surgemail/ssl/surge_cert.pem without luck.
Bug or am I doing something wrong? This has always worked in the past.