dumb question about SSL

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

dumb question about SSL

mick crane
I'm having a bit of bother with my home server thingy.
does apache, roundcube, dovecot, cups.
is buster.
Is problem with roundcube communicating with dovecot or something.
sending mail times out and the settings webpage isn't working whereas it
was fine  a week ago.

It occurs to me I don't really understand how SSL works and if problem I
have might be to do with that not understanding.
You can make a self signed certificate, a public, private pair
Apache says you can make one and Dovecot says you can make one.
So are these SSL pairs separate things or one thing in one place that
identifies the machine.
What happens if connect to running apache  over encryption then connect
to running dovecot over webmail with encryption, does it expect
different keys ?
I'm a bit confused about it.
are the keys particular to the machine ? the domain ? the software ?

I dunno what I've done. I think I made some keys for apache the other
day to see if I could get ssl working ( is just local so I don't really
need it, but anyway ) but perhaps I made keys from dovecot documentation
a year or so ago.

Perhaps there might be an issue that I changed my local domain from
"local" to "home" in that time. Could that have anything to do with it ?

Should I delete all the ssl directories I can find to see if that helps
?

mick




--
Key ID    4BFEBB31

Reply | Threaded
Open this post in threaded view
|

Re: dumb question about SSL

Roberto C. Sánchez-2
On Fri, Jan 11, 2019 at 10:17:05PM +0000, mick crane wrote:

> I'm having a bit of bother with my home server thingy.
> does apache, roundcube, dovecot, cups.
> is buster.
> Is problem with roundcube communicating with dovecot or something. sending
> mail times out and the settings webpage isn't working whereas it was fine  a
> week ago.
>
> It occurs to me I don't really understand how SSL works and if problem I
> have might be to do with that not understanding.
> You can make a self signed certificate, a public, private pair
> Apache says you can make one and Dovecot says you can make one.
> So are these SSL pairs separate things or one thing in one place that
> identifies the machine.
> What happens if connect to running apache  over encryption then connect to
> running dovecot over webmail with encryption, does it expect different keys
> ?
> I'm a bit confused about it.
> are the keys particular to the machine ? the domain ? the software ?
>
> I dunno what I've done. I think I made some keys for apache the other day to
> see if I could get ssl working ( is just local so I don't really need it,
> but anyway ) but perhaps I made keys from dovecot documentation a year or so
> ago.
>
> Perhaps there might be an issue that I changed my local domain from "local"
> to "home" in that time. Could that have anything to do with it ?
>
There are so many variables involved here that it is difficult to guess
at what is going wrong.

Please post specific error messages that you are seeing, either in your
client applications or in the server logs.

> Should I delete all the ssl directories I can find to see if that helps ?
>
That sounds rather extreme and seems likely to result in causing a
different set of problems.

I taught a class a little over two years ago specifically on SSL
certificate authority and server/client certificate creation and
deployment.  If you contact me off-list, I can email you the
documentation (I never got around to posting it online).  You might find
some useful things in there.

Regards,

-Roberto

--
Roberto C. Sánchez

Reply | Threaded
Open this post in threaded view
|

Re: dumb question about SSL

Joe Rowan
In reply to this post by mick crane
On Fri, 11 Jan 2019 22:17:05 +0000
mick crane <[hidden email]> wrote:

> I'm having a bit of bother with my home server thingy.
> does apache, roundcube, dovecot, cups.
> is buster.
> Is problem with roundcube communicating with dovecot or something.
> sending mail times out and the settings webpage isn't working whereas
> it was fine  a week ago.
>
> It occurs to me I don't really understand how SSL works and if
> problem I have might be to do with that not understanding.
> You can make a self signed certificate, a public, private pair
> Apache says you can make one and Dovecot says you can make one.
> So are these SSL pairs separate things or one thing in one place that
> identifies the machine.
> What happens if connect to running apache  over encryption then
> connect to running dovecot over webmail with encryption, does it
> expect different keys ?
> I'm a bit confused about it.
> are the keys particular to the machine ? the domain ? the software ?
>

To begin with, Debian will normally make the keys required by the
programs that actually need them, such as Apache and most mail servers.
Some programs don't need keys, but can use them (such as FreeRADIUS and
OpenVPN) so you then generally need to make them yourself. The EasyRSA
program makes that, as you would expect, easier, but if you intend to
make any but the most casual use of certificates, you ought to
understand what's going on, and should read a few OpenSSL tutorials.

A program used on the Net (pretty much just browsers) needs to be able
to trace the keys it finds back to a Certificate Authority that it
knows about i.e. a public one. Internal client-server programs don't
generally need to, so self-signed keys are OK. In fact, where keys are
used for authentication, such as with OpenVPN and FreeRADIUS, a private
Certificate Authority is vital. If OpenVPN will accept any client key
signed by a particular CA, then you need to keep that CA private, not
even sharing it with other programs on the same server.

> I dunno what I've done. I think I made some keys for apache the other
> day to see if I could get ssl working ( is just local so I don't
> really need it, but anyway ) but perhaps I made keys from dovecot
> documentation a year or so ago.
>

Apache should be quite happy with the 'snakeoil' certificate made by
Debian when it is installed. There are a couple of other things that
need to be done for SSL to work (such as enabling the Apache SSL
module) and it's long enough ago that I did it last that you had better
look up a few tutorials. If you need to make your web server available
publicly (and the best of luck if you have the courage to do that) then
its certificate must be traceable back to a public CA.

> Perhaps there might be an issue that I changed my local domain from
> "local" to "home" in that time. Could that have anything to do with
> it ?
>
> Should I delete all the ssl directories I can find to see if that
> helps ?

Probably not, just do a bit of reading. Note that Apache can also use
client certificates for authentication, a completely separate subject,
bear that in mind when you look for tutorials.

--
Joe

Reply | Threaded
Open this post in threaded view
|

Re: dumb question about SSL

Roberto C. Sánchez-2
On Sat, Jan 12, 2019 at 09:27:01AM +0000, Joe wrote:
>
> Apache should be quite happy with the 'snakeoil' certificate made by
> Debian when it is installed.

Which should not be used in production or even in testing, as it
increases the likelihood that it will accidentally be deployed that way.

> There are a couple of other things that
> need to be done for SSL to work (such as enabling the Apache SSL
> module) and it's long enough ago that I did it last that you had better
> look up a few tutorials. If you need to make your web server available
> publicly (and the best of luck if you have the courage to do that) then
> its certificate must be traceable back to a public CA.
>
That depends on who will be accessing the server in a way that requires
trusting the server.  A self-managed CA or even a self-signed
certificate may be perfectly adequate for a single user or small number
of users.

Regards,

-Roberto

--
Roberto C. Sánchez