Correct, surge_cert.pem must contain the certificate (first) and any
intermediate certificates (after), and make sure the line terminations look
sane; sometimes email or something can munge them up.
surge_priv.pem is the key that your CSR was created from, and MUST not
be changed after the CSR is created; if it is/was changed then your
certificates won't work.
After restarting surgemail it will tell you in mail.err if the key doesn't
match etc., so check that for SSL issues. (And upgrade to our latest beta,
which gives clearer errors.)
ChrisP.
No CSRs in any directory, but I was wondering where it was stored,
because it keeps coming up blank on my server. I just need the exact order in
which to get this to work.
----- Original Message -----
From: "Chris Ferebee" <cf@ferebee.net>
To: surgemail-list@netwinsite.com
Sent: Thursday, November 13, 2014 2:08:13 PM
Subject: Spam:*********, Re: [SurgeMail List] SSL Issues
Steve,
Just to be clear - you mention putting CSR files in the SSL directory, is
that a typo?
The CSR (Certificate Signing Request) is only needed when requesting the
cert from the CA. To use the certificate for TLS, you need the certificate and
the corresponding private key - the CSR is no longer required.
Surgemail can generate a private key for you and a corresponding CSR, but
you can also generate them in other ways, e.g. with the OpenSSL command line.
In the end, you need the files
surge_cert.pem and
surge_priv.pem
in the /usr/local/surgemail/ssl/ directory (or equivalent).
If you are serving multiple TLS domains via SNI, you need subdirectories
/usr/local/surgemail/ssl/domain.tld that contain surge_cert.pem and
surge_priv.pem files. Those certificate files will be used with SNI for TLS
requests that specify domain.tld, while Surgemail will serve the certificate
from the main ssl directory for any other domains. (Which will give you name
mismatch errors unless you have a wildcard certificate or one that lists
multiple appropriate SANs.)
Best,
Chris
On 13.11.2014 at 17:19, Steven <steve@wavedirect.org> wrote:
I had a cert specifically for my mail server but then I upgraded to a
wildcard for the domain so I can use it for multiple servers.
I wanted to replace the cert so I pasted in the CSR I used in and then
the bundle ... what happened was the CSR field went blank, it showed my
cert, its issuer and all the other information except the domain it worked
for. It should have shown *.domain.com but it was blank.
I tried to put in the old CSR and old CERT just to revert back until I
figured out what I was doing wrong but it wouldn't accept that either. The
CSR remains blank even after a restart of the server etc.
So I really should only need 2 things for this certificate to work -
the CSR and the CERT (bundle in my case). I even tried to manually enter it
into the /usr/local/surgemail/ssl/surge_cert.pem without luck.
Bug or am I doing something wrong? This has always worked in the past.
Using 6.7c-1
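The checks ChrisP and Chris Ferebee describe above (server certificate first, intermediates after it, sane line endings, and surge_priv.pem matching the key the CSR was made from) can be run before restarting surgemail rather than discovered in mail.err afterwards. The script below is an added example written for this thread, not code from NetWin or SurgeMail; it assumes only the openssl command-line tool. The function name check_ssl_dir and the helper make_demo_dir are my own; make_demo_dir builds a throwaway, constructed CA plus server key/cert pair in a temp directory so the checks can be exercised offline, whereas in real use you would point check_ssl_dir at /usr/local/surgemail/ssl or an SNI subdirectory.

```shell
#!/bin/sh
# Added example, not SurgeMail's own code. Sanity-checks a SurgeMail ssl
# directory: surge_cert.pem (server cert first, then its issuers) and
# surge_priv.pem (the key the CSR was generated from). Needs only openssl.

# Strip the "subject=" / "issuer=" prefix that openssl prints (with or without
# a trailing space, depending on the OpenSSL version).
dn_of() { openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Return 0 when the pair looks usable, else print the first problem and return 1.
check_ssl_dir() {
  dir=$1
  cert="$dir/surge_cert.pem"
  key="$dir/surge_priv.pem"

  for f in "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing: $f"; return 1; }
    # Mail clients and copy/paste often turn LF into CRLF; OpenSSL may then
    # reject the PEM, which is the "line terminations" problem in the thread.
    cr=$(( $(tr -cd '\r' < "$f" | wc -c) ))
    if [ "$cr" -ne 0 ]; then
      echo "CR characters in $f (re-save it with plain LF line endings)"; return 1
    fi
  done

  # The *first* PEM block must be the server certificate, not a CSR or key.
  first=$(awk '/-----BEGIN/{print; exit}' "$cert")
  case $first in
    *"BEGIN CERTIFICATE"*) ;;
    *) echo "first block of $cert is '$first', expected a CERTIFICATE"; return 1 ;;
  esac

  # Key/cert agreement: the public key inside the cert must equal the public
  # key derived from surge_priv.pem (works for RSA and EC keys alike).
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] || { echo "cannot read private key $key"; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "surge_priv.pem does not match surge_cert.pem (key changed after the CSR?)"
    return 1
  fi

  # Chain order: every certificate after the first must be the issuer of the
  # one before it, i.e. the CA bundle goes *after* the server certificate.
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$cert"
  n=1
  prev_issuer=$(dn_of "$tmp/1.pem" -issuer)
  while [ -r "$tmp/$((n+1)).pem" ]; do
    n=$((n+1))
    subj=$(dn_of "$tmp/$n.pem" -subject)
    if [ "$subj" != "$prev_issuer" ]; then
      echo "cert $n in the bundle ($subj) is not the issuer of cert $((n-1)) ($prev_issuer)"
      rm -rf "$tmp"; return 1
    fi
    prev_issuer=$(dn_of "$tmp/$n.pem" -issuer)
  done
  rm -rf "$tmp"
  echo "ok: $n certificate(s) in $cert, private key matches"
  return 0
}

# Constructed demo data (not a real CA): a throwaway CA signs a throwaway
# server CSR, and the bundle is written in the order the thread prescribes.
make_demo_dir() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca_key.pem" \
    -out "$dir/ca.pem" -days 1 -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/surge_priv.pem" \
    -out "$dir/surge.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/surge.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca_key.pem" \
    -CAcreateserial -out "$dir/server.pem" -days 1 >/dev/null 2>&1
  cat "$dir/server.pem" "$dir/ca.pem" > "$dir/surge_cert.pem"
  echo "$dir"
}

# Usage against a live installation (paths as given in the thread):
#   check_ssl_dir /usr/local/surgemail/ssl
#   for d in /usr/local/surgemail/ssl/*/; do check_ssl_dir "$d"; done   # SNI dirs
```

The public-key comparison is the same test surgemail performs when it complains in mail.err that the key does not match; running it here tells you which of the two files to fix. The chain loop only checks issuer/subject ordering, not trust, so a bundle that passes can still be rejected by clients if the CA's intermediates are missing entirely.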