Update to 3.0.2.5 deactivates official certificates in postfix

Report bugs and workarounds
Post Reply
jokr
Posts: 9
Joined: 30 Jul 2014 10:47

Update to 3.0.2.5 deactivates official certificates in postfix

Post by jokr » 05 Oct 2017 13:53

Hi !
Let's Encrypt mechanism is a nice idea. But we have some customers which force us to use "highend" certificates.
We edited /etc/postfix/main.cf to use these highend certificates located in /etc/postfix/ssl.
After the upgrade to 3.0.2.5 we had to re-edit main.cf and restart postfix to use our "highend" certificates.

TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Post by TheGr8Wonder » 05 Oct 2017 14:40

This is expected. The update from 3.0.2.4 -> 3.0.2.5 regenerates the self-signed cert from SHA1 2048bit to a SHA256 4096bit. With the regeneration of the cert, it also has a new name, to prepare for EC certs as well. The code assumes no modifications were made to eFa (pure vanilla system) and updates the cert used for Postfix and Apache to the new paths.

This is to ensure the security of the system is updated, regardless of prior certs used. While yes it's a nuisance for some admins, we still have to account for those that may not know what they're doing.

The path changes for Postfix and Apache are only going to be changed as the result of an upgrade to 3.0.2.5. Future updates will leave the existing cert paths in place. So if you have upgraded to 3.0.2.5 and have already re-mapped your certs, you should have nothing to worry going to 3.0.2.6 and future builds.

As far as the Let's Encrypt feature, once you enable it, it will update paths again accordingly to use the new cert. Once you disable Let's Encrypt, it will default the paths back to the self-signed cert generated in the 3.0.2.5 upgrade, and will not use prior paths if you had another 3rd party cert in-place beforehand.

I will be sure to update the 3.0.2.5 to make it clear about the certificate changes and the potential work required for prior 3rd party certs.

phideauxx
Posts: 16
Joined: 26 Feb 2015 18:21

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Post by phideauxx » 13 Oct 2017 12:03

Would this be the same reason httpd wouldn't start after upgrade to 3.0.2.5 since I also have commercial certificates installed? Is there already a post with the additional instructions for those with custom certificates already installed after 3.0.2.5?
Last edited by phideauxx on 13 Oct 2017 12:06, edited 1 time in total.

TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Post by TheGr8Wonder » 13 Oct 2017 12:06

Yes. Any custom certificate paths used within postfix or apache, will need to be updated to correct values again.

All prior certs used for apache were backed up in "/etc/pki/tls/backup" in the upgrades from 3.0.2.4 to 3.0.2.5

Post Reply