Update to 3.0.2.5 deactivates official certificates in postfix

Posted: 05 Oct 2017 13:53
by jokr
Hi!
The Let's Encrypt mechanism is a nice idea. But we have some customers who force us to use "high-end" certificates.
We edited /etc/postfix/main.cf to use these high-end certificates located in /etc/postfix/ssl.
After the upgrade to 3.0.2.5 we had to re-edit main.cf and restart postfix to use our "high-end" certificates.

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Posted: 05 Oct 2017 14:40
by TheGr8Wonder
This is expected. The update from 3.0.2.4 -> 3.0.2.5 regenerates the self-signed cert from SHA-1 2048-bit to SHA-256 4096-bit. With the regeneration of the cert, it also has a new name, to prepare for EC certs as well. The code assumes no modifications were made to eFa (pure vanilla system) and updates the cert used for Postfix and Apache to the new paths.

This is to ensure the security of the system is updated, regardless of prior certs used. While yes it's a nuisance for some admins, we still have to account for those that may not know what they're doing.

The path changes for Postfix and Apache are only going to be changed as the result of an upgrade to 3.0.2.5. Future updates will leave the existing cert paths in place. So if you have upgraded to 3.0.2.5 and have already re-mapped your certs, you should have nothing to worry about going to 3.0.2.6 and future builds.

As for the Let's Encrypt feature, once you enable it, it will update the paths again accordingly to use the new cert. Once you disable Let's Encrypt, it will default the paths back to the self-signed cert generated in the 3.0.2.5 upgrade, and will not use prior paths if you had another 3rd party cert in place beforehand.

I will be sure to update the 3.0.2.5 to make it clear about the certificate changes and the potential work required for prior 3rd party certs.

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Posted: 13 Oct 2017 12:03
by phideauxx
Would this be the same reason httpd wouldn't start after upgrade to 3.0.2.5 since I also have commercial certificates installed? Is there already a post with the additional instructions for those with custom certificates already installed after 3.0.2.5?

Re: Update to 3.0.2.5 deactivates official certificates in postfix

Posted: 13 Oct 2017 12:06
by TheGr8Wonder
Yes. Any custom certificate paths used within postfix or apache will need to be updated to the correct values again.

All prior certs used for apache were backed up in "/etc/pki/tls/backup" in the upgrade from 3.0.2.4 to 3.0.2.5.
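A post-upgrade drift check for the path re-mapping described in the two answers above, added here as an example that is not part of the thread or of eFa itself: it parses the TLS certificate directives out of Postfix main.cf (including continuation lines) and Apache ssl.conf and reports every directive that no longer points at the admin's own certificate files. The expected paths under /etc/postfix/ssl, the sample config contents and the self-signed placeholder paths are all constructed assumptions.

```python
"""Report Postfix/Apache certificate directives that drifted away from the
custom (third-party) certificate paths after an upgrade. Constructed example."""
import re

# Where the admin's own certs live (assumed; the thread only names /etc/postfix/ssl).
EXPECTED = {
    "smtpd_tls_cert_file": "/etc/postfix/ssl/mail.example.com.crt",
    "smtpd_tls_key_file": "/etc/postfix/ssl/mail.example.com.key",
    "SSLCertificateFile": "/etc/postfix/ssl/mail.example.com.crt",
    "SSLCertificateKeyFile": "/etc/postfix/ssl/mail.example.com.key",
}

# Constructed post-upgrade config snippets; the *-PLACEHOLDER paths stand in for
# whatever name the regenerated self-signed certificate actually gets.
SAMPLE_MAIN_CF = """# TLS settings (constructed sample, not a real eFa main.cf)
smtpd_tls_cert_file = /etc/pki/tls/certs/eFa-selfsigned-PLACEHOLDER.crt
smtpd_tls_key_file = /etc/pki/tls/private/eFa-selfsigned-PLACEHOLDER.key
smtpd_tls_mandatory_protocols = !SSLv2,
    !SSLv3
"""
SAMPLE_SSL_CONF = """<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile /etc/postfix/ssl/mail.example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/eFa-selfsigned-PLACEHOLDER.key
</VirtualHost>
"""

def parse_main_cf(text):
    """Parse Postfix main.cf: 'name = value'; a line starting with whitespace
    continues the previous value; '#' lines are comments."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_httpd_ssl(text):
    """Collect SSLCertificate{,Key,Chain}File directives from Apache ssl.conf."""
    pat = r"^\s*(SSLCertificate(?:Key|Chain)?File)\s+(\S+)"
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}

def cert_drift(params):
    """Return {directive: (expected, actual)} for every re-mapped path."""
    return {k: (v, params[k]) for k, v in EXPECTED.items()
            if k in params and params[k] != v}

if __name__ == "__main__":
    for name, found in (("postfix", parse_main_cf(SAMPLE_MAIN_CF)),
                        ("apache", parse_httpd_ssl(SAMPLE_SSL_CONF))):
        for directive, (want, got) in cert_drift(found).items():
            print(f"{name}: {directive} is {got}, expected {want}")
```

On a real host, read /etc/postfix/main.cf and the Apache ssl.conf instead of the embedded samples; an empty drift dict means the custom certificate paths survived the upgrade.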