Correctly load certificates from /etc/ssl/private
parent
ca4bc9d4ff
commit
7606e87a4c
|
@ -156,7 +156,7 @@ systemd:
|
|||
[Service]
|
||||
ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates
|
||||
ExecStart=
|
||||
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/certificates $V && chown -R 10000:10000 $V"
|
||||
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private $V && chown -R 10000:10000 $V"
|
||||
ExecStartPost=/bin/podman volume unmount letsencrypt-certificates
|
||||
|
||||
storage:
|
||||
|
@ -197,7 +197,7 @@ storage:
|
|||
|
||||
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
|
||||
# generating certificates for the virtual host.
|
||||
- path: /etc/ssl/private/certificates/localhost/fullchain.pem
|
||||
- path: /etc/ssl/private/localhost/fullchain.pem
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: |
|
||||
|
@ -220,7 +220,7 @@ storage:
|
|||
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
|
||||
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
|
||||
-----END CERTIFICATE-----
|
||||
- path: /etc/ssl/private/certificates/localhost/privkey.pem
|
||||
- path: /etc/ssl/private/localhost/privkey.pem
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: |
|
||||
|
|
|
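Review bot: The relocated key entry `- path: /etc/ssl/private/localhost/privkey.pem` in the third hunk keeps `mode: 0644`, so the private key is world-readable on the host; `mode: 0600` is the appropriate permission for a key file, and the later `chown -R 10000:10000 $V` on the volume copy should still leave it readable by the service uid (the companion `fullchain.pem` entry can stay 0644). Separately, in the first hunk `cp -Rv /etc/ssl/private $V` copies the directory itself, producing `$V/private/<host>/…` in the volume, whereas the previous `cp -Rv /etc/ssl/private/certificates $V` produced `$V/certificates/<host>/…`; the new container-side paths `/etc/ssl/private/<host>/…` therefore only resolve if the volume is now mounted at `/etc/ssl`, and if it is still mounted at `/etc/ssl/private` the recipe wants `cp -Rv /etc/ssl/private/. $V` instead — the mount point is outside this diff, so this is inferred. Note also that the copy now includes everything under `/etc/ssl/private`, not just the certificate tree, and all of it is handed to uid 10000 by the chown.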
@ -444,14 +444,14 @@ realm=${COTURN_REALM}
|
|||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
#
|
||||
cert=/etc/ssl/private/certificates/${COTURN_REALM}/fullchain.pem
|
||||
cert=/etc/ssl/private/${COTURN_REALM}/fullchain.pem
|
||||
|
||||
# Private key file.
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
pkey=/etc/ssl/private/certificates/${COTURN_REALM}/privkey.pem
|
||||
pkey=/etc/ssl/private/${COTURN_REALM}/privkey.pem
|
||||
|
||||
# Private key file password, if it is in encoded format.
|
||||
# This option has no default value.
|
||||
|
|
|
@ -82,8 +82,8 @@ ssl_min_protocol = TLSv1.2
|
|||
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl_prefer_server_ciphers = no
|
||||
|
||||
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}/fullchain.pem
|
||||
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}/privkey.pem
|
||||
ssl_cert = </etc/ssl/private/${DOVECOT_HOST}/fullchain.pem
|
||||
ssl_key = </etc/ssl/private/${DOVECOT_HOST}/privkey.pem
|
||||
|
||||
protocol imap {
|
||||
mail_max_userip_connections = 25
|
||||
|
|
|
@ -8,8 +8,8 @@ server {
|
|||
listen 443 ssl;
|
||||
server_name ${SERVER_NAME} ${SERVER_NAME_ALT};
|
||||
|
||||
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}/privkey.pem;
|
||||
ssl_certificate /etc/ssl/private/${SSL_CERT_NAME}/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/private/${SSL_CERT_NAME}/privkey.pem;
|
||||
|
||||
include resolver.conf;
|
||||
set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${UPSTREAM_PATH};
|
||||
|
|
|
@ -202,6 +202,6 @@ tls_ssl_options = no_ticket, no_compression
|
|||
tls_preempt_cipherlist = no
|
||||
|
||||
# Certificate file location.
|
||||
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/fullchain.pem
|
||||
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}/privkey.pem
|
||||
smtpd_tls_cert_file = /etc/ssl/private/${POSTFIX_HOST}/fullchain.pem
|
||||
smtpd_tls_key_file = /etc/ssl/private/${POSTFIX_HOST}/privkey.pem
|
||||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
||||
|
|
|
@ -185,7 +185,7 @@ openmetrics_allow_cidr = "10.89.0.0/16"
|
|||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "/etc/ssl/private/certificates"
|
||||
certificates = "/etc/ssl/private"
|
||||
|
||||
-- Allow TLS connections with additional, less secure ciphers, for compatibility with older clients.
|
||||
ssl = {
|
||||
|
|