Installing own wildcard SSL certificate

Hi there,
I already have a wildcard certificate for my domain that I am installing MIAB for, so I have tried to install it manually. So I went to /home/user-data/ssl and replaced ssl_private_key.pem with my private key, then pointed ssl_certificate.pem to my certificate. Unfortunately, in System|SSL Certificates there is an error message now:
“The private key file /home/user-data/ssl/ssl_private_key.pem is not a private key file.”
Well, it is actually. I created it using openssl as an EC private key and have now converted it into an unencrypted private key, also using openssl, then copied it into /home/user-data/ssl/ssl_private_key.pem.
What could have gone wrong? Should I have left ssl_private_key.pem unchanged and put my own key in a different place? Does MIAB not like EC keys? Other ideas? I’d prefer not to have to reissue the certificate with a new private key; I don’t even know if I can do that without paying for it.
I have just noticed: accessing the admin UI via https shows no errors; my browser recognizes it as a valid configuration and can display my wildcard certificate, so the web server embedded in MIAB has found its way to it without a problem.
Thanks in advance,
Tomasz

I ask myself whether the fact that the embedded web server uses my certificate means that the mail server does, too, and only the SSL check has a problem now.

There’s a menu in the admin panel (TLS (SSL) Certificates) from which you can install manual certificates. I don’t know if the code behind that does something different from what you did, but it’s quite likely.
Did the manual process not work for you? It feels like the best way ahead is to restore or re-generate the mailinabox key and certificate and then use the manual process.
I do know that the mailinabox code will parse all certificates that are stored in user-data/ssl so I guess that’s why it’s working.

ssl_certificates.py line 508:
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey

My private key is EC, not RSA; this will be the reason for the wrong error message.

nginx works because it just uses the files pointed to by the appropriate variables and obviously can run with an EC-based key/certificate pair.
postfix and dovecot are also using the proper file names, meaning they use my own certificate.
So it looks like all should work, just the error message is misleading.
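The two findings above (an `isinstance(key, RSAPrivateKey)` test rejecting a perfectly valid EC key, and the services being happy as long as the key actually matches the certificate) can be reproduced without touching a Mail-in-a-Box install. The following is an added example, not Mail-in-a-Box's own code: it generates RSA, EC and Ed25519 keys in memory with the `cryptography` library, runs an RSA-only check of the kind the thread describes next to a check that accepts RSA or EC, and verifies that a key and certificate belong together by comparing their SubjectPublicKeyInfo. The self-signed certificate, the `*.example.test` name and all function names are constructed for this example.

```python
"""
Added example (not Mail-in-a-Box's own code): reproduce the "is not a private
key file" false negative for EC keys and show a check that accepts EC as well.
Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.x509.oid import NameOID


def make_key(kind):
    """Generate a private key in memory, standing in for the user's own
    `openssl genrsa` / `openssl ecparam -genkey` output."""
    if kind == "rsa":
        return rsa.generate_private_key(public_exponent=65537, key_size=2048)
    if kind == "ec":
        return ec.generate_private_key(ec.SECP256R1())
    if kind == "ed25519":
        return ed25519.Ed25519PrivateKey.generate()
    raise ValueError(f"unknown key kind: {kind}")


def to_pem(key):
    """Unencrypted PKCS#8 PEM, i.e. what ends up in ssl_private_key.pem."""
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def self_signed_cert_pem(key, cn):
    """Constructed self-signed certificate for `cn`, only so that there is a
    certificate to match the key against (a real wildcard cert would be CA-issued)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def check_rsa_only(key_pem):
    """The behaviour the thread describes: any parsed key that is not an
    RSAPrivateKey is reported as 'not a private key file'."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    if not isinstance(key, RSAPrivateKey):
        return "not a private key file"
    return "ok"


def check_rsa_or_ec(key_pem):
    """Relaxed check: accept RSA and EC keys, and name anything else honestly
    instead of claiming the file is not a key at all."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    if isinstance(key, RSAPrivateKey):
        return "ok (RSA)"
    if isinstance(key, EllipticCurvePrivateKey):
        return "ok (EC)"
    return "unsupported key type"


def key_matches_cert(key_pem, cert_pem):
    """True when the certificate carries the public key derived from the
    private key; this is what nginx, postfix and dovecot actually need."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return key.public_key().public_bytes(*spki) == cert.public_key().public_bytes(*spki)


if __name__ == "__main__":
    ec_key = make_key("ec")
    ec_pem = to_pem(ec_key)
    print("RSA-only check on EC key:", check_rsa_only(ec_pem))
    print("RSA-or-EC check on EC key:", check_rsa_or_ec(ec_pem))
    cert_pem = self_signed_cert_pem(ec_key, "*.example.test")
    print("key matches cert:", key_matches_cert(ec_pem, cert_pem))
```

Run against your real files, `check_rsa_or_ec(open('ssl_private_key.pem','rb').read())` tells you whether the key parses and what type it is, and `key_matches_cert` with the certificate file tells you whether the pair the services are loading is consistent, independent of what the admin panel reports.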

Now I have to find out how to stop letsencrypt from overwriting my files (I have no idea whether it does, but better to check than be sorry).

I have just created a PR containing changes that will allow elliptic curve private keys and SSL certificates to be used in addition to RSA.
Now that I’ve found my way into the code, I’ve begun to like MIAB :-).

Nice work! Mind if I ask how you found this? Did you use any Linux text parsing tools, or just drill down into the files until you found something suspicious?

I’m glad you like it!
I have looked for files with names containing ‘ssl’ and then read and analyzed the code.
Reading and analyzing code is my job (among other things…), so it wasn’t particularly difficult.
