From: "Steve Simon"
Date: Tue, 20 Mar 2018 13:11:34 +0000
To: 9front@9front.org
Subject: Re: [9front] /sys/lib/tls or /sys/lib/ssl
Message-ID: <6d5175ecdea4a1c38147722992202ba9@quintile.net>

Hi Kenji,

I believe /sys/lib/ssl is just historic; smtpd still uses it as the default place to find TLS/SSL certificates, but I override it on the command line on my server.

My /rc/bin/service/tcp465 contains:

    exec /bin/tlssrv -c /sys/lib/tls/mail.pem -l ssmtpd -r `{cat $3/remote} /bin/upas/smtpd -a -g -n $3

I wrote some notes on how to generate a new certificate, as my self-signed one expired a year or so ago.
--------------------------------------

Make a safe (not backed up) place to work:

    ramfs
    cd /tmp

Generate a key pair:

    auth/rsagen -b 2048 -t 'service=tls role=client owner=*' > key.rsa

Generate a certificate:

    auth/rsa2x509 'C=GB CN=*.mydomain.dom' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem

You can check your certificate using the web interface: https://certlogik.com

Update your secstore (used for sending email):

    auth/secstore -G factotum > factotum.old
    grep -v 'service=tls role=client owner=*' factotum.old > factotum
    cat key.rsa >> factotum
    diff factotum factotum.old
    auth/secstore -p factotum

Update the bootes secstore (used by imap4d and pop3d):

    auth/secstore -G factotum > factotum.old
    grep -v 'service=tls role=client owner=*' factotum.old > factotum
    cat key.rsa >> factotum
    diff factotum factotum.old
    auth/secstore -p factotum

Install the certificate here to allow httpd to speak https:

    cp key.pem /usr/web/sitename.pem
    chmod 644 /usr/web/sitename.pem

Install the certificate here to allow smtpd to speak EHLO:

    cp key.pem /sys/lib/tls/mail
    chmod 644 /sys/lib/tls/mail

Reboot the server so it re-reads the bootes factotum.

You can check email is working using: https://www.checktls.com/perl/live/TestReceiver.pl

-Steve
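An added example, not part of Steve's post and not 9front code: the same "generate a self-signed certificate" step done with the openssl command-line tool instead of auth/rsagen, auth/rsa2x509 and auth/pemencode, followed by the local checks worth running before the PEM is copied into /usr/web and /sys/lib/tls (the post suggests a web checker; these run offline). It checks that the private key and the certificate actually belong together, that the wildcard CN came out as typed, and how close the certificate is to expiry, which is the failure mode the post describes. Assumes the openssl CLI is installed; file names, the CN and the 30-day renewal window are illustrative.

```shell
#!/bin/sh
# Added example (not from the post, not 9front code): self-signed TLS
# certificate with the openssl CLI instead of auth/rsagen + auth/rsa2x509 +
# auth/pemencode, plus the local checks worth running before installing it.
# Assumes the openssl command-line tool is installed; names are illustrative.
set -e

WORK=$(mktemp -d)          # scratch dir, like the post's ramfs /tmp
trap 'rm -rf "$WORK"' EXIT # the private key never outlives the script

# gen_cert CN DAYS BASE: 2048-bit RSA key + self-signed cert, C=GB as in the post.
# Writes BASE.key (private key, keep it out of backups) and BASE.pem (certificate).
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/CN=$1" -days "$2" \
        -keyout "$3.key" -out "$3.pem" >/dev/null 2>&1
}

# key_matches BASE: succeeds if the public key inside BASE.pem is the public
# half of BASE.key. Catches the mistake of copying a fresh .pem into place
# while factotum/secstore still hold the previous key.
key_matches() {
    cert_pub=$(openssl x509 -in "$1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_cn BASE: prints the subject CN, to confirm the wildcard came out as typed.
cert_cn() {
    openssl x509 -in "$1.pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# expires_within BASE DAYS: succeeds if notAfter is less than DAYS from now.
# openssl -checkend exits 1 when the cert will expire inside the window, so
# the sense is inverted here.
expires_within() {
    ! openssl x509 -in "$1.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo: the wildcard CN from the post, valid for a year, then the three checks.
demo() {
    gen_cert '*.mydomain.dom' 365 "$WORK/srv"
    key_matches "$WORK/srv" && echo "key and certificate match"
    echo "CN: $(cert_cn "$WORK/srv")"
    if expires_within "$WORK/srv" 30; then
        echo "renew now: certificate expires within 30 days"
    else
        echo "certificate not expiring within 30 days"
    fi
}
demo
```

On the server the expiry check is the one to keep: run expires_within against the installed PEM from a cron job and mail yourself when it fires, so the certificate is replaced before smtpd and imap4d start presenting an expired one.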