Merging tlscertfile and tlscafile to only one TLS certificate
rjk at terraraq.uk
Wed Sep 8 22:25:17 UTC 2021
On 08/09/2021 21:47, Julien ÉLIE wrote:
> Hi all,
> A ticket has recently been opened regarding the use of tlscertfile and
> tlscafile. (Looks like it is easier to contact us via Github than Trac!)
> Currently, we have 2 files to deal with TLS certificates:
> - tlscertfile, from which INN loads only one certificate (the first);
> - tlscafile, from which INN loads all intermediary certificates.
> Another possibility would be to only have 1 parameter, pointing to a
> file containing the whole chain.
> I see in the inn.conf documentation:
> "Note that unlike Apache's SSLCertificateFile directive, tlscertfile
> should not contain a concatenation of certificates. Instead, if you
> have a certificate authority root certificate, set tlscafile to its path."
> Wouldn't it be better to do the same thing as Apache? Is there a reason
> for separating the certificates? (In case there is one global CA file
> for the news server shared with several applications, it might make
> sense to have it elsewhere so maybe that is the reason, though it seems
> confusing to people.)
From the original report:
| At the moment it is not possible to use a let's encrypt generated
certificate with nnrpd for this reason.
This doesn't seem to be true. I use LetsEncrypt certificates with INN
and it works fine.
- certbot's chain.pem corresponds to INN's tlscafile
- certbot's cert.pem corresponds to INN's tlscertfile
- certbot's fullchain.pem correponds to Apache's SSLCertificateFile
Matching Apache does seem like a good idea.
More information about the inn-workers