Merging tlscertfile and tlscafile to only one TLS certificate

Richard Kettlewell rjk at terraraq.uk
Wed Sep 8 22:25:17 UTC 2021


On 08/09/2021 21:47, Julien ÉLIE wrote:
> Hi all,
> 
> A ticket has recently been opened regarding the use of tlscertfile and 
> tlscafile.  (Looks like it is easier to contact us via Github than Trac!)
>    https://github.com/InterNetNews/inn/issues/164
> 
> Currently, we have 2 files to deal with TLS certificates:
>   - tlscertfile, from which INN loads only one certificate (the first);
>   - tlscafile, from which INN loads all intermediary certificates.
> 
> Another possibility would be to only have 1 parameter, pointing to a 
> file containing the whole chain.
> 
> I see in the inn.conf documentation:
> "Note that unlike Apache's SSLCertificateFile directive, tlscertfile 
> should not contain a concatenation of certificates.  Instead, if you 
> have a certificate authority root certificate, set tlscafile to its path."
> 
> Wouldn't it be better to do the same thing as Apache?  Is there a reason 
> for separating the certificates?  (In case there is one global CA file 
> for the news server shared with several applications, it might make 
> sense to have it elsewhere so maybe that is the reason, though it seems 
> confusing to people.)
> 

From the original report:

|  At the moment it is not possible to use a let's encrypt generated 
|  certificate with nnrpd for this reason.

This doesn't seem to be true. I use LetsEncrypt certificates with INN 
and it works fine.

- certbot's chain.pem corresponds to INN's tlscafile
- certbot's cert.pem corresponds to INN's tlscertfile
- certbot's fullchain.pem corresponds to Apache's SSLCertificateFile

Matching Apache does seem like a good idea.

ttfn/rjk
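As an added example (not code from this thread or from INN), a POSIX shell script that turns a certbot-style fullchain.pem into the cert.pem/chain.pem pair INN expects for tlscertfile and tlscafile, and checks that tlscertfile holds exactly one certificate, since INN reads only the first one from that file. The PEM blocks are constructed placeholders, not real certificates, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from INN: split an Apache-style
# fullchain.pem (leaf first, intermediates after) into INN's two files
# and check them the way INN will consume them.

# Number of PEM certificates in a file (0 when none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# Split $1 (fullchain): first certificate -> $2 (tlscertfile),
# every following certificate -> $3 (tlscafile).
split_fullchain() {
    : > "$2"
    : > "$3"
    awk -v leaf="$2" -v chain="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print >> leaf; next }
        n >= 2 { print >> chain }
    ' "$1"
}

# INN loads only the first certificate from tlscertfile, so a concatenated
# chain placed there is silently truncated; the intermediates belong in
# tlscafile. Returns non-zero when the pair would not serve a full chain.
check_inn_tls_files() {
    leaf_n=$(count_certs "$1")
    chain_n=$(count_certs "$2")
    [ "$leaf_n" -eq 1 ] || { echo "tlscertfile has $leaf_n certs; INN uses only the first" >&2; return 1; }
    [ "$chain_n" -ge 1 ] || { echo "tlscafile has no intermediate certs" >&2; return 1; }
    return 0
}

# Constructed placeholder PEM blocks standing in for certbot's fullchain.pem.
write_sample_fullchain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED+LEAF+CERTIFICATE+PLACEHOLDER+NOT+A+REAL+CERT=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED+INTERMEDIATE+CERTIFICATE+PLACEHOLDER+NOT+REAL=
-----END CERTIFICATE-----
EOF
}

# Whole flow in a scratch directory; returns 0 when the split files pass.
demo() {
    dir=$(mktemp -d)
    write_sample_fullchain "$dir/fullchain.pem"
    split_fullchain "$dir/fullchain.pem" "$dir/cert.pem" "$dir/chain.pem"
    if check_inn_tls_files "$dir/cert.pem" "$dir/chain.pem"; then status=0; else status=1; fi
    rm -rf "$dir"
    return $status
}
```

Pointing tlscertfile at fullchain.pem itself (the Apache habit the thread discusses) is exactly what check_inn_tls_files flags, because only the leaf would be loaded and clients would be sent an incomplete chain.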

