mkcert.sh dovecot-openssl.cnf

Bug #59642 reported by Andy Hauser
Affects            Status        Importance  Assigned to  Milestone
dovecot (Ubuntu)   Fix Released  Wishlist    Unassigned

Bug Description

Binary package hint: dovecot-common

dovecot-common does not provide mkcert.sh and dovecot-openssl.cnf.
Instead an install script produces the required cert and key.
But there are reasons for inclusion. The key expires after a year.
This could also be solved by raising the expiration days in the install script.
People might also want to change the values in their cert and having the
files from the distribution around as templates helps.

Wesley Schwengle (wesleys) wrote :

I have the same problem, the only difference is that I don't have dovecot-openssl.cnf on my system, dpkg -L on dovecot-(common|imapd|pop3d) do not show mkcert.sh and dovecot-openssl.cnf.

This is annoying when you want to set up dovecot with SSL and there are no means to accomplish this with the Ubuntu package.

Rolf Leggewie (r0lf) wrote :

Just had the same problem. Setting to confirmed.

Changed in dovecot:
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Rolf Leggewie (r0lf) wrote :

/usr/share/doc/dovecot-common/configuration.txt.gz is also less than "optimally" worded to reflect the situation. Why first say "do x" and then "unless you are on Debian". Well, we are on Ubuntu anyway ;-)

Giangy (giangy-giangy) wrote :

I've copied it from fedora, it works fine.

Soren Hansen (soren) wrote :

We have the ssl-cert package to provide simple SSL-certificates. It also allows you to regenerate them easily (see the man page for make-ssl-cert). In my opinion, providing simple means for making self-signed certificates with custom information in it will just provide a false sense of security. If you want this, the proper way to do it is to set up a proper CA and install the root certificate on each machine that needs to authenticate the server.

In short: I think the lack of these scripts is in fact a good thing. If your certificate is about to expire, make-ssl-cert is the solution. If you want your own info in the certificate, you should set up a CA (which is really not very difficult. There are plenty of howtos on that subject floating around). If you insist on doing this the wrong way, you can edit /usr/share/ssl-cert/ssleay.cnf. Be aware, though, that it's not a config file in the dpkg sense, so it *will* be overwritten when ssl-cert is updated (which happens very rarely).

Unless someone has good arguments against it, I'll reject this bug in about a week.

Changed in dovecot:
assignee: nobody → shawarma
Rolf Leggewie (r0lf) wrote :

I think I ran into this issue when trying to set up a certificate with cacert.org (you have to create it yourself). No need to set up my own CA for that which I think is over the top whether or not there are howtos floating around. I am not a security expert, but I was looking for an unobtrusive way to provide an SSL-secured web server that my clients can access and exchange information in a secure fashion. The cacert.org philosophy has a lot going for it me thinks.

Soren Hansen (soren) wrote :

Rolf, you are completely right. cacert.org is definitely a really good way to go about this. I can't believe I didn't think of it.

Soren Hansen (soren) wrote :

Setting to "won't fix". Rationale given a few comments up.

Changed in dovecot:
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote :

> Setting to "won't fix". Rationale given a few comments up.

What? How come you all of the sudden completely forgot about comment 6 and 7? Reopening.

Changed in dovecot:
assignee: shawarma → nobody
status: Won't Fix → Confirmed
Soren Hansen (soren) wrote : Re: [Bug 59642] Re: mkcert.sh dovecot-openssl.cnf

On Wed, Aug 01, 2007 at 02:58:02PM -0000, Rolf Leggewie wrote:
> > Setting to "won't fix". Rationale given a few comments up.
> What? How come you all of the sudden completely forgot about comment
> 6 and 7? Reopening.

What makes you think I forgot about them? In comment 5, I said: "Unless
someone has good arguments against it, I'll reject this bug in about a
week." Comments 6 and 7 are a bit of discussion about what to do instead
of using mkcert.sh. How does the fact that the two of us agreed that
CACert is a good solution constitute good arguments against closing the
bug? You want a reference to CACert in the documentation or what?

--
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/

Rolf Leggewie (r0lf) wrote :

You asked for examples of where your argument "the current solution is adequate if not even a plus" is not valid - creating certificates for use with cacert.org. I thought you agreed to this in comment 7.

If I am mistaken, then please tell me how you think one should go about creating and recreating ssl certificates for use with cacert.org. Thank you.

Soren Hansen (soren) wrote :

On Mon, Aug 27, 2007 at 09:00:38AM -0000, Rolf Leggewie wrote:
> you asked for examples of where your argument "the current solution is
> adequate if not even a plus" is not valid - creating certificates for
> use with cacert.org. I thought you agreed to this in comment 7.

You've completely lost me here. I thought you suggested using CACert.org
instead of setting up a CA yourself?

> If I am mistaken, then please tell me how you think one should go
> about creating and recreating ssl certificates for use with
> cacert.org. Thank you.

You don't create certificates for use with CACert. CACert is a CA,
meaning *they* provide *you* with certificates based on CSR's. CACert
documents how to create a CSR here: http://www.cacert.org/help.php?id=4

How did mkcert.sh help you in this respect?

--
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/
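Added here as an illustration of the two workflows the thread argues over; this is not dovecot's mkcert.sh, not Ubuntu's make-ssl-cert, and not from any commenter. It builds a key and a self-signed certificate with a chosen validity from a minimal dovecot-openssl.cnf-style config (the one-year expiry from the bug description becomes a parameter), produces a CSR from the same key for a CA such as CACert to sign, and adds the checks a practitioner wants before pointing dovecot at the files. Organisation, hostname, e-mail address and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: not dovecot's mkcert.sh nor Ubuntu's make-ssl-cert.
# Subject values, hostnames and paths are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DAYS="${DAYS:-730}"   # self-signed validity; the packaged script gave one year

# Minimal config in the style of dovecot-openssl.cnf (constructed here).
write_cnf() {
  cat > "$WORK/dovecot-openssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
O = Example Home Network
CN = imap.example.test
emailAddress = postmaster@example.test
[ cert_type ]
nsCertType = server
EOF
}
# Self-signed cert and key: fine where you trust your own signer (homebrew network).
make_selfsigned() {
  write_cnf
  openssl req -new -x509 -nodes -config "$WORK/dovecot-openssl.cnf" -days "$DAYS" \
    -keyout "$WORK/dovecot.key" -out "$WORK/dovecot.pem" 2>/dev/null
  chmod 0600 "$WORK/dovecot.key"   # dovecot reads the key as root; keep it private
}
# CSR from the same key: this is what a CA such as CACert signs; the CA issues the cert.
make_csr() {
  openssl req -new -config "$WORK/dovecot-openssl.cnf" \
    -key "$WORK/dovecot.key" -out "$WORK/dovecot.csr" 2>/dev/null
}
# Checks; each returns 0 on success so it can sit in an if or || list.
cert_ok_for_days() {   # still valid $1 days from now? (catches the expiry surprise)
  openssl x509 -in "$WORK/dovecot.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}
csr_verifies() { openssl req -in "$WORK/dovecot.csr" -noout -verify 2>/dev/null; }
cert_cn_matches() { openssl x509 -in "$WORK/dovecot.pem" -noout -subject | grep -q "CN *= *$1"; }
key_matches_cert() {   # key and cert belong together (a mismatched pair is a common misconfig)
  [ "$(openssl x509 -in "$WORK/dovecot.pem" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/dovecot.key" -noout -modulus 2>/dev/null)" ]
}

make_selfsigned && make_csr
cert_ok_for_days 365 && csr_verifies && key_matches_cert && echo "files in $WORK"
```

Point ssl_cert_file/ssl_key_file at dovecot.pem and dovecot.key for the self-signed path, or submit dovecot.csr to the CA and install the certificate it returns in place of dovecot.pem.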

Mathias Gug (mathiaz) wrote :

There is a similar issue with apache2: See bug 77675.

One suggestion could be to add a shell script to replace mkcert.sh that just tells the user to use the ssl-cert package. That way, all the documentation that refers to mkcert.sh is still valid and a pointer is given to use a better solution.

Daniel T Chen (crimsun)
Changed in dovecot:
importance: Medium → Wishlist
Barry Warsaw (barry) wrote :

I'll throw my weight behind adding mkcert.sh to the package. The rationale is that if you google for "dovecot ssl" you'll be presented with the dovecot.org wiki pages that describe using mkcert.sh. So naturally you're going to want to try that simple approach and will fail on Ubuntu.

Simple self-signed certificates are perfectly fine in a homebrew network. When I'm out on the road, I just want an encrypted tunnel to the imap server (and smtp server) on my home network. I trust my own signed certs, so I don't need anything else. The lack of mkcert.sh in the Ubuntu package for dovecot makes life harder.

cnom (cnom) wrote :

/etc/dovecot/conf.d/10-ssl.conf, ll. 11-12: "Included doc/mkcert.sh can be used to easily generate self-signed certificate [...]"
At the very least, the comment in the conf should be fixed. The way it is, I read that, locate'd unsuccessfully, scratched my head, did a web search and... here I am. Sub-optimal.

Bryce Harrington (bryce) wrote :

ubuntu@ubuntu-bionic:~$ grep mkcert /etc/dovecot/conf.d/10-ssl.conf
# root. Included doc/mkcert.sh can be used to easily generate self-signed
ubuntu@ubuntu-bionic:~$ locate mkcert.sh
/usr/share/dovecot/mkcert.sh

Originally reported issue appears to be fixed now.

Changed in dovecot (Ubuntu):
status: Confirmed → Fix Released