All-in-one certificate file for obscure server software (ZNC)


#1

Having gotten LetsEncrypt configured to do almost everything on my server automatically, there’s one key component missing for the rest. Several server applications I use signed certificates for (ZNC and WeeChat relays for two) expect everything including the key to be in a single PEM.

Could we get the client to issue an ‘everything.pem’ file so that I don’t have to throw something like cat {privkey,cert,chain}.pem > everything.pem into a cronjob?


#2

I have heard other reports of software that wants particular bundle combinations other than those in chain.pem and fullchain.pem, so we could potentially consider creating other bundles too for greater software compatibility. Right now, I’m just concerned about confusing administrators by providing so many bundles; we’ve already seen some people get confused about the difference between chain.pem and fullchain.pem (like nginx users who end up configuring chain.pem not realizing that fullchain.pem was intended for them), and perhaps this problem would get worse if we offered even more bundles to choose from. So I think the biggest difficulty is somehow conveying to each user which file or files are relevant to their application.


#3

Perhaps the client could take options for which bundles to generate, and come with ‘presets’ like --apache, --nginx that specify which specific ones you need? That caters to both power users who specify the exact bundles they want, and to the layman who just tells it “I’m using Apache” and it uses the Apache plugin and generates the files Apache needs.

Being little more than a layman myself, I’m not sure what the flaws inherent in that are, however.


#4

Courier-imap is another application that wants the key and cert in the same .pem file.


#5

Dovecot gave me issues as well


#6

I just looked into this, I have a bouncer running on my server… I wasn’t originally going to update it since I’m the only user… However, it is easy!

ZNC Documentation

RTFM! But, if you don’t… All you have to do is cat over your privkey.pem to a file called znc.pem (or any name), then cat over your cert and the intermediate CA cert. So you end up with a text file that has (IN THIS ORDER):

privkey.pem
cert.pem
chain.pem

There is no need to do the key exchange either; it worked fine for me without it.

There are instructions as well on the ZNC page for LetsEncrypt, for those who aren’t running a web server (I am, so I didn’t need them), which outline how to get the certs without running your own hosting.


#7

For what it’s worth, the current dev version of ZNC supports having the certificate chain and the private key in two separate files - you’re also all forgetting the dhparam section to be appended to the znc.pem file (which is also configurable to be in a separate file in ZNC git)


#8

I have seen a private key leaked in this community because it was attached to a certain PEM file like this… I wouldn’t recommend it.
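
Putting the thread together (the cronjob from #1, the key / cert / chain order from #6, the optional dhparam section from #7 and the leak risk from #8), here is an added example of a small POSIX shell script for building such a bundle. It is not code from this thread, from ZNC or from the Let’s Encrypt client; it assumes certbot-style input names (privkey.pem, cert.pem, chain.pem) in a directory the caller passes, and an optional dhparam.pem, which is an assumed name. The bundle is written to a 0600 temp file and renamed into place, and a check function refuses a file where the key is not first or that is readable by other users.

```shell
#!/bin/sh
# Added example (not from the thread, ZNC or the Let's Encrypt client): build the
# all-in-one PEM that ZNC, Courier and similar software expect, in the order from
# post #6 (private key, leaf cert, intermediate chain), without ever leaving the
# private key in a partially written or world-readable file (the risk in post #8).
# Assumptions: certbot-style input names privkey.pem / cert.pem / chain.pem, and
# an optional dhparam.pem (assumed name) appended last, as post #7 describes.
set -eu

# build_bundle SRC_DIR OUT_FILE
# Concatenates the parts into a temp file created 0600 in the target directory
# and renames it over OUT_FILE, so the swap is atomic and never mode 0644.
build_bundle() {
    src_dir=$1
    out=$2
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -s "$src_dir/$f" ]; then
            echo "build_bundle: missing or empty $src_dir/$f" >&2
            return 1
        fi
    done
    tmp=$(mktemp "$(dirname "$out")/.bundle.XXXXXX")   # mktemp creates it 0600
    cat "$src_dir/privkey.pem" "$src_dir/cert.pem" "$src_dir/chain.pem" > "$tmp"
    if [ -s "$src_dir/dhparam.pem" ]; then
        cat "$src_dir/dhparam.pem" >> "$tmp"            # optional, assumed name
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# bundle_ok FILE
# Returns 0 when FILE holds exactly one private key block, that block comes
# first, at least one certificate follows it, and the file mode is 0600.
bundle_ok() {
    file=$1
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$file" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    first=$(sed -n '/^-----BEGIN/{p;q;}' "$file")
    [ "$keys" -eq 1 ] || return 1
    [ "$certs" -ge 1 ] || return 1
    case "$first" in
        *"PRIVATE KEY"*) ;;
        *) return 1 ;;
    esac
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = "600" ]
}

# demo: constructed placeholder PEM blocks (not real keys or certificates) so
# the script can be exercised offline; returns 0 when build and check pass.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$d/chain.pem"
    build_bundle "$d" "$d/znc.pem"
    bundle_ok "$d/znc.pem"
    rm -rf "$d"
}

demo && echo "bundle built and checked"
```

Run build_bundle from the cronjob mentioned in #1, or from whatever hook your client runs after a renewal, pointing it at the directory that holds the freshly issued files; bundle_ok afterwards catches the two mistakes the thread describes, wrong part order and a key that other local users can read.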


#9

The long term solution is of course to patch courier to accept separate files. But in the meantime some of us still have to create these all in one files.