Why are there so many pem files in my /etc/ssl/certs directory

I'm trying to get an understanding of certificates, so the first thing I did was look in my /etc/ssl/certs folder, and I see there are a lot of pem files that I don't remember creating or downloading. If they're on my server, does that mean I must have had them issued and downloaded them? Additionally there are a lot of .0 files; I don't know what those are.

Those sound like the system's trusted CA certificates (things like the root certificate for ISRG Root X1, DigiCert, etc.); depending on your system, these are often updated via the ca-certificates OS package. They are used by your system to make trusted connections to other systems (like the OS update repository).

Your actual website SSL certificates are normally under /etc/letsencrypt/live/

1 Like

For my mail server I need 3 files: certificate, ca-bundle and private key. How do I get these? On my web server I use certbot -certonly --manual

You can use certbot on your mail server using the standalone option if port 80 is open (it will spin up its own challenge response service on port 80); alternatively, use a DNS validation option.

Going to be listening on 993 for IMAP and sending via port 25 SMTP; I don't know why you mention port 80.

Requesting a certificate from Let's Encrypt requires that you validate your control of your domain.

This can be either:

  • HTTP validation (your server responds to a special request on port 80)
  • DNS validation (you update a special TXT record in your domain's DNS)

You asked how you could get your certificate files but you seem to know what certbot is, so I was assuming you knew this already. It doesn't matter whether you want a cert for a mail server, ftp server, etc, you have to perform domain validation somehow. HTTP validation is usually easier.

1 Like

Thanks. Only get a cert for domain, or for host.domain? My mail server's hostname includes the host and domain, not just the domain.
So I have four files from letsencrypt: cert.pem, chain.pem, fullchain.pem, privkey.pem, where postfix only wants two. I used cert.pem for smtpd_tls_cert_file and privkey.pem for smtpd_key_file, but I see the docs say I can concatenate some of them out to a new file and upload the new file in substitution. Can you please tell me what I should do?

1 Like

Then use fullchain.pem for the certificate and privkey.pem for the key.

1 Like
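As an added example (not code from the thread or from certbot's own documentation) covering both the validation discussion above and the fullchain.pem/privkey.pem answer: the script below wraps a standalone HTTP-01 issuance for a mail host's FQDN, the DNS-01 alternative, a check that fullchain.pem really is cert.pem followed by chain.pem, and the Postfix and Dovecot settings that point at those two files. The hostname mail.example.com, the domain example.com and the contact address are placeholders; nothing here runs certbot until you call one of the issue_* functions as root.

```shell
#!/bin/sh
# Added example, not from the thread. mail.example.com, example.com and
# postmaster@example.com are placeholders: replace them with your own.

MAIL_HOST="${MAIL_HOST:-mail.example.com}"
LIVE_DIR="/etc/letsencrypt/live/$MAIL_HOST"

# Issue a certificate for the mail host's fully qualified name using the
# standalone authenticator. certbot itself listens on port 80 for the
# HTTP-01 challenge, so port 80 must be free on this host and reachable
# from the internet. The mail ports (25, 993) play no part in validation.
issue_standalone() {
    certbot certonly --standalone \
        --non-interactive --agree-tos -m "postmaster@example.com" \
        -d "$MAIL_HOST"
}

# Alternative when port 80 cannot be opened, and the only option for a
# wildcard: DNS-01. certbot prints a TXT record that must be published at
# _acme-challenge.<name>; with --manual a person (or a hook script) has to
# publish it before continuing, so renewals are not automatic.
issue_dns_manual() {
    certbot certonly --manual --preferred-challenges dns \
        -d "example.com" -d "*.example.com"
}

# fullchain.pem is exactly cert.pem followed by chain.pem, which is why a
# server that wants "certificate + ca-bundle" in one file can use it as-is.
# Returns 0 when the three files in a live directory agree, non-zero otherwise.
check_fullchain() {
    dir="$1"
    cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"
}

# Postfix (SMTP on 25): the server must send the intermediate certificate
# as well as its own, so the certificate file is fullchain.pem, not cert.pem.
postfix_tls_settings() {
    dir="$1"
    printf 'smtpd_tls_cert_file = %s/fullchain.pem\n' "$dir"
    printf 'smtpd_tls_key_file = %s/privkey.pem\n' "$dir"
}

# Dovecot (IMAP on 993) uses the same two files; the leading "<" tells
# Dovecot to read the value from the named file.
dovecot_tls_settings() {
    dir="$1"
    printf 'ssl_cert = <%s/fullchain.pem\n' "$dir"
    printf 'ssl_key = <%s/privkey.pem\n' "$dir"
}

# Usage (as root, after issuance):
#   check_fullchain "$LIVE_DIR" && postfix_tls_settings "$LIVE_DIR" >> /etc/postfix/main.cf
#   dovecot_tls_settings "$LIVE_DIR" >> /etc/dovecot/conf.d/10-ssl.conf
```

Both daemons read the files at start-up only, so a renewal must be followed by a reload of Postfix and Dovecot; that is what certbot's `--deploy-hook` option is for.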

Your certificate will need to include the fully qualified host name, e.g. mail.yourdomain.com, and you still need to perform "domain validation" even if your identifier represents a hostname (not a subdomain).

1 Like

Can I have the cert issued for *.domain and domain? That's how I use certbot for all my sites, to save typing, even if they don't use subdomains.

You can, but a wildcard cert needs DNS auth, so you need to have an automated way to update your DNS record.

1 Like

Funny you should mention it, because nsd doesn't start.

I never considered that, but if it's related, all my domains use dynamic DNS.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.