Froxlor Forum

get froxlor:config-service to keep tls/ssl settings for services?


hk@

Question

Hi,
Currently we also use the Let's Encrypt certificate generated for the froxlor server hostname for services like proftpd, postfix and dovecot.

Additionally we check for refreshed certs and if new certs arrive we reload those services so they take up the new cert before the old one expires.

Now the froxlor:config-services option of froxlor-cli is a great tool to get things fixed up - especially after major updates on the system level.
Yet it creates a default set of certificates, like ssl-cert-snakeoil.pem for postfix+dovecot and its very own proftp-cert.

For postfix+dovecot we might work around this by using symlinks from snakeoil to /etc/ssl/froxlor-custom/<server-hostname.crt>, but proftpd doesn't give us this easy way out.

So basically my question would be: How about a switch for the config-services script to keep current tls/ssl settings but replace the other config parts?
Or a way to specify one's own certificate-files for some/all services?

I believe this would make life a lot easier when going for new Ubuntu/Debian releases, which basically require re-creating (or re-checking) a lot of configs for froxlor.

thx
hk


5 answers to this question

7 minutes ago, hk@ said:

Now the froxlor:config-services option of froxlor-cli is a great tool to get things fixed up - especially after major updates on the system level.
Yet it creates a default set of certificates, like ssl-cert-snakeoil.pem for postfix+dovecot and its very own proftp-cert.

That's because this is its purpose - it's meant to configure the services for you (instead of the former copy'n'paste way...) - it's not meant to be run regularly or anything like that. It doesn't use "current certificates" froxlor generated ... that's not what this tool is there for.

Why would you RECONFIGURE your services to the default configs regularly? Doesn't make sense tbh.

What you basically want is a cronjob that checks whether a certificate you are using in other services (postfix, dovecot, proftpd) got renewed and these services need to be restarted...

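The reply above describes the piece that is actually needed alongside config-services: a cron job that notices a renewed certificate and reloads the services that serve it. The script below is an added example written for this thread, not Froxlor's own code and not the poster's existing cron job. It fingerprints the certificate file by content (a re-copied but unchanged file does not cause reloads), reloads postfix, dovecot and proftpd only when the content changed, and records the new fingerprint only after every reload succeeded, so a failed reload is retried on the next run instead of leaving that service on the expiring certificate. The paths under /etc/ssl/froxlor-custom and /var/lib/cert-reload, the CERT_RELOAD_MAIN entry-point switch and the use of "systemctl reload" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Froxlor's own code: a cron-driven check that reloads
# postfix, dovecot and proftpd only when the shared certificate file changed.
# All paths, the state file and the reload command are assumptions.
set -u

# cert_fingerprint FILE
#   Prints the SHA-256 of the certificate. Comparing content rather than
#   mtime means a re-copied but unchanged cert does not trigger reloads.
cert_fingerprint() {
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } | cut -d' ' -f1
}

# cert_changed CERT STATEFILE
#   Returns 0 if CERT differs from the fingerprint recorded in STATEFILE
#   (or nothing was recorded yet), 1 if unchanged, 2 if CERT is unreadable.
cert_changed() {
  cc_cert="$1"; cc_state="$2"
  [ -r "$cc_cert" ] || return 2
  cc_cur=$(cert_fingerprint "$cc_cert")
  cc_old=""
  [ -r "$cc_state" ] && cc_old=$(cat "$cc_state")
  [ "$cc_cur" != "$cc_old" ]
}

# record_fingerprint CERT STATEFILE
record_fingerprint() {
  mkdir -p "$(dirname "$2")"
  cert_fingerprint "$1" > "$2"
}

# reload_services "svc1 svc2 ..." RELOAD_CMD
#   Runs "RELOAD_CMD svc" for each service, keeps going after a failure,
#   and returns 1 if any reload failed.
reload_services() {
  rs_rc=0
  for rs_svc in $1; do
    if $2 "$rs_svc"; then
      echo "reloaded $rs_svc"
    else
      echo "reload failed: $rs_svc" >&2
      rs_rc=1
    fi
  done
  return "$rs_rc"
}

# check_and_reload CERT STATEFILE "services" [RELOAD_CMD]
#   The fingerprint is recorded only after every reload succeeded, so a
#   service that failed to reload is retried on the next cron run instead of
#   silently staying on the expiring certificate.
check_and_reload() {
  car_cert="$1"; car_state="$2"; car_svcs="$3"; car_cmd="${4:-systemctl reload}"
  if ! [ -r "$car_cert" ]; then
    echo "cannot read certificate $car_cert" >&2
    return 2
  fi
  if cert_changed "$car_cert" "$car_state"; then
    reload_services "$car_svcs" "$car_cmd" || return 1
    record_fingerprint "$car_cert" "$car_state"
    echo "certificate changed, services reloaded"
  else
    echo "certificate unchanged"
  fi
  return 0
}

# Cron entry point with assumed paths, e.g. every 15 minutes:
#   CERT_RELOAD_MAIN=1 /usr/local/sbin/cert-reload.sh
if [ "${CERT_RELOAD_MAIN:-0}" = 1 ]; then
  check_and_reload /etc/ssl/froxlor-custom/server.example.org.crt \
                   /var/lib/cert-reload/server.example.org.sha256 \
                   "postfix dovecot proftpd"
fi
```

Watch the file the services actually serve (the cert or fullchain named in their configs), not a symlink target that may be replaced behind it. The fourth argument exists because "reload" is enough only for a daemon that re-reads its certificate on reload; for one that loads it just once at startup, pass "systemctl restart" for that service instead.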
7 minutes ago, d00p said:

That's because this is its purpose - it's meant to configure the services for you (instead of the former copy'n'paste way...) - it's not meant to be run regularly or anything like that. It doesn't use "current certificates" froxlor generated ... that's not what this tool is there for.

Why would you RECONFIGURE your services to the default configs regularly? Doesn't make sense tbh.

What you basically want is a cronjob that checks whether a certificate you are using in other services (postfix, dovecot, proftpd) got renewed and these services need to be restarted...


This cronjob is already in place :)

I'm not talking about regularly, but about situations (like we experienced) when the current config isn't working anymore and we have to rebuild configs - ideally as fast as possible and with as few different steps as possible. I was also writing about major system upgrades (like moving from Debian 10 to 11 or Ubuntu 18 to 20 or 22); it would simply ease these updates if some custom ssl/tls settings could be kept or injected. In the end I'm just looking for easier, effortless upgrade paths, because otherwise systems get quite old quite fast ;)

9 minutes ago, d00p said:

it is not planned to have config-services "check" for customization in the files...there is no solid procedure to "merge" or combine without errors.

Which is perfectly understood (yet dovecot and proftpd would seem easier, while postfix also exposes its settings);
anyway, injecting a path to key+cert+fullchain might seem more probable.

Well, not everyone just adjusts ssl certificate paths... please understand that we cannot implement every use-case-specific feature - this is still open source and done in spare time.
