MikeL's FreeBSD howto - Update SSL Certificate

[20240811]
Every year I go through a huge waste of time trying to figure out how to install my SSL certificate. I blunder around, and suddenly get it working, and I step back, sigh, and swear that next year I'll just get it right.

  1. Make a new dir for this year.
    1. At NetSol download the "SSL package", not the one that purports to be for Apache.
    2. Unzip the NetSol file.
    3. Create a link to, or copy, the .key file from the previous year into this dir. (This assumes you did not make a new CSR and are just renewing an existing cert. Otherwise, make sure the new signing key is in place here.)

  2. If you omit the following ov_chain step, you'll get an "unable to get local issuer certificate" error.
    1. cp SSL_WILDCARD_CertificationAuthorityRoot.crt ov_chain.crt
    2. Edit ov_chain.crt and add a trailing newline
    3. Append SSL_WILDCARD_IntermediateCA_2.crt
    4. Add a trailing newline
    5. Append SSL_WILDCARD_IntermediateCA_3.crt
    6. Add a trailing newline
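The trailing-newline dance above exists because a PEM file that does not end in a newline, when appended to, glues its END marker onto the next file's BEGIN marker, and the parser then sees one broken certificate instead of two. The script below is an added example, not part of the original howto: build_chain does the concatenation and adds the missing newline automatically, count_certs and chain_is_clean check the result, verify_leaf asks openssl whether the leaf cert actually chains to the root through the bundle, and show_live_dates pulls the validity dates from a running service. The CA file names are the ones the howto uses; the demo at the bottom runs on constructed stand-in files that are not real certificates.

```shell
#!/bin/sh
# Added example (not from the original howto). Builds ov_chain.crt from the
# CA files NetSol ships, guaranteeing every file ends with a newline so the
# PEM markers of adjacent certificates never run together, then checks it.

# build_chain OUT FILE... : concatenate FILEs into OUT, each newline-terminated.
build_chain() {
  out=$1
  shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # $(tail -c1) is empty when the last byte is a newline (command
    # substitution strips it), so a non-empty result means one is missing.
    if [ -n "$(tail -c1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
}

# count_certs FILE : number of PEM certificate blocks in FILE.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# chain_is_clean FILE : succeeds unless an END marker is glued to the next
# BEGIN marker, which is exactly what a missing trailing newline produces.
chain_is_clean() {
  ! grep -q -- 'CERTIFICATE----------BEGIN' "$1"
}

# verify_leaf LEAF ROOT CHAIN : ask openssl whether LEAF chains up to ROOT
# through the intermediates in CHAIN. Skipped when openssl is not installed.
verify_leaf() {
  if command -v openssl >/dev/null 2>&1; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1"
  else
    echo "openssl not found; skipping verify" >&2
  fi
}

# show_live_dates HOST PORT [STARTTLS_PROTO] : connect to a running service
# and print subject and validity dates of the certificate it really serves.
# Use 443 for Apache, 993 for imaps, and "25 smtp" for sendmail STARTTLS.
show_live_dates() {
  host=$1; port=$2; proto=$3
  if [ -n "$proto" ]; then
    set -- -starttls "$proto"
  else
    set --
  fi
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# --- Demo on constructed stand-in files (not real certificates) ---
demo_dir=$(mktemp -d)
root="$demo_dir/SSL_WILDCARD_CertificationAuthorityRoot.crt"
ica2="$demo_dir/SSL_WILDCARD_IntermediateCA_2.crt"
ica3="$demo_dir/SSL_WILDCARD_IntermediateCA_3.crt"
# The root and ICA_3 stand-ins deliberately lack their trailing newline.
printf -- '-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----' > "$root"
printf -- '-----BEGIN CERTIFICATE-----\nICA2\n-----END CERTIFICATE-----\n' > "$ica2"
printf -- '-----BEGIN CERTIFICATE-----\nICA3\n-----END CERTIFICATE-----' > "$ica3"
build_chain "$demo_dir/ov_chain.crt" "$root" "$ica2" "$ica3"
echo "certificates in chain: $(count_certs "$demo_dir/ov_chain.crt")"
chain_is_clean "$demo_dir/ov_chain.crt" && echo "markers intact"
```

On the real files, run `build_chain ov_chain.crt SSL_WILDCARD_CertificationAuthorityRoot.crt SSL_WILDCARD_IntermediateCA_2.crt SSL_WILDCARD_IntermediateCA_3.crt` in the year's directory, then `verify_leaf STAR.VINTNERS.NET.crt SSL_WILDCARD_CertificationAuthorityRoot.crt ov_chain.crt`; an "unable to get local issuer certificate" here means the bundle is wrong before Apache ever sees it. After the restarts, `show_live_dates` against 443, 993 and 25 confirms each daemon is serving the new cert without clicking through the browser dialogs.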

  3. Edit /usr/local/etc/apache/Includes/httpd-ssl.conf
      Don't forget that there may be multiple blocks of these directives
    1. SSLCertificateFile set to the full path to the new STAR.VINTNERS.NET.crt file
    2. SSLCertificateChainFile set to the full path to this ov_chain.crt
    3. SSLCACertificateFile set to the full path to the SSL_WILDCARD_CertificationAuthorityRoot.crt file

  4. Restart apache:
    apachectl restart

  5. Test Apache:
    1. In browser, visit said domain.
    2. Click on padlock icon.
    3. Click on "Connection Secure" item.
    4. Click on "More Information" item.
    5. This brings up a new window, click on "View Certificate" button.
    6. This brings up another window; check the "Validity" section for the new date.

  6. Edit /etc/mail/[systemname].mc
    Change CERT_DIR to the proper year; everything else should just work from that if you haven't changed filenames since last time.
    And of course regenerate the .cf file, copy it into place and restart sendmail.

  7. Test sendmail:
    1. send an email to that domain.
    2. check /var/log/maillog for errors.

  8. Update imap/pop3/lmtp:
    Edit /usr/local/etc/imapd:
    1. Fix tls_server_cert - should match sendmail confSERVER_CERT
    2. Fix tls_server_key - should match sendmail confSERVER_KEY
    3. Fix tls_server_ca_file - should match sendmail confCACERT
    4. Fix tls_server_ca_dir - should match sendmail CERT_DIR
    Note! Thunderbird simply showed no new email even though I know there's email. To localize the problem, I installed Thunderbird on a different system, and there it worked just fine. I messed with my TB settings, deleted certs, etc.; no dice. Finally, I simply "removed" that "account" and recreated it; all is well now.

Copyright © 1995-2024 Mike Lempriere (running on host bayanus)