Message #20435 of the Mailing List CGatePro@list.communigate.ru
From: Dmitry Akindinov dimak@communigate.ru <CGatePro@list.communigate.ru>
To: CommuniGate Pro Russian Discussions <CGatePro@list.communigate.ru>
Subject: Re: [CGP] Updating TLS keys and certificates securely.
Date: Tue, 15 Jun 2021 11:34:45 +0300
Hello and welcome to the list.

On 2021-06-15 10:57, Fred Zwarts F.Zwarts@KVI.nl wrote:
Last week our TLS certificate expired. In addition, for the new certificate a larger key pair was needed. When we received the new certificate we tried to configure the new certificate using the secure port 9010. However, halfway through the procedure, the old certificate disappeared and the new one was not yet present. So, we had to fall back to the insecure port 8010 to complete the configuration of the new certificate.
We are unhappy with this for two reasons: first, because now there has been a short period in which the mail server was not accessible in a secure way, and second, because we are a bit worried about having to enter sensitive information (authentication) over an insecure connection.

Probably, we did not follow the right procedure. From the documentation it is not clear to us how we can keep using a secure connection when updating key pairs and certificates. Is it possible to enter them in advance and specify a time when they will be activated? I hope someone can enlighten us about the correct procedure.

Yes, in the cases when both the private key and the certificate need to be changed, a domain in CGPro is left without matching key-certificate pair and without SSL/TLS access. We plan to support multiple certificates for a domain in future, but right now the built-in Test certificate should meet the purpose of a temporary certificate - just don't forget to switch to Test in PKI settings before changing the key and certificate. Though, there's a catch with the Test certificate: browsers do not trust it by default.

Also, if you have more than one domain on the server with TLS certs installed (even without an IP dedicated to those domains) then you can use those domains to access the administrative interface of other domains (it may be necessary to provide auth data with full admin account name that includes the correct domain).

You can also use CLI to set both the key and the cert in one request and we have a script for that: https://www.communigate.ru/pub/stuff/noarch/domcert-pwd.pl

Finally, regarding the access via the insecure port 8010: that should be limited to the local trusted network and the loopback address. You are supposed to have ssh access to the remotely running server anyway, and ssh can be used to tunnel access to 127.0.0.1:8010 on the server. This is always nice to have. BTW, the HTTPA socket on 127.0.0.1 may be marked as having "External" SSL/TLS support, so connections through it are always considered secure.

A short digest (in Russian in the original):

The question is how to correctly replace a domain's TLS key and certificate at the same time: since this currently cannot be done through WebAdmin in a single step, the domain is left without a key-certificate pair, and there is a risk of losing secure access to WebAdmin in the middle of the operation.
There are several possible solutions: using the built-in test certificate, using other domains with installed certificates to access WebAdmin, using the CLI script to change the key and certificate in one step, and using ssh tunnelling to the unencrypted WebAdmin port.

--
Best regards,
Dmitry Akindinov
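Two small helpers for the procedure discussed in this thread, as an added example (not from the list message, the domcert-pwd.pl script, or CommuniGate itself): a pre-flight check that the new private key and the new certificate actually belong together, so the swap cannot leave the domain with a mismatched pair on top of the unavoidable gap, and a builder for the ssh command that forwards a local port to the server's loopback-only WebAdmin port 8010 so that the plaintext admin session never crosses the network. It assumes openssl is installed, that the unencrypted HTTPA listener is bound to 127.0.0.1:8010 as recommended above, and uses hypothetical host and user names.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the openssl CLI is
# available and that the server's unencrypted WebAdmin port is bound to
# 127.0.0.1:8010, reachable only through an ssh tunnel.

# SHA-256 of the DER-encoded public key contained in a PEM private key.
pubkey_digest_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key contained in a PEM certificate.
pubkey_digest_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when KEY and CERT carry the same public key, 1 otherwise.
# Unreadable files are rejected up front: otherwise both pipelines would
# hash an empty input and "match" each other.
key_matches_cert() {
    key="$1"; cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    key_d=$(pubkey_digest_from_key "$key")
    cert_d=$(pubkey_digest_from_cert "$cert")
    if [ -n "$key_d" ] && [ "$key_d" = "$cert_d" ]; then
        return 0
    fi
    return 1
}

# Print the ssh command that forwards local port LOCALPORT to 127.0.0.1:8010
# on the server, so WebAdmin can be opened at http://127.0.0.1:LOCALPORT/
# with the plaintext HTTP session confined to the tunnel and the loopback.
# Usage: admin_tunnel_cmd USER HOST LOCALPORT
admin_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:8010 %s@%s\n' "$3" "$1" "$2"
}

# Example run (hypothetical names); swap the domain's key and certificate
# only after this check passes:
#   key_matches_cert new.key new.crt && admin_tunnel_cmd admin mail.example.test 8010
```

The digest comparison works for RSA and EC keys alike, which matters here because the thread's case is a move to a larger key pair rather than a renewal under the same key. The tunnel keeps Dmitry's advice intact: port 8010 stays bound to loopback on the server, and the administrator's credentials only ever travel inside ssh.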