Univention Bugzilla – Full Text Bug Listing |
Summary: | Certificates for UCS-servers should also include alternative domains | ||
---|---|---|---|
Product: | UCS | Reporter: | Nico Stöckigt <stoeckigt> |
Component: | SSL | Assignee: | UCS maintainers <ucs-maintainers> |
Status: | RESOLVED DUPLICATE | QA Contact: | UCS maintainers <ucs-maintainers> |
Severity: | normal | ||
Priority: | P5 | CC: | hahn |
Version: | UCS 4.2 | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | Yes | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017070721000574 | Bug group (optional): | |
Max CVSS v3 score: |
Description
Nico Stöckigt
2017-07-07 21:36:16 CEST
(In reply to Nico Stöckigt from comment #0) > In some environments the server 'master.domain.local' is also available from > outside 'webmail.domain.outside' or 'umc.domain.outside'. The UCS certificate is only valid internally (as you can expect the world to import the self-generated UCS root certificate). As such you can install a second certificate for public facing services: ># ucr search ssl/certificate >apache2/ssl/certificate: <empty> > The absolute path to the SSL certificate file for mod_ssl. The certificate needs to be PEM-encoded. If the variable is unset, the certificate from the UCS CA is used (/etc/univention/ssl/FQDN/cert.pem). > >apache2/ssl/certificatechain: <empty> > The path to a file containing CA certificates. They are sent to the client browser of a user, so that a certificate for authentication the user can be selected, which is issued by one of the CAs. > >mail/postfix/ssl/certificate: <empty> > The full path name of the SSL certificate that is used by Postfix to establish SSL connections. If the variable is unset, the host certificate is used. If you need SAN you can always create your own 'request' file or use `UCRV ssl/host/extensions` *** This bug has been marked as a duplicate of bug 44469 *** |