From 8d7abb4f0c3485eb4e18e9d32a5165e0d4916b52 Mon Sep 17 00:00:00 2001
From: Markus Hauschild <markus@moepman.eu>
Date: Wed, 6 Apr 2016 18:00:23 +0200
Subject: [PATCH] Fix certificate/CA handling.

---
 roles/certmgr/templates/acme.conf.j2       | 1 +
 roles/mail/templates/certs.j2              | 8 ++++----
 roles/mail/templates/dovecot/local.conf.j2 | 2 +-
 roles/mail/templates/mailman/certs.j2      | 6 +++---
 roles/mail/templates/postfix/main.cf.j2    | 2 +-
 5 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/roles/certmgr/templates/acme.conf.j2 b/roles/certmgr/templates/acme.conf.j2
index 511dde1..c0488bb 100644
--- a/roles/certmgr/templates/acme.conf.j2
+++ b/roles/certmgr/templates/acme.conf.j2
@@ -6,3 +6,4 @@ ttl_days: 30
 authority: "https://acme-v01.api.letsencrypt.org"
 
 defaults:
+  cafile: /etc/acme/lets-encrypt-x3-cross-signed.pem
diff --git a/roles/mail/templates/certs.j2 b/roles/mail/templates/certs.j2
index f0156ad..4b21196 100644
--- a/roles/mail/templates/certs.j2
+++ b/roles/mail/templates/certs.j2
@@ -6,22 +6,22 @@
   group: postfix
   perm: '400'
   format: crt
-  notify: 'service postfix reload'
+  notify: 'service postfix restart'
 - path: /etc/postfix/ssl/{{ mail_server }}.key
   user: postfix
   group: postfix
   perm: '400'
   format: key
-  notify: 'service postfix reload'
+  notify: 'service postfix restart'
 - path: /etc/dovecot/ssl/{{ mail_server }}.crt
   user: dovecot
   group: dovecot
   perm: '400'
   format: crt
-  notify: 'service dovecot reload'
+  notify: 'service dovecot restart'
 - path: /etc/dovecot/ssl/{{ mail_server }}.key
   user: dovecot
   group: dovecot
   perm: '400'
   format: key
-  notify: 'service dovecot reload'
+  notify: 'service dovecot restart'
diff --git a/roles/mail/templates/dovecot/local.conf.j2 b/roles/mail/templates/dovecot/local.conf.j2
index 0460c79..8b119f5 100644
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@@ -18,7 +18,7 @@ mail_gid = vmail
 ssl = yes
 ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
 ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
-#ssl_ca = TODO
+ssl_ca = </etc/acme/lets-encrypt-x3-cross-signed.pem
 ssl_protocols = !SSLv2 !SSLv3
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
diff --git a/roles/mail/templates/mailman/certs.j2 b/roles/mail/templates/mailman/certs.j2
index 532328a..c80c1d7 100644
--- a/roles/mail/templates/mailman/certs.j2
+++ b/roles/mail/templates/mailman/certs.j2
@@ -5,11 +5,11 @@
   user: nginx
   group: nginx
   perm: '400'
-  format: crt
-  notify: 'service nginx reload'
+  format: crt,ca
+  notify: 'service nginx restart'
 - path: /etc/nginx/ssl/{{ mailman_domain }}.key
   user: nginx
   group: nginx
   perm: '400'
   format: key
-  notify: 'service nginx reload'
+  notify: 'service nginx restart'
diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2
index 85b45d9..3efc3ce 100644
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
@@ -32,7 +32,7 @@ smtp_tls_loglevel = 2
 
 smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
 smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
-#smtpd_tls_CAfile=TODO
+smtpd_tls_CAfile=/etc/acme/lets-encrypt-x3-cross-signed.pem
 smtpd_use_tls=yes
 
 smtpd_tls_ciphers = medium