A few months ago I configured Postfix on my CentOS 7.0 VPS to accept a TLS client certificate from my laptop, instead of a password. My client certificate was obtained from StartSSL, who have a rather convoluted process but seem to be the best value CA out there.
Last week CentOS 7.1 became available. I did a yum update, and rebooted, it all seemed to go without a hitch. Until I tried to send an email. My server was logging ‘certificate verification failed’.
After a bit of research, I figured that the problem might be with the StartSSL certificate chain. Time to figure out how to add it to the system. Turns out its fairly easy:
Step One: Fetch the startssl bundle and put it in the right directory
cd /etc/pki/ca-trust/source/anchors curl -o startssl-ca-bundle.pem http://www.startssl.com/certs/ca-bundle.pem
Step Two: Rebuid the trust database
Step Three: Restart Postfix
service postfix restart
And that takes care of that. I wish Postfix/OpenSSL had some better diagnostics when things go wrong, it would reduce the amount of guesswork required.
Some time ago I moved my virtual private server to a new provider. The old one was fine, but I wanted to play around with IPv6 and RamNode offered that. They were also able to host CentOS 7 which I was keen to familiarize myself with.
More recently they added a hosting site in my city, so I took them up on their offer to migrate my VPS. I was very impressed, it was about a 15 minute process and went flawlessly.
This site still sits behind CloudFlare, which has been doing a splendid job although there has not really been enough traffic to give it a decent test.
Its funny how, even after many years of working with Linux and other Unix-like systems, every now and then a little utility comes up that you never knew about.
blkid is one of those little utilities that is wonderfully
handy, and now I find myself using it all the time.