I’m going to install a couple of services – SMTP (exim) and IMAP (dovecot) – and I want to share the SSL key and certificate between them. Having separate certificates for each is additional hassle when it comes to updating them.
Thus I’ve got an sslcerts.sls file to manage the certificate installation which I can share between exim.sls and dovecot.sls.

```yaml
# SSL cert and key

# Ensure the group ssl-cert exists
ssl-cert:
  group.present:
    - system: True

# Ensure that the ssl-cert group has access to the directory
/etc/ssl/private:
  file.directory:
    - user: root
    - group: ssl-cert
    - mode: '0750'   # rwxr-x---

# Manage the certificate
/etc/ssl/certs/info.river-innovations.com.cert:
  file.managed:
    - source: salt://sslcerts/info.river-innovations.com.cert
    - user: root
    - group: root
    - mode: '0644'   # rw-r--r--

# Manage the key
/etc/ssl/private/info.river-innovations.com.key:
  file.managed:
    - source: salt://sslcerts/info.river-innovations.com.key
    - user: root
    - group: ssl-cert
    - mode: '0640'   # rw-r-----
```
The key and certificate are placed into the /etc/ssl directory structure, which is where Debian puts its own keys and certificates (the ssl-cert package already creates the ssl-cert group and sets /etc/ssl/private to root:ssl-cert with mode 0710, so the group.present state is harmless on a stock system and the 0750 above only additionally lets group members list the directory). I make sure that the key can be read by members of the ssl-cert group and by nobody else; the certificate can be read by anyone, which is fine since it is public. A service that needs the key therefore has to run as a user in the ssl-cert group, or read the key as root before dropping privileges.
This .sls file isn’t included directly in top.sls. Instead it will be referenced, via an include, from exim.sls and dovecot.sls, the states that need access to the certificate; Salt applies an included file only once however many states include it, so both services can depend on the same key and certificate states.
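An example of what the referencing side looks like, added here and not taken from the author's exim.sls: it includes sslcerts, puts the service user into the ssl-cert group so it can read the key, and restarts the daemon whenever the shared key or certificate changes so a renewed certificate actually takes effect. The Debian-exim user and exim4 package are those of Debian's exim4 packaging; that the daemon is installed via the exim4 metapackage and that a restart (rather than a reload) is wanted are assumptions.

```yaml
# exim.sls (added example, not the original page's file)

# Pull in the shared key and certificate states. Salt applies sslcerts.sls
# once even if dovecot.sls includes it too.
include:
  - sslcerts

# Install the MTA first so the package creates the Debian-exim user with
# its proper uid and home; assumed: the exim4 metapackage is what we want.
exim4-pkg:
  pkg.installed:
    - name: exim4

# Debian's exim4 runs as Debian-exim, which can only read the 0640 key if it
# is a member of the ssl-cert group created in sslcerts.sls.
# remove_groups: False keeps whatever other groups the package gave it.
Debian-exim:
  user.present:
    - groups:
      - ssl-cert
    - remove_groups: False
    - require:
      - pkg: exim4-pkg
      - group: ssl-cert

# Keep the daemon running and restart it when the key or certificate is
# replaced, so a renewal on the master is picked up without manual work.
exim4:
  service.running:
    - enable: True
    - require:
      - pkg: exim4-pkg
      - user: Debian-exim
    - watch:
      - file: /etc/ssl/private/info.river-innovations.com.key
      - file: /etc/ssl/certs/info.river-innovations.com.cert
```

The `require` on the group and key states is what makes the include useful: if sslcerts.sls fails to put the key in place, the service state is skipped rather than starting exim without TLS. A dovecot.sls can use the same include and `watch` entries; Dovecot reads its key as root before dropping privileges, so it does not need the group membership step.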