For historical reasons and backward compatibility, Sendmail does not handle certificates quite the way you would expect today. It loads only the first certificate in the confSERVER_CERT file (it does not use OpenSSL's chain-file loader), so pointing it at Let's Encrypt's fullchain.pem does not make it send the intermediate: clients receive the leaf alone, cannot build a chain to a root they trust, and openssl s_client reports
Verify return code: 21 (unable to verify the first certificate)
The fix uses the other path OpenSSL has for building the chain a server sends: when no explicit chain is loaded, OpenSSL completes it from the trusted store the server was given, which for Sendmail is the confCACERT file. Appending Let's Encrypt's chain.pem (the intermediate) to the CA bundle Sendmail uses as confCACERT therefore lets the full chain be sent and verified.
One caveat: Let's Encrypt rotates its intermediates, so the bundle must be rebuilt whenever chain.pem changes. Run the tasks below after every renewal (for example from a certbot deploy hook), not just once.
Prerequisites
- FreeBSD 13.5
- Sendmail 8.18
- Certificate already issued by Let's Encrypt
- Ansible 2.18
Ansible code
The file names below are the ones FreeBSD's stock sendmail .mc template already uses in its STARTTLS definitions (confCACERT, confSERVER_CERT and confSERVER_KEY under /etc/mail/certs), so sendmail.mc only needs those lines enabled.
roles/freebsd/tasks/sendmail.yaml
- name: Ensure certificate directory
  file:
    path: /etc/mail/certs
    state: directory
    owner: root
    group: wheel
    mode: "0755"

# The base-system CA bundle and the Let's Encrypt intermediate are read
# separately and written as one file. Copying cert.pem and then appending
# to it would leave the destination different from the source on every run,
# so copy would overwrite it, the chain would be appended again, and sendmail
# would be restarted on every play; writing the assembled content once is
# idempotent.
- name: Read system CA bundle
  slurp:
    src: /etc/ssl/cert.pem
  register: system_ca_bundle

- name: Read Let's Encrypt chain.pem
  slurp:
    src: "/usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem"
  register: le_chain

- name: Write cacert.pem (system bundle plus Let's Encrypt intermediate)
  copy:
    content: |
      {{ system_ca_bundle.content | b64decode }}
      # BEGIN ANSIBLE MANAGED LETSENCRYPT CHAIN
      {{ le_chain.content | b64decode }}
      # END ANSIBLE MANAGED LETSENCRYPT CHAIN
    dest: /etc/mail/certs/cacert.pem
    owner: root
    group: wheel
    mode: "0644"
  notify:
    restart_sendmail

# cert.pem (leaf only) is deliberate: Sendmail reads just the first
# certificate in this file, so fullchain.pem would gain nothing here.
- name: Copy host certificate
  copy:
    src: /usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
    dest: /etc/mail/certs/host.cert
    remote_src: true
    owner: root
    group: wheel
    mode: "0644"
  notify:
    restart_sendmail

- name: Copy host key
  copy:
    src: /usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
    dest: /etc/mail/certs/host.key
    remote_src: true
    owner: root
    group: wheel
    mode: "0600"
  notify:
    restart_sendmail
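To see why the bundle works before touching a live mail server, here is an added example (not code from the original post) that rebuilds the situation offline with a throwaway root, intermediate and host certificate generated by the openssl CLI. The names (Demo Root CA, Demo Intermediate CA, mail.example.test) and file names are constructed for the demo; root.pem stands in for the entry in /etc/ssl/cert.pem, inter.pem for Let's Encrypt's chain.pem and host.cert for cert.pem.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Builds a throwaway root -> intermediate -> host chain, then shows that the
# host certificate verifies only once the intermediate sits beside the root
# in the bundle Sendmail loads (or is supplied by the server to the client).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: no section header means "default" section for -extfile.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >host.ext

# Throwaway root CA (self-signed). Stands in for the root in /etc/ssl/cert.pem.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA signed by the root. Stands in for Let's Encrypt's chain.pem.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null

# Host certificate signed by the intermediate only. Stands in for cert.pem.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout host.key -out host.csr 2>/dev/null
openssl x509 -req -in host.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile host.ext -out host.cert 2>/dev/null

# verify_leaf BUNDLE [UNTRUSTED]: exit 0 if host.cert chains to a root in
# BUNDLE, optionally using the certificates in UNTRUSTED the way a client uses
# the intermediates a server sends in the handshake; non-zero otherwise.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" host.cert >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" host.cert >/dev/null 2>&1
  fi
}

# build_bundle ROOT INTERMEDIATE OUT: the same layout the playbook writes to
# /etc/mail/certs/cacert.pem. The '#' lines are ignored by the PEM reader.
build_bundle() {
  {
    cat "$1"
    printf '# BEGIN ANSIBLE MANAGED LETSENCRYPT CHAIN\n'
    cat "$2"
    printf '# END ANSIBLE MANAGED LETSENCRYPT CHAIN\n'
  } >"$3"
}

# 1. Root only: this is the client's view when Sendmail sends just the leaf,
#    the failure the post observed with s_client.
if verify_leaf root.pem; then
  echo "unexpected: host.cert verified against the root alone"
  exit 1
fi
echo "root only: host.cert cannot be verified"

# 2. Root plus intermediate in one bundle: OpenSSL on the Sendmail side can
#    now complete the chain from its trust store.
build_bundle root.pem inter.pem cacert.pem
verify_leaf cacert.pem
echo "root+intermediate bundle: host.cert verifies"

# 3. A client that trusts only the root succeeds once the server supplies the
#    intermediate, which is exactly what the completed chain gives it.
verify_leaf root.pem inter.pem
echo "root trusted, intermediate supplied by server: host.cert verifies"
```

Against the real server the equivalent check is openssl s_client -connect mail.example.test:25 -starttls smtp -CAfile /etc/ssl/cert.pem </dev/null (hostname assumed): after Sendmail has been restarted with the new cacert.pem, the Certificate chain section should list the intermediate at depth 1 and the last line should read Verify return code: 0 (ok) instead of 21.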