If you get those errors at startup - there is something wrong with the
files.
I have also been using letsencrypt for a week now without any problems
(switched from StartSSL.com).

btw: check that the root cert

CN = DST Root CA X3
O = Digital Signature Trust Co.

is trusted by the system. I've also added it to the assp.cfg as SSLCaFile 
- but assp works without configuring it this way.

https://www.identrust.com/certificates/trustid/root-download-x3.html

>Do I need to manually change the order in the config file?

no - at startup the order is ignored.

Thomas
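
A pre-flight check for the files named in this thread, added here as an example (it is not part of the original messages and is not ASSP code): it lists the PEM blocks in the content configured for SSLCertFile, SSLKeyFile and SSLCaFile and reports a key file that holds no private key, or an encrypted key with no SSLPKPassword. It inspects PEM structure only and does not verify that the key matches the certificate; the function names and sample data are constructed for illustration.

```python
import base64
import re

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: the bodies are dummy base64, not real keys or certificates.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
SAMPLE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  "ZHVtbXkgYm9keQ==\n-----END RSA PRIVATE KEY-----\n")

def pem_blocks(text):
    """Return (label, encrypted, body_ok) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        # Traditional encrypted keys carry "Proc-Type"/"DEK-Info" headers before the body.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(line for line in body.splitlines() if line and ":" not in line)
        try:
            base64.b64decode(b64, validate=True)
            body_ok = bool(b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            body_ok = False
        blocks.append((label, encrypted, body_ok))
    return blocks

def check_setting(name, text, password=""):
    """Return the problems found in the file content configured for one setting."""
    blocks = pem_blocks(text)
    if not blocks:
        return [f"{name}: no PEM block found (DER, empty or wrong file?)"]
    labels = [label for label, _, _ in blocks]
    problems = [f"{name}: {label} body is not valid base64"
                for label, _, ok in blocks if not ok]
    if name == "SSLKeyFile":
        if not any(label in KEY_LABELS for label in labels):
            problems.append(f"{name}: no private key block, found {labels}")
        if any(enc for _, enc, _ in blocks) and not password:
            problems.append(f"{name}: key is encrypted but SSLPKPassword is empty")
    elif any(label != "CERTIFICATE" for label in labels):
        problems.append(f"{name}: expected only CERTIFICATE blocks, found {labels}")
    return problems

if __name__ == "__main__":
    for setting, content in [("SSLCertFile", SAMPLE_CERT), ("SSLKeyFile", SAMPLE_CERT),
                             ("SSLKeyFile", SAMPLE_ENC_KEY)]:
        print(setting, check_setting(setting, content) or "ok")
```

To use it on a real setup, pass the text read from each configured path to check_setting together with the setting name.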





From:    "Mark D Montgomery II" <techi...@techiem2.net>
To:      "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date:    27.12.2017 12:34
Subject: Re: [Assp-user] Problems getting TLS working



I just shut it down and started it back up and it gives the same error 
when initializing the listen ports.

Do I need to manually change the order in the config file?

Thanks!

Mark II

----- Message from Thomas Eckardt <thomas.ecka...@thockar.com> ---------
     Date: Wed, 27 Dec 2017 08:48:27 +0100
     From: Thomas Eckardt <thomas.ecka...@thockar.com>
Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
  Subject: Re: [Assp-user] Problems getting TLS working
       To: For Users of ASSP <assp-user@lists.sourceforge.net>


> I'm sorry - this unexpected behavior is caused by a wrong configuration
> order in the WEB-GUI.
>
> currently this is:
>
> SSL Certificate File (PEM format) (SSLCertFile)
> SSL Key File (PEM format) (SSLKeyFile)
> SSL Private Key Password (SSLPKPassword)
> SSL Certificate Authority File (SSLCaFile)
>
> If all these parameters are changed to a new set in one step - you'll see
> the same behavior as in your case.
>
> All changes in the GUI are processed sequentially (each after the other).
>
> SSLCertFile - fails, because the old key file is still in use
> SSLKeyFile - fails possibly, because the old password is still in use
>
> So simply ignore the errors in the log and restart assp and everything is
> fine.
>
> I'll change the processing order to:
>
> SSL Private Key Password (SSLPKPassword)
> SSL Key File (PEM format) (SSLKeyFile)
> SSL Certificate Authority File (SSLCaFile)
> SSL Certificate File (PEM format) (SSLCertFile)
>
> to prevent this bad behavior in future. In case all parameters are changed
> in one step, the same error will be seen in the log after SSLPKPassword
> (old key not readable), SSLKeyFile(cert is invalid) - but after
> SSLCertFile is changed, everything is fine.
>
> Thomas
>
>
>
>
> From:    "Mark D Montgomery II" <techi...@techiem2.net>
> To:      "For Users of ASSP" <assp-user@lists.sourceforge.net>
> Date:    27.12.2017 01:55
> Subject: Re: [Assp-user] Problems getting TLS working
>
>
>
> I'm also using the same cert set for postfix itself, and it seems just
> fine with it.
>
>
> ----- Message from Mark D Montgomery II <techi...@techiem2.net> ---------
>      Date: Wed, 27 Dec 2017 00:26:33 +0000
>      From: Mark D Montgomery II <techi...@techiem2.net>
> Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
>   Subject: Re: [Assp-user] Problems getting TLS working
>        To: For Users of ASSP <assp-user@lists.sourceforge.net>
>
>
>> Ok, so it SHOULD work.
>>
>> In SSL Proxy and TLS Settings:
>> DoTLS: do TLS
>>
>> SSLCertFile: /etc/ssl/froxlor-custom/mydomain_chain.pem
>> SSLKeyFile: /etc/ssl/froxlor-custom/mydomain.key
>> SSLCAFile: /etc/ssl/froxlor-custom/mydomain_CA.pem
>>
>> banFailedSSLIP is disabled, everything else is blank or default.
>>
>> I turned up SSL Debug logging to 3 and restarted:
>>
>> Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
>> Failed to load key from file (no PEM or DER)
>> SSL error: 24545: 1 - error:0D08303A:asn1 encoding
>> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>> SSL error: 24545: 2 - error:0D0680A8:asn1 encoding
>> routines:ASN1_CHECK_TLEN:wrong tag
>> SSL error: 24545: 3 - error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>> SSL error: 24545: 4 - error:04093004:rsa
>> routines:OLD_RSA_PRIV_DECODE:RSA lib
>> SSL error: 24545: 5 - error:0D0680A8:asn1 encoding
>> routines:ASN1_CHECK_TLEN:wrong tag
>> SSL error: 24545: 6 - error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>> SSL error: 24545: 7 - error:140B000D:SSL
>> routines:SSL_CTX_use_PrivateKey_file:ASN1 lib
>> Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
>> global error: Failed to load key from file (no PEM or DER)
>> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>> Dec-26-17 19:21:34 [init] Error: unable to create IPv4 socket to
>> 0.0.0.0:1465 - Failed to load key from file (no PEM or DER)
>> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>> Dec-26-17 19:21:34 [init] Error: couldn't create server SSL-socket
>> on port '1465' -- maybe another service uses this listener or I'm
>> not root (uid=0)? -- or a wrong IP address is defined? --
>> Inappropriate ioctl for device
>>
>>
>>
>>
>> ----- Message from Doug Lytle <supp...@drdos.info> ---------
>>     Date: Tue, 26 Dec 2017 18:12:47 -0500
>>     From: Doug Lytle <supp...@drdos.info>
>> Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
>>  Subject: Re: [Assp-user] Problems getting TLS working
>>       To: assp-user@lists.sourceforge.net
>>
>>
>>> On 12/26/2017 05:29 PM, Mark D Montgomery II wrote:
>>>> I've added the paths to the chain, ca, and key files, but ASSP
>>>> won't accept the key file.
>>>
>>> Mark,
>>>
>>> I've got my ASSP setup with LetsEncrypt as well and it's working fine.
>>>
>>> My chain is the fullchain. Along with my cert and key.
>>>
>>>
>>>
>>> Doug
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Assp-user mailing list
>>> Assp-user@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-user
>>
>>
>> ----- End message from Doug Lytle <supp...@drdos.info> -----
>>
>>
>>
>> --
>> Mark D Montgomery II
>> techi...@techiem2.net
>> https://www.techiem2.net
>>
>>
>>
>
>
> ----- End message from Mark D Montgomery II <techi...@techiem2.net> -----
>
>
>
> --
> Mark D Montgomery II
> techi...@techiem2.net
> https://www.techiem2.net
>
>
>
>
>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************


----- End message from Thomas Eckardt <thomas.ecka...@thockar.com> -----



-- 
Mark D Montgomery II
techi...@techiem2.net
https://www.techiem2.net

