On 21.12.2014 at 20:03, Evgeniy Berdnikov wrote:
  The first step in debugging should be cleaning up the configuration.
  If you have doubts, separate your private key and certificates,
  placing them into different files.

Done that. Certificate with chain and key are now in two separate files. Same log output.

  Then, check permissions. In my nearest host with Ubuntu-12.04.5
  the /etc/ssl/private directory can be read by root only.
  Are you sure the MAIN_HOST file is readable for Exim?

Yes, I am sure.

  Debug options should be *added* to others, for example, run exim as daemon:

  /usr/sbin/exim4 -bd -q1m -d-all+tls

  Then try to connect and look into the log.

Here's what I got:

 3654 Connection request from 2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb port 51260
 3654 1 SMTP accept process running
 3654 Listening...
 3658 Process 3658 is handling incoming connection from [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]
 3658 LOG: host_lookup_failed MAIN
 3658   no host name found for IP address 2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb
 3658 Process 3658 is ready for new message
 3658 initialising GnuTLS as a server
 3658 GnuTLS global init required.
 3658 initialising GnuTLS server session
 3658 Expanding various TLS configuration options for session credentials.
 3658 certificate file = /etc/ssl/private/xxxx.de
 3658 key file = /etc/ssl/private/xxxx.de
 3658 TLS: cert/key registered
 3658 TLS: tls_verify_certificates not set or empty, ignoring
 3658 Initialising GnuTLS server params.
 3658 Loading default hard-coded DH params
 3658 Loaded fixed standard D-H parameters
 3658 GnuTLS using default session cipher/priority "NORMAL"
 3658 TLS: a client certificate will not be requested.
 3658 Received TLS SNI "xxxx.de" (unused for certificate selection)
 3658 LOG: MAIN
 3658   TLS error on connection from ([IPv6:2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]) [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb] (gnutls_handshake): Could not negotiate a supported cipher suite.
 3658 TLS failed to start
 3658 LOG: smtp_connection MAIN
 3658   SMTP connection from ([IPv6:2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]) [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb] closed by EOF
 3654 child 3658 ended: status=0x0
 3654   normal exit, 0
 3654 0 SMTP accept processes now running
 3654 Listening...

As I understand it, the cert file could be read but something else went wrong, but no details are shown about it.

--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de
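
An added example, not part of the original thread or of Exim: a small Python parser that condenses `-d-all+tls` debug output like the log above into one record per Exim process, re-joining entries that a mail client has wrapped and noting whether the certificate and key paths are identical. The sample log is constructed (placeholder paths and address), and the names `unwrap` and `summarise` are hypothetical.

```python
import re

# Constructed sample shaped like the output above; one entry is mail-wrapped.
SAMPLE = """\
 3654 Listening...
 3658 certificate file = /etc/ssl/private/example.pem
 3658 key file = /etc/ssl/private/example.pem
 3658 GnuTLS using default session cipher/priority "NORMAL"
 3658 Received TLS SNI "mail.example" (unused for certificate selection)
 3658   TLS error on connection from ([IPv6:2001:db8::1])
[2001:db8::1] (gnutls_handshake): Could not
negotiate a supported cipher suite.
"""

ENTRY = re.compile(r"^\s*(\d+) (.*)$")   # "<pid> <message>"
FIELDS = {
    "cert": re.compile(r"^certificate file = (.+)$"),
    "key": re.compile(r"^key file = (.+)$"),
    "priority": re.compile(r'cipher/priority "([^"]*)"'),
    "sni": re.compile(r'^Received TLS SNI "([^"]*)"'),
    "error": re.compile(r"^TLS error on connection from .*\(\w+\): (.+)$"),
}

def unwrap(text):
    """Yield (pid, message); a line without a leading PID continues the previous entry."""
    pid, msg = None, ""
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            if pid is not None:
                yield pid, msg
            pid, msg = int(m.group(1)), m.group(2).strip()
        elif raw.strip() and pid is not None:
            msg += " " + raw.strip()
    if pid is not None:
        yield pid, msg

def summarise(text):
    """Per Exim process: the TLS settings it logged and any handshake error."""
    procs = {}
    for pid, msg in unwrap(text):
        for name, rx in FIELDS.items():
            m = rx.search(msg)
            if m:
                procs.setdefault(pid, {})[name] = m.group(1)
    for info in procs.values():
        if "cert" in info and "key" in info:
            info["same_file"] = info["cert"] == info["key"]
    return procs
```

Calling `summarise()` on a captured debug log returns a dict keyed by PID; processes that logged no TLS settings (such as the listening daemon) are omitted.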
