Hi,

Adrian Zaugg via Exim-users <exim-users@exim.org> (Fr 01 Jun 2018 02:05:04 CEST):
> I try to set tls_certificate and tls_privatekey in remote smtp transport
> in order to instruct exim to present a client certificate on a
> connection made to another server. I get an error saying:
>
> 2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
> ts6.checktls.com [104.131.23.181] (cert/key setup:
> cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
> key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
> reading file.
…
> I tried as user Debian-exim to cat both files which worked. I tried to

Did you try to cat the full path with a working directory of '/'?

    cd /
    sudo -u Debian-exim cat /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem

I guess you have restrictions on some directory on the way down to the file Exim needs to read. All directories need to have at least x permissions for the Exim runtime user (Debian-exim in your case).

> reference a copy in /etc/exim4 which made the error go away, but remote
> servers do not get to see my client cert – at least this is what
> checktls.com Test Sender TLS reports:
…

We are at 4.91. I'm not sure if Devuan backports the security fixes. Please check.

> What am I missing?

The certificate/key you use as a server are configured in the main options tls_certificate and tls_privatekey. These options _do not apply_ to the transport, where Exim acts as a client. To have Exim use a cert as a client, you need to set the transport options (which have the same names):

    begin transports

    remote_smtp:
      driver = smtp
      tls_certificate = …
      tls_privatekey = …

PS: I do not know if and how your ACME client supports "hooks", actions that are executed after getting a fresh certificate. I use "dehydrated" as ACME client and do the following:

[once at setup]
    mkdir /var/lib/exim4
    touch /var/lib/exim4/ssl.pem
    chown Debian-exim: /var/lib/exim4/ssl.pem

[hook, executed after getting the cert]
    cat privkey.pem fullchain.pem > /var/lib/exim4/ssl.pem

Yes, just into one file. Read the doc about tls_certificate and tls_privatekey: the latter doesn't need to be set if the file referenced by tls_certificate contains both the key and the cert (order does not matter). And there is no need to restart/reload Exim, as the certs are accessed on demand.

HTH.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann

--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
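The two pieces of advice in the reply above, scripted as an added example (not code from the thread or from Exim/dehydrated): one helper walks the directory chain down to the key file and reports any directory the invoking user cannot search, the other is a renewal-hook body that writes key and chain into the single file that tls_certificate points at. Function names, the temp-file-then-rename step and the 0640 mode are my assumptions; run the first helper as the Exim runtime user, e.g. under `sudo -u Debian-exim` from `/`, as the reply suggests.

```shell
#!/bin/sh
# Added example: helpers for the two problems discussed in the reply.
set -u

# Report every ancestor directory of FILE that the *current* user cannot
# search (missing x bit), then check the file itself is readable.
# Returns 1 if Exim, run as this user, could not open the file.
check_dir_exec_chain() {
    file=$1
    rc=0
    dir=$(dirname "$file")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -x "$dir" ]; then
            printf 'no search (x) permission on %s: %s\n' \
                "$dir" "$(ls -ld "$dir" 2>/dev/null)" >&2
            rc=1
        fi
        dir=$(dirname "$dir")
    done
    if [ ! -r "$file" ]; then
        printf 'cannot read %s\n' "$file" >&2
        rc=1
    fi
    return $rc
}

# Renewal-hook body: KEY and CHAIN are concatenated into OUT, the one file
# tls_certificate refers to (tls_privatekey then stays unset).  The bundle
# is built under a restrictive umask in a temp file and renamed into place,
# so Exim, which reads the file on demand, never sees a half-written bundle.
# OWNER (e.g. "Debian-exim") is optional; chown only works as root anyway.
install_exim_tls_bundle() {
    key=$1 chain=$2 out=$3 owner=${4:-}
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0640 "$tmp" && mv -f "$tmp" "$out"
}
```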