Adrian via Exim-users <exim-users@exim.org> (So 04 Jul 2021 22:48:08 CEST):
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.

First of all: make sure that the certificate matches the key:
Compare the modulus of the key used for the cert with the modulus of the
key in your key file; do this as the Exim runtime user:

        cd /
        sudo -u Debian-exim openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -modulus
        sudo -u Debian-exim openssl rsa -in /etc/exim4/privkey.pem -noout -modulus


> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
                    ~~~~~~~
Why dovecot? If anything, then Exim. But Exim reads the cert *on demand*, each
time for each connection, so there is no need to restart-or-reload Exim
because of a certificate change. (Of course, as long as the path doesn't
change.)

> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.

You can start the daemon in the foreground with TLS debugging, on a
"private" port (if the TLS output doesn't suffice, try -d+tls, and then -d+all
instead of -d-all+tls)

        exim -d-all+tls -bdf -oX 2525

and then connect using an SSL client:

        openssl s_client -connect localhost:2525 -starttls smtp <<<QUIT

> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.

You can do chmod a+r on the key and the cert for testing purposes, Exim
doesn't check the permissions (and the SSL libraries don't check either,
I believe)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
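The two checks Heiko recommends (can the Exim runtime user read both files, and do the cert and key belong together) can be scripted so they are repeated the same way after every certbot renewal. The following is an added example and not code from the list post or from the Exim project; the user name and the two paths are the ones quoted in the thread and are only defaults, and the functions must be given absolute paths because they run from /. Instead of the RSA-only `-modulus` comparison it compares the public key in SubjectPublicKeyInfo PEM form, which also covers ECDSA keys.

```shell
#!/bin/sh
# Added example, not part of the list post: check an Exim TLS certificate/key
# pair the way the advice above describes, as the Exim runtime user.
# The user name and paths below are the ones quoted in the thread; adjust them.

# Run a command as USER from / (so the runtime user's missing access to the
# current directory does not get in the way, cf. the "cd /" in the post).
# Skips sudo when we already are that user, which also lets the functions be
# exercised without root.
run_as() {
    user=$1; shift
    if [ "$(id -un)" = "$user" ]; then
        ( cd / && "$@" )
    else
        ( cd / && sudo -u "$user" "$@" )
    fi
}

# Exit 0 if USER can open FILE (absolute path) for reading. test -r follows
# symlinks and needs search (x) permission on every directory on the way, so
# it catches an unreadable link target or directory as well as an unreadable file.
readable_as() {
    run_as "$1" test -r "$2"
}

# Exit 0 if the public key inside CERT equals the public key derived from KEY.
# Both openssl commands print the key in SubjectPublicKeyInfo PEM form, so the
# text can be compared directly, for RSA and ECDSA keys alike.
# Exit 2 if either file could not be read as USER (the files are read as that
# user, so an unreadable file is reported as such and not as a mismatch).
cert_key_match() {
    cert=$1; key=$2; user=${3:-$(id -un)}
    cert_pub=$(run_as "$user" openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(run_as "$user" openssl pkey -in "$key" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Report on the pair Exim is configured with. Defaults are the values quoted
# in the thread (assumed here, not the package defaults); returns non-zero on
# the first kind of problem found, in the order Exim would hit them.
check_exim_tls() {
    user=${1:-Debian-exim}
    cert=${2:-/etc/letsencrypt/live/example.com/fullchain.pem}
    key=${3:-/etc/exim4/privkey.pem}
    rc=0
    for f in "$cert" "$key"; do
        if readable_as "$user" "$f"; then
            echo "ok:   $user can read $f"
        else
            echo "FAIL: $user cannot read $f (check the file and every directory above it, symlink targets included)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        if cert_key_match "$cert" "$key" "$user"; then
            echo "ok:   certificate and key belong together"
        else
            echo "FAIL: certificate and key do not match"
            rc=1
        fi
    fi
    return "$rc"
}

# Usage (as root, after a renewal):
#   check_exim_tls Debian-exim /etc/letsencrypt/live/example.com/fullchain.pem /etc/exim4/privkey.pem
```

Running `check_exim_tls` as root reports the readability of each file as seen by the runtime user before it compares the keys, so a "cannot read" line points at the permission problem while a "do not match" line means the copy in /etc/exim4 is stale relative to the renewed certificate. Because Exim reads the files per connection, no restart is needed once both lines say ok.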
