Adrian via Exim-users <exim-users@exim.org> (Sun 04 Jul 2021 22:48:08 CEST):
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well. Both are running Debian
> buster with split config files.
>
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.
First of all: make sure that the certificate matches the key. Compare the
modulus of the certificate with the modulus of the key in your key file, and
do this as the Exim runtime user:

    cd /
    sudo -u Debian-exim openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -modulus
    sudo -u Debian-exim openssl rsa -in /etc/exim4/privkey.pem -noout -modulus

> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
>
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt. When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
>
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4 seems not needed for this dir
> systemctl restart dovecot
  ~~~~~~~

Why dovecot? If anything, then Exim. But Exim reads the cert *on demand*,
each time for each connection, so there is no need to restart or reload
Exim because of a certificate change. (Of course, as long as the path
doesn't change.)

> Is there a way to increase debug verbosity? E.g. so that exim4
> confirms which file it can't read, the cert or the key file.

You can start the daemon in the foreground with TLS debugging, on a
"private" port (if TLS doesn't suffice, try -d+tls, and then -d+all
instead of -d-all+tls):

    exim -d-all+tls -bdf -oX 2525

and then connect using an SSL client:

    openssl s_client -connect localhost:2525 -starttls smtp <<<QUIT

> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.

You can do chmod a+r on the key and the cert for testing purposes. Exim
doesn't check the permissions (and the SSL libraries don't check either,
I believe).

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
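The two checks Heiko suggests above (can the Exim runtime user read both files, and does the key belong to the certificate) can be wrapped into one script. The following is an added example, not code from the thread or from Exim; it compares the public key embedded in the certificate with the public key derived from the private key, which generalises the modulus comparison to EC keys as well (openssl's -modulus only works for RSA). It assumes openssl is in PATH; the optional third argument, a user name to run the openssl calls as via sudo, is a hypothetical parameter, and the demo builds its own throwaway key pairs so that nothing from a real server is needed.

```shell
#!/bin/sh
# Added example (not from the original thread or the Exim project).
# check_tls_pair CERT KEY [USER]
#   Reads CERT and KEY (as USER via sudo, if given), and checks that the
#   public key in the leaf certificate equals the public key derived from
#   the private key. Unlike "openssl ... -modulus" this works for RSA and EC.
#   Exit codes: 0 match, 1 mismatch, 2 cert unreadable/unparsable,
#   3 key unreadable/unparsable.
check_tls_pair() {
    cert="$1"
    key="$2"
    runas="${3:-}"          # hypothetical optional parameter
    run=""
    if [ -n "$runas" ]; then
        run="sudo -u $runas"
    fi

    # x509 reads only the first certificate in the file, i.e. the leaf
    # certificate of a Let's Encrypt fullchain.pem.
    if ! cert_pub=$($run openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "cannot read or parse certificate: $cert" >&2
        return 2
    fi
    # Derive the SubjectPublicKeyInfo from the private key.
    if ! key_pub=$($run openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "cannot read or parse private key: $key" >&2
        return 3
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do NOT match" >&2
        return 1
    fi
    echo "certificate and key match"
    return 0
}

# Self-contained demonstration on constructed, throwaway key pairs
# (generated here on the fly; nothing from the poster's server).
# Returns 0 when every case behaves as expected.
demo_check_tls_pair() {
    tmp=$(mktemp -d) || return 9
    # RSA pair A
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.com \
        -keyout "$tmp/a.key" -out "$tmp/a.crt" >/dev/null 2>&1 || return 9
    # EC pair B (a different key, used to provoke a mismatch)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj /CN=example.com \
        -keyout "$tmp/b.key" -out "$tmp/b.crt" >/dev/null 2>&1 || return 9

    rc=0
    check_tls_pair "$tmp/a.crt" "$tmp/a.key" >/dev/null || rc=1    # RSA: match
    check_tls_pair "$tmp/b.crt" "$tmp/b.key" >/dev/null || rc=1    # EC: match
    st=0; check_tls_pair "$tmp/a.crt" "$tmp/b.key" 2>/dev/null || st=$?
    [ "$st" -eq 1 ] || rc=1                                         # mismatch
    st=0; check_tls_pair "$tmp/a.crt" "$tmp/missing.key" 2>/dev/null || st=$?
    [ "$st" -eq 3 ] || rc=1                                         # key unreadable
    rm -rf "$tmp"
    return $rc
}

# Usage on the setup from the thread (paths as quoted there):
#   check_tls_pair /etc/letsencrypt/live/example.com/fullchain.pem \
#                  /etc/exim4/privkey.pem Debian-exim
```

Running it as the Exim runtime user (third argument) reproduces the "Error while reading file" condition as exit code 2 or 3 and tells you which of the two files is at fault; exit code 1 means the copied key is stale relative to the renewed certificate.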