Hi Martin,
you could be right about the missing stuff. After recreating the certificate
with the newhostreq method - the newreq.pem was a null-file, i.e. empty.
After recreating it with the normal newreq options - it's OK now. Here is its
content (start of the file):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Neuchatel, L=Neuchatel, O=Solar System Servers, OU=Sun Server, CN=Joerg Mertin/[EMAIL PROTECTED]
        Validity
            Not Before: Sep 5 09:15:56 2003 GMT
            Not After : Sep 4 09:15:56 2004 GMT
        Subject: C=DE, ST=Neuchatel, L=Neuchatel, O=Solar System Servers, OU=Sun Server, CN=Joerg Mertin/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
..... etc ....
However - with all the hints I got so far - I'm still not able to get it to
work - as you can see from the syslog output.
Sep 5 11:23:44 sun postfix/smtpd[29222]: starting TLS engine
Sep 5 11:23:44 sun postfix/smtpd[29222]: unable to get private key from '/etc/newreq.pem'
Sep 5 11:23:44 sun postfix/smtpd[29222]: 29222:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
Sep 5 11:23:44 sun postfix/smtpd[29222]: 29222:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:399:
Sep 5 11:23:44 sun postfix/smtpd[29222]: 29222:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:
Sep 5 11:23:44 sun postfix/smtpd[29222]: TLS engine: cannot load RSA cert/key data
Sep 5 11:23:44 sun postfix/smtpd[29222]: connect from pandora.solsys.org[10.0.2.47]
Could anyone who has TLS working be so kind as to check whether the openssl
rpms installed on their system look similar to mine?
[EMAIL PROTECTED] etc]# rpm -qa | grep openssl
openssl-0.9.7a-1.1mdk
libopenssl0.9.7-devel-0.9.7a-1.1mdk
libopenssl0-0.9.6i-1.1mdk
libopenssl0.9.7-0.9.7a-1.1mdk
Thx & Cheers
Joerg
On Friday 05 September 2003 07:24, Martin Fahrendorf wrote:
> On Thursday, 4 September 2003 15:42, Joerg Mertin wrote:
> > Hi Martin,
> >
> > thx for the hint. Done it the way you suggested and here is what came out:
> > Sep 4 15:36:14 sun postfix/postfix-script: starting the Postfix mail system
> > Sep 4 15:36:14 sun postfix: succeeded
> > Sep 4 15:36:14 sun postfix/master[31278]: daemon started -- version 2.0.6
> > Sep 4 15:36:18 sun postfix/smtpd[31285]: starting TLS engine
> > Sep 4 15:36:18 sun postfix/smtpd[31285]: unable to get certificate from '/etc/postfix/newcert.pem'
> > Sep 4 15:36:18 sun postfix/smtpd[31285]: 31285:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE:
> > Sep 4 15:36:18 sun postfix/smtpd[31285]: 31285:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:765:
> > Sep 4 15:36:18 sun postfix/smtpd[31285]: TLS engine: cannot load RSA cert/key data
> >
> > I did all the same steps - except replaced newreq with newhostreq.
> > No Difference... Failure again.
> >
> > Anyone got another idea ?
>
> Does your newcert file look something like this?
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 33 (0x21)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=DE, ST=Hessen, ...
> Authority/[EMAIL PROTECTED]
> Validity
> Not Before: Jun 30 09:56:28 2003 GMT
> Not After : Jun 29 09:56:28 2005 GMT
>
> The error message says something like 'Certificate: Text missing in File'
> (PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE:)
>
> BTW for testing reasons it is wise to disable the chroot stuff in postfix
> (in master.cf) smtpd reads the certificates before entering the chroot
> environment.
--
Death is life's way of telling you you've been fired.
-- R. Geis
------------------------------------------------------------------------
| Joerg Mertin : [EMAIL PROTECTED] (Home)|
| in Neuchâtel/Schweiz : [EMAIL PROTECTED] (Alt1)|
| Stardust's LiNUX System : [EMAIL PROTECTED] (Alt2)|
| Web: http://www.solsys.org: Voice & Fax: +41(0)32 / 725 52 54 |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
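
Added example (not part of the original messages): a Python check for the three file conditions that show up in this thread, namely an empty PEM file, a file with no CERTIFICATE block ("no start line ... Expecting: CERTIFICATE"), and a passphrase-protected private key, which is what OpenSSL reports as "problems getting password" / "bad password read" when nothing can supply the passphrase. The function names and the sample PEM text are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed samples (bodies are placeholders, not real key material).
REQ_ONLY = ("-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n"
            "-----END CERTIFICATE REQUEST-----\n")
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
           "-----END RSA PRIVATE KEY-----\n")

def inspect_pem(text):
    """Return (labels, problems) for the contents of one PEM file."""
    if not text.strip():
        return [], ["file is empty"]
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    problems = [] if labels else ["no PEM start line found"]
    for label, body in blocks:
        if not label.endswith("PRIVATE KEY"):
            continue
        # Traditional OpenSSL keys mark encryption in a Proc-Type header;
        # PKCS#8 keys use the ENCRYPTED PRIVATE KEY label instead.
        if "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is passphrase-protected")
    return labels, problems

def check_server_files(cert_text, key_text):
    """List what would stop a non-interactive daemon from loading cert and key."""
    findings = []
    labels, problems = inspect_pem(cert_text)
    findings += ["cert: " + p for p in problems]
    if labels and "CERTIFICATE" not in labels:
        findings.append("cert: no CERTIFICATE block (found: %s)" % ", ".join(labels))
    labels, problems = inspect_pem(key_text)
    findings += ["key: " + p for p in problems]
    if labels and not any(l.endswith("PRIVATE KEY") for l in labels):
        findings.append("key: no PRIVATE KEY block (found: %s)" % ", ".join(labels))
    return findings

if __name__ == "__main__":
    for line in check_server_files(REQ_ONLY, ENC_KEY):
        print(line)
```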