Hi

> I see this in my logs a lot:
>
> Dec 9 19:17:51 frisell smtpd[8813]: warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
>
> On my system (gentoo), /etc/ssl/ has a directory called certs which has multiple pems. How to handle this?
I'm guessing slightly but, openssl has (at least) two schemes for handling certificate verification: bundles and directories with certificates (and hashes).

A bundle, which is what I think opensmtpd wants, is simply all the certs that you want to treat as roots concatenated into one file. There is sometimes a size limit on what works for this.

A directory, which is what sendmail seems to want, is a lot of files which each contains 1 cert with a file name derived from their hash value (or quite commonly sym links named after the hash value of the cert files they point to). I have some perl scripts that will take apart bundles and convert to the hash form, but not the other way round.

If you want to check that your bundle or dir is working correctly then "openssl verify" is your friend (you will need to read the man page carefully).

It is worth noting that, from what I've read on this mailing list,

    pki example.net ca /etc/ssl/certs.pem

is not the same thing as the sendmail

    define(`confCACERT', `CERT_DIR/local_certs/ca_example.net.crt')

I believe that the pki line specifies a bundle to search for verification and I'm pretty sure that the sendmail line defines a cert (or small cert bundle) that is sent along with your local cert as a list of preferred CAs that the other end should use (and maybe can also show your chain of trust - I think this protocol element is often abused, misunderstood or ignored).

TLS is the next thing I intend to play with in my opensmtpd setup and I haven't had actual experience of setting it up yet so the above should be taken with a pinch of salt. But I have made sendmail's version work properly for me with both public root certs and locally generated certs at the same time so I have some background on what I'm expecting to happen.
Wishlist
--------

    pki example.net cacert_path /etc/ssl/certs

equivalent to sendmail

    define(`confCACERT_PATH', `CERT_DIR/certs')

Also a source match on cert issuer and/or cert name like the sendmail access db line:

    CertIssuer:/C=GB/ST=England/L=Gotham/O=WayneEnterprises/OU=BatCave/CN=cave.net/[email protected]   RELAY

I use the above to allow relaying from any site that connects via TLS with a cert that I have signed without the need for separate auth. It also allows me to verify the cert chains of random sites that are relaying mail to me without letting them relay onwards.

Also CRL bundles or CRL dirs.

Thanks

John Cox

--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
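As an added example (not code from this thread, nor from OpenSMTPD or sendmail), the script below shows the two trust-store layouts the reply describes: a bundle, which is all roots concatenated into one file, and a hashed directory, which holds one cert per file with a symlink named after the cert's subject hash. It splits a bundle into per-cert files with awk alone, builds the hash links the way c_rehash would, and wraps "openssl verify" so each form can be checked. It assumes POSIX sh and awk, and an openssl binary only for the hashing and verify steps; the demo's bundle bodies are constructed placeholders, and the throwaway CA it generates is purely for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates the bundle and
# hashed-directory forms of an OpenSSL CA store and the "openssl verify" check.
# Assumes POSIX sh + awk; openssl is needed only by hash_dir/verify_cert/demo.

# split_bundle BUNDLE OUTDIR
# Copies each BEGIN/END CERTIFICATE block of BUNDLE into OUTDIR/cert-N.pem and
# prints the number of certificates written (0 if the file holds none).
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# hash_dir DIR
# Gives every *.pem in DIR the <subject-hash>.<seq> symlink that OpenSSL's
# directory lookup (-CApath, sendmail confCACERT_PATH) expects; this is what
# c_rehash does, written out explicitly. Requires openssl.
hash_dir() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -hash -noout -in "$f") || return 1
        i=0
        # Several certs can share a hash; OpenSSL probes hash.0, hash.1, ... in turn.
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# verify_cert CERT bundle FILE   or   verify_cert CERT dir DIR
# Runs "openssl verify" against whichever store form you are about to hand to
# smtpd (bundle) or sendmail (directory), so a broken layout shows up here first.
verify_cert() {
    case $2 in
        bundle) openssl verify -CAfile "$3" "$1" ;;
        dir)    openssl verify -CApath "$3" "$1" ;;
        *)      echo "usage: verify_cert CERT bundle|dir STORE" >&2; return 2 ;;
    esac
}

# demo: the constructed bundle below has placeholder bodies, so only the split
# step runs on it. If openssl is present, a throwaway self-signed CA is made to
# show hashing and both verify forms on a real certificate.
demo() {
    work=$(mktemp -d)
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'placeholder-body-one' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'placeholder-body-two' '-----END CERTIFICATE-----' \
        > "$work/bundle.pem"
    echo "certificates in constructed bundle: $(split_bundle "$work/bundle.pem" "$work/split")"
    if command -v openssl >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
            -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
        mkdir -p "$work/capath" && cp "$work/ca.pem" "$work/capath/" && hash_dir "$work/capath"
        ls -l "$work/capath"                               # shows <hash>.0 -> ca.pem
        verify_cert "$work/ca.pem" bundle "$work/ca.pem"   # bundle form (pki ... ca)
        verify_cert "$work/ca.pem" dir "$work/capath"      # directory form (confCACERT_PATH)
    fi
    rm -rf "$work"
}

demo
```

Running it with a real bundle such as /etc/ssl/cert.pem as the argument to split_bundle, then hash_dir on the output directory, yields the directory layout; verify_cert against a peer's certificate file then tells you whether the store you are pointing smtpd or sendmail at actually chains.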
