No issue with the search path or chmod. As mentioned, the CA chain
certificate has the same mask as the PKI certificates, which are also in
the same directory. Tearing down does not solve it, and the issue remains
even with the simplest set.

I suspect it rather being an EC key issue, as the CA root chain and
its certificate signing request were generated from a private EC key, whilst
the PKI certificates' signing requests are private RSA key based.
Since OpenSMTPD is a portable app, I would reckon that it relies
solely on its own (RSA) crypto engine, which has no support for EC keys,
rather than having the OpenSSL API [ SSL_CTX_set1_groups_list ] call
implemented for supporting EC keys?

The thing is that the entire CA is standardized on EC [ brainpoolP512r1
] keys and I cannot escape from that standard, at least not for the CA root
chain.

> The cert should be chmod 600 owned by root. I've had issues where the search 
> path was the cause so make sure /etc/pki/certs can be read by root also. You 
> have a lot going on. I would suggest tearing it down to the bare essentials 
> and add pieces one at a time so you are only debugging one issue at a time. 
> It could also be the cert is just made wrong. What were your steps to make it?
> On Jul 30, 2018 12:11 PM, ѽ҉ᶬḳ℠ <[email protected]> wrote:
>>
>>>> Getting this error and not sure what to make of that error code 0B084002:
>>>>
>>>> warn: unable to load CA file /etc/pki/certs/ca-chain.cert.pem:
>>>> Permission denied
>>>> debug: lka: X509 verify: error:0B084002:x509 certificate
>>>> routines:X509_load_cert_crl_file:system lib
>>>> smtp-out: Server certificate verification failed on session 
>>>> 21fb77fa13301003
>>>>
>>>> The file has the same permission as the PKI certificates (and PEM
>>>> format) but for which no such error is exhibited.
>>>>
>>>> # file: etc/pki/certs/ca-chain.cert.pem
>>>> # owner: root
>>>> # group: root
>>>> user::r--
>>>> group::---
>>>> other::r--
>>>>
>>>>
>>>> This is on Archlinux kernel 4.17.9 and its repo package opensmtpd 6.0.3p1-2
>>>>
>>> The config you posted previously didn't show any of the tls information 
>>> needed to assist you.
>> That is config:
>>
>> ca mail certificate '/etc/pki/certs/ca-chain.cert.pem'
>> pki mail key '/etc/pki/private/RSA_smtp_lan_server_vtol.km.key.pem'
>> pki mail certificate '/etc/pki/certs/RSA_smtp_lan_server_vtol.km.cert.pem'
>> ca server.foo.bar certificate '/etc/pki/certs/ca-chain.cert.pem'
>> pki server.foo.bar key '/etc/pki/private/RSA_smtp_wan_server_vtol.km.key.pem'
>> pki server.foo.bar certificate '/etc/pki/certs/RSA_smtp_wan_server_vtol.km.cert.pem'
>>
>> listen on lo inet4 port 25 tls hostname mail mask-source tag lo
>> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
>> listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
>> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>> listen on lo port 10028 mask-source tag DKIM
>> # listen on eth0 inet4 port 40025 tls-require hostname server.foo.bar tag wan
>> # listen on eth0 inet4 port 40587 smtps hostname server.foo.bar tag wan
>>
>> accept for local alias <aliases> deliver to lmtp "/var/run/dovecot/lmtp"
>> accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>> accept for any relay hostname server.foo.bar tls verify
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
>> accept from any for domain "foo.bar" alias <aliases> deliver to maildir "~/Maildir"
>>
>> limit mta inet4
>> max-message-size 5M
>> expire 10m
>> bounce-warn 1m, 10m, 1h, 2h
>> queue encryption key [ obfuscated ]
>> queue compression
>> ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
>>
>> --
>> You received this mail because you are subscribed to [email protected]
>> To unsubscribe, send a mail to: [email protected]
>>
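An added diagnostic, not from this thread or the OpenSMTPD project, that separates the two explanations in play: the OS refusing to open the CA file versus an EC key the TLS stack cannot use. It decodes the logged error code with openssl, reports the key algorithm of a certificate file, verifies the server certificate against the chain, and tries to open the file as the service user; the sample PKI is constructed in a temp dir, and the user name _smtpd and the prime256v1 curve (standing in for brainpoolP512r1) are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). It builds a throwaway EC-signed CA
# with an RSA leaf, mirroring the thread's layout, and runs the checks that
# separate "the OS refused to open the file" from "the key type is unsupported".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PKI. prime256v1 stands in for brainpoolP512r1, which not
# every OpenSSL build enables; the leaf is RSA like the thread's pki entries.
make_sample_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -new -key "$WORK/ca.key" -subj "/CN=Test EC CA" -out "$WORK/ca.csr"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca-chain.cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
        -subj "/CN=mail" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca-chain.cert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/srv.cert.pem" 2>/dev/null
}

# OpenSSL's own reading of a logged code such as 0B084002: "system lib" means
# the failure came from the OS (the open itself), not from certificate parsing.
decode_error() {
    openssl errstr "$1"
}

# Key algorithm of the first certificate in a PEM file: "id-ecPublicKey" for
# an EC-signed chain, "rsaEncryption" for an RSA one.
key_algorithm() {
    openssl x509 -in "$1" -noout -text | awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# Exit status 0 when the server certificate chains to the CA file.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Try to open the file as the unprivileged service user (needs root). The user
# name _smtpd is an assumption; check what your package actually creates.
readable_as() {
    su -s /bin/sh -c "test -r '$1'" "$2"
}

make_sample_pki
echo "error 0B084002 -> $(decode_error 0B084002)"
echo "CA key algorithm: $(key_algorithm "$WORK/ca-chain.cert.pem")"
echo "leaf key algorithm: $(key_algorithm "$WORK/srv.cert.pem")"
chain_verifies "$WORK/ca-chain.cert.pem" "$WORK/srv.cert.pem" && echo "chain verifies"
```

Run `readable_as /etc/pki/certs/ca-chain.cert.pem _smtpd` as root on the real host; a non-zero exit there, together with "system lib" in the decoded error, points at the file or a directory on its path rather than at the key type.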