Re: [exim] Error while reading cert or key file

2021-07-05 Thread Adrian via Exim-users
Heiko Schlittermann wrote
>> systemctl restart dovecot
>Why dovecot?

I don't remember why, it was a while ago.  Maybe unnecessary.  I did
know that exim4 re-reads the file and a restart wasn't needed for it.

The moduli match as root.  But I realised it was important to do it as
Debian-exim.  I don't have sudo installed but used su -s /bin/bash
Debian-exim.  (Thanks for listing the exact commands BTW).

And the error was fairly obvious.  I couldn't read the cert file or the
symlink to it.

/etc/letsencrypt and its subdirectories live and archive were group
executable (750), but the group was root.  Changing the group to
Debian-exim fixed the problem.  The private keys are still (700
root:root) so I trust this hasn't reduced security.

Thanks Heiko!

Adrian

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
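The check that finally located Adrian's problem, written out as a script: a POSIX sh example added to this archive page, not code from the thread or from the Exim project. Exim opens the cert and key as its runtime user, so that user needs search (x) permission on every directory on the way to the file, including every directory leading to a symlink's target, plus read (r) on the file; `ls -l` on the file alone does not show that. The script walks the whole chain for a given uid and group-id list, so it goes beyond the single case in the thread. Assumptions: GNU coreutils (`stat -c`, `readlink -f`), Linux, and plain mode bits only; POSIX ACLs (the `+` in `ls -l`) are not evaluated, so a file that is readable only through an ACL entry will be reported as unreadable. The directory tree it builds under /tmp is a constructed stand-in for /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the Exim list thread). Reproduces, as a script,
# the check that found the problem: can uid/gids reach and read this file?
# Assumes GNU coreutils; checks owner/group/other bits only (no ACLs).

# in_list NEEDLE "a b c": 0 if NEEDLE is one of the words
in_list() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# perm_ok FILE WANT UID GIDS: 0 if uid UID with group ids GIDS may WANT
# ('r' or 'x') FILE. Class selection mirrors the kernel: owner class if the
# uid matches, else group class if the file's gid is in GIDS, else other.
perm_ok() {
    f=$1; want=$2; uid=$3; gids=$4
    out=$(stat -c '%a %u %g' "$f" 2>/dev/null) || return 1
    set -- $out
    mode=$((0$1)); fuid=$2; fgid=$3     # stat prints octal; the 0 prefix parses it
    [ "$uid" -eq 0 ] && return 0        # root bypasses read and directory-search checks
    if [ "$uid" -eq "$fuid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif in_list "$fgid" "$gids"; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    if [ "$want" = r ]; then need=4; else need=1; fi
    [ $(( bits & need )) -ne 0 ]
}

# walk_dirs PATH UID GIDS: needs x on / and on every directory above PATH.
# Prints the first directory that blocks traversal and returns 1.
walk_dirs() {
    path=$1; uid=$2; gids=$3
    perm_ok / x "$uid" "$gids" || { echo "no x (search) on /"; return 1; }
    cur=""; rest=${path#/}
    while [ "${rest#*/}" != "$rest" ]; do   # while a '/' remains in rest
        comp=${rest%%/*}; rest=${rest#*/}
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        perm_ok "$cur" x "$uid" "$gids" || { echo "no x (search) on $cur"; return 1; }
    done
    return 0
}

# check_path PATH UID GIDS: walks the directories of PATH as given, then
# those of its resolved symlink target, then needs r on the target.
# Prints "ok" or the first failing component.
check_path() {
    p=$1; uid=$2; gids=$3
    resolved=$(readlink -f "$p") || { echo "cannot resolve $p"; return 2; }
    [ -e "$resolved" ] || { echo "missing: $resolved"; return 2; }
    walk_dirs "$p" "$uid" "$gids" || return 1
    if [ "$resolved" != "$p" ]; then
        walk_dirs "$resolved" "$uid" "$gids" || return 1
    fi
    perm_ok "$resolved" r "$uid" "$gids" || { echo "no r on $resolved"; return 1; }
    echo ok
}

# make_demo: constructed tree shaped like the thread's /etc/letsencrypt:
#   live/example.com/fullchain.pem -> ../../archive/example.com/fullchain1.pem
# with live and archive mode 750 (the state that broke TLS). Prints the root.
make_demo() {
    d=$(mktemp -d /tmp/certperm.XXXXXX) || return 1
    chmod 755 "$d"
    mkdir -p "$d/letsencrypt/live/example.com" "$d/letsencrypt/archive/example.com"
    printf 'constructed placeholder, not a real certificate\n' \
        > "$d/letsencrypt/archive/example.com/fullchain1.pem"
    chmod 644 "$d/letsencrypt/archive/example.com/fullchain1.pem"
    ln -s ../../archive/example.com/fullchain1.pem \
        "$d/letsencrypt/live/example.com/fullchain.pem"
    chmod 755 "$d/letsencrypt" "$d/letsencrypt/live/example.com" \
        "$d/letsencrypt/archive/example.com"
    chmod 750 "$d/letsencrypt/live" "$d/letsencrypt/archive"
    echo "$d"
}

# On a real host (as root): check_path CERT "$(id -u Debian-exim)" "$(id -G Debian-exim)"
# Demo: an unprivileged uid that is first outside, then inside, the group that
# owns live/ and archive/ (the second case is what chgrp Debian-exim achieved).
demo=$(make_demo)
cert="$demo/letsencrypt/live/example.com/fullchain.pem"
u=$(( $(id -u) + 1 ))
grp=$(stat -c %g "$demo/letsencrypt/live")
check_path "$cert" "$u" "$u" || true      # no x (search) on .../letsencrypt/live
check_path "$cert" "$u" "$u $grp" || true # ok
rm -rf "$demo"
```

Run it as root with the runtime user's real ids (from `id -u Debian-exim` and `id -G Debian-exim`) for both the cert path and the key path; it reports the first directory the user cannot search, which is exactly the `live`/`archive` group-root 750 case from the thread, and it does so without relaxing any permission. Where sudo is not installed, the same ground truth comes from `su -s /bin/sh Debian-exim -c 'cat /path/to/file >/dev/null'`, as Adrian did.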


Re: [exim] Error while reading cert or key file

2021-07-05 Thread Adrian via Exim-users


On Sun, 04 Jul 2021 23:03:47 +
u...@net9.ga wrote:

> lsattr - list file attributes on a Linux second extended file system
> 
> I doubt this is the problem, but I have nothing better to offer.

Thanks u34

No it doesn't seem related.  Lsattr's output for the key and for the
target of the cert symlink are --e on the working
system and the new one.



Re: [exim] Error while reading cert or key file

2021-07-04 Thread Heiko Schlittermann via Exim-users
Adrian via Exim-users  (So 04 Jul 2021 22:48:08 CEST):
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.

First of all: make sure that the certificate matches the key:
Compare the modulus of the key used for the cert with the modulus of the
key in your key file; do this as the Exim runtime user:

cd /
sudo -u Debian-exim openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -modulus
sudo -u Debian-exim openssl rsa -in /etc/exim4/privkey.pem -noout -modulus


> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
~~~
Why dovecot? If, then Exim. But Exim reads the cert *on demand*, each
time for each connection, so there is no need to restart-or-reload Exim
because of a certificate change. (Of course, as long as the path doesn't
change.)

> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.

You can start the daemon in the foreground with TLS debugging, on a
"private" port (if TLS doesn't suffice, try -d+tls, and then -d+all
instead of -d-all+tls)

exim -d-all+tls -bdf -oX 2525

and then connect using an SSL client:

openssl s_client -connect localhost:2525 -starttls smtp

> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.

You can do chmod a+r on the key and the cert for testing purpose, Exim
doesn't check the permissions (and the SSL libraries don't check either,
I believe)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
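Heiko's first step, comparing the modulus of the cert with that of the key, only works for RSA keys. The script below is an example added to this archive page (not from the thread or from Exim) that generalises it: it compares the DER-encoded public key extracted from the cert with the public key derived from the private key, which works for RSA and ECDSA alike, and prints a SHA-256 of the key rather than the key itself so the output can be pasted into a ticket. Assumptions: the `openssl` command line (1.1.1 or 3.x) is installed; the file names and the `cert_key_match` function name are this example's own. Run it as the runtime user (`sudo -u Debian-exim sh script.sh CERT KEY`, or `su -s /bin/sh Debian-exim -c '...'` where sudo is absent) and an unreadable file is reported separately from a key that does not pair with the cert.

```shell
#!/bin/sh
# Added example (not from the Exim list thread): does this cert belong to
# this private key? Public-key comparison works for RSA and ECDSA; the RSA
# modulus comparison from the thread is the RSA-only special case.
# Assumes the openssl command line is installed.

# pubkey_fingerprint FILE KIND (KIND = cert | key)
# Prints the SHA-256 of the DER public key; returns 1 if FILE is unreadable
# or not parseable as that kind.
pubkey_fingerprint() {
    case $2 in
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_key_match CERT KEY: 0 if they pair, 1 if not, 2 if either file
# cannot be read as the current user (so a permission problem is
# distinguished from a wrong key, which is the ambiguity in the thread).
cert_key_match() {
    c=$(pubkey_fingerprint "$1" cert) \
        || { echo "cannot read certificate $1 as uid $(id -u)"; return 2; }
    k=$(pubkey_fingerprint "$2" key) \
        || { echo "cannot read key $2 as uid $(id -u)"; return 2; }
    if [ "$c" = "$k" ]; then
        echo "match $c"; return 0
    fi
    echo "MISMATCH cert=$c key=$k"; return 1
}

# Command-line use: sh script.sh CERT KEY
if [ $# -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

Because the hash covers the public key only, a mismatch report contains nothing secret, and the "cannot read" branch run as Debian-exim answers the original question (which of the two files the daemon cannot open) without changing any permission.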




Re: [exim] Error while reading cert or key file

2021-07-04 Thread u34--- via Exim-users
Adrian via Exim-users  wrote:

> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.
> 
> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
> 
> This is the output of getfacl and ls -l and is the same for the existing
> and the new server.
> 
> getfacl privkey.pem 
> # file: privkey.pem
> # owner: root
> # group: Debian-exim
> user::rw-
> group::r--
> group:Debian-exim:r--
> mask::r--
> other::---
> 
> ls -l privkey.pem 
> -rw-r-+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem
> 
> The existing server works, the new server can't do TLS and reports
> 'Error while reading file'.
> 
> Exim4 is running as user Debian-Exim.  I've tried setting initgroups =
> true.
> 
> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.
> 
> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.
> 
> I have to confess now that I don't generally understand the answers
> here. Please would you explain in terms that tell me the commands
> to issue, and what to add or change in which files.  Thanks!
> 

lsattr - list file attributes on a Linux second extended file system

I doubt this is the problem, but I have nothing better to offer.

--
u34



[exim] Error while reading cert or key file

2021-07-04 Thread Adrian via Exim-users
I'm setting up exim4 on a new server, to be as similar as possible to
an existing server where exim4 works well.  Both are running Debian
buster with split config files.

I'm getting the following error in the mainlog
TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
(cert/key setup:
cert=/etc/letsencrypt/live/example.com/fullchain.pem
key=/etc/exim4/privkey.pem): Error while reading file.

The cert file path is a symlink to the actual file
in /etc/letsencrypt which is world-readable.

The key file is /etc/exim4/privkey.pem which is a COPY of the live
one in /etc/letsencrypt.  When the key is renewed by certbot a script
recreates the copy in /etc/exim4 and runs the following script

chgrp Debian-exim /etc/exim4/privkey.pem
setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
# setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
systemctl restart dovecot

This is the output of getfacl and ls -l and is the same for the existing
and the new server.

getfacl privkey.pem 
# file: privkey.pem
# owner: root
# group: Debian-exim
user::rw-
group::r--
group:Debian-exim:r--
mask::r--
other::---

ls -l privkey.pem 
-rw-r-+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem

The existing server works, the new server can't do TLS and reports
'Error while reading file'.

Exim4 is running as user Debian-Exim.  I've tried setting initgroups =
true.

Is there a way to increase debug verbosity?  E.g. so that exim4
confirms which file it can't read, the cert or the key file.

..or anything else, even brief relaxation of permissions, that might
help identify where the problem lies.

I have to confess now that I don't generally understand the answers
here. Please would you explain in terms that tell me the commands
to issue, and what to add or change in which files.  Thanks!
