Re: [exim] renewing the SSL certificate doesn't work
On Mon, Feb 27, 2023 at 10:21:56AM +, Gary Stainburn via Exim-users wrote:

> generated-private-key.txt
>
>   inflating: 27eff7f9e735cb3f.crt
>   inflating: 27eff7f9e735cb3f.pem
>
> The exim.conf file includes
>
>   tls_privatekey = /etc/pki/tls/certs/ringways.co.uk.key
>   tls_certificate = /etc/pki/tls/certs/exim.pem
>
> I copied generated-private-key.txt to /etc/pki/tls/certs/ringways.co.uk.key

Correct.

> I copied 27eff7f9e735cb3f.crt to /etc/pki/tls/certs/exim.pem

I rather expect you should have copied the "27eff7f9e735cb3f.pem" file,
not the ".crt" file, which is likely a binary "DER" file.

To test whether the key is well-formed and matches the certificate:

    pkeyfile=/some/where/generated-private-key.txt
    certfile=/some/where/27eff7f9e735cb3f.pem

    openssl pkey -in "$pkeyfile" -pubout -outform DER |
        openssl dgst -sha256 -binary | xxd -p -c32

    openssl x509 -in "$certfile" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -binary | xxd -p -c32

Neither command should output any error messages, and the output of both
should be the same (SHA256 fingerprint of the DER public key).

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] renewing the SSL certificate doesn't work
Gary Stainburn via Exim-users (Mo 27 Feb 2023 11:21:56 CET):
> However, when I install the new files I get SSL errors.
>
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
> (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key):
> error:0906D06C:PEM routines:PEM_read_bio:no start line

Try

    openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

It should read the key. If it works, try the same as the Exim runtime user:

    sudo -u $(exim -n -bP exim_user) openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

Both commands must not produce any error message; in fact, they must not
produce any output.

-- 
    Heiko
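The checks Viktor and Heiko describe above, collected into one POSIX shell script. This is an added example, not code from the thread or from the Exim project: the file paths are placeholders, `od` and `sed` stand in for `xxd` (which is part of vim and not always installed), the two public keys are compared as PEM text and only then hashed for display, and `readable_as_user` takes the Exim user name as an argument (on a live system Heiko's `$(exim -n -bP exim_user)` supplies it). The `pem_kind` classifier also explains the "no start line" error from the original report: OpenSSL's PEM reader found no `-----BEGIN ...-----` header, which is what a binary DER `.crt` produces.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the failure modes discussed
# above, written as functions so each can be used on its own.
# All file names used with these functions are placeholders.

# Classify a file by its leading bytes. "PEM routines:...:no start line"
# means no "-----BEGIN ...-----" header was found, e.g. a DER file.
pem_kind() {
    # DER is an ASN.1 SEQUENCE, first byte 0x30; test that before reading
    # the file as text so binary never ends up in a shell variable.
    first_byte=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first_byte" = "30" ]; then
        echo der
        return 0
    fi
    first_line=$(head -n 1 "$1" | tr -d '\r')
    case "$first_line" in
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            echo pem-key ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pem-encrypted-key ;;   # unusable by a daemon without the passphrase
        "-----BEGIN CERTIFICATE-----")
            echo pem-cert ;;
        *)
            echo unknown ;;
    esac
}

# SubjectPublicKeyInfo (PEM) derived from the private key, and from the cert.
pubkey_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Viktor's fingerprint: SHA-256 over the DER encoding of the public key.
# Reads PEM SPKI on stdin; sed strips the "SHA2-256(stdin)= " style prefix.
spki_fingerprint() {
    openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Succeeds only if both files parse and carry the same public key.
key_matches_cert() {
    k=$(pubkey_from_key "$1");  [ -n "$k" ] || return 1
    c=$(pubkey_from_cert "$2"); [ -n "$c" ] || return 1
    [ "$k" = "$c" ]
}

# Heiko's point: the daemon's runtime user, not root, must be able to read it.
readable_as_user() {
    sudo -u "$1" test -r "$2"
}

# Human-readable summary for one key/certificate pair.
check_tls_files() {
    key=$1; cert=$2
    echo "private key : $(pem_kind "$key")"
    echo "certificate : $(pem_kind "$cert")"
    if key_matches_cert "$key" "$cert"; then
        echo "match       : yes, $(pubkey_from_key "$key" | spki_fingerprint)"
    else
        echo "match       : NO, key and certificate do not belong together"
    fi
}

# Usage on a live host (paths are placeholders):
#   check_tls_files /etc/pki/tls/certs/example.key /etc/pki/tls/certs/exim.pem
#   readable_as_user "$(exim -n -bP exim_user)" /etc/pki/tls/certs/example.key
```

The classification step is the one worth running first: a DER file handed to the PEM loader, or a key with a CRLF or missing header line, produces the same "no start line" error as a file the daemon cannot read, and only the first two are visible from a root shell.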
Re: [exim] renewing the SSL certificate doesn't work
On 27/02/2023 11:15, Gary Stainburn via Exim-users wrote:
> I did suspect this, but the private key is in the correct format.

Try running Exim with debug; does it give any further hint?

Check the file ownership & permissions, also.

-- 
Cheers,
  Jeremy
Re: [exim] renewing the SSL certificate doesn't work
Hi Jeremy,

I did suspect this, but the private key is in the correct format.

    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfHGSy2Xa86a6u
    [24 extra lines]
    teQhR4s9S0uGkQ5UJMz51JY=
    -----END PRIVATE KEY-----

Also, carrying out the same process for the Apache server on my web server,
using the same certificate, bundle, and private key has worked fine.

Gary

On 27/02/2023 10:52, Jeremy Harris via Exim-users wrote:
> On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:
> > TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
> > (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key):
> > error:0906D06C:PEM routines:PEM_read_bio:no start line
> >
> > I seem to remember in the past that I had to merge the certificate with
> > the bundle, so I did that too, but I still get the above error.
>
> The error notes specifically the private-key file, so the bundle is not
> the issue.
>
> What does the file look like (do NOT post the whole thing publicly!)?
>
> The first couple of lines should be, for the expected format, something like
>
>     -----BEGIN PRIVATE KEY-----
>     MIIEvAIBADANBgkqh...
>
> and there should be a line
>
>     -----END PRIVATE KEY-----
>
> after the block of ascii-ized binary data.
Re: [exim] renewing the SSL certificate doesn't work
On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
> (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key):
> error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> I seem to remember in the past that I had to merge the certificate with
> the bundle, so I did that too, but I still get the above error.

The error notes specifically the private-key file, so the bundle is not
the issue.

What does the file look like (do NOT post the whole thing publicly!)?

The first couple of lines should be, for the expected format, something like

    -----BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqh...

and there should be a line

    -----END PRIVATE KEY-----

after the block of ascii-ized binary data.

-- 
Cheers,
  Jeremy