Hi
>2019-01-06 16:21 skrev John Cox:
>> Hi
>>
>> I'm using OpenSMTPD 6.4.0
>>
>> I'm (at least) a little confused as to which sort of certs I should
>> put in the pki cert and ca conf file entries (I can cope with the key
>> entry!)
>>
>> I have an apparently functional ACME setup using the default
>> acme-client supplied with openbsd. This gives me 3 sorts of cert:
>>
>> 1) Bare cert
>> 2) Chain cert
>> 3) Full chain cert
>>
>> I have pki cert set to the bare cert, and ca set to the chain cert -
>> is that correct? or should I use the full chain cert for the pki cert?
>>
>> I ask because whilst the setup mostly morks I do get odd logging like
>> this:
>>
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
>> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
>> Jan 6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
>> verification succeeded on session 92975635cb3d86a4
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
>> evpid=00fe7e3a0bda75cf from=
>> to= rcpt=
>> source="46.235.226.138" relay="212.54.58.11
>> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
>> MXIN650 mail accepted for delivery
>> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
>> Jan 6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
>> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
>> disconnected reason=quit messages=1
>>
>> Where I seems to succeed with tls and then it says that it has failed.
>> What is going on?
I know I put 2 questions in one message but does anyone have any idea
why I seem to both get a TLS success & a TLS failure here?
>>
>> Thanks
>>
>> John Cox
>
>You should use the full chain, so that any connecting computers can
>verify the full certificate chain. :)
>
>This is a snippet from my configuration:
>
>pki mx.helloworld.online cert
>"/etc/ssl/acme/mx.helloworld.online.fullchain.pem"
>pki mx.helloworld.online key
>"/etc/ssl/acme/private/mx.helloworld.online.key"
>
>Hope that helps in some way.
Thanks - I think I understand what is needed for verification to take
place, and as I am using a public CA to generate the certs. at least
in theory, the chain part should be well known and therefore not
needed or actually unwanted if the far end is going to verify the
cert. (Unless, of course, the CA has generated intermediate certs
between the well known root cert and my cert, in which case the chain
is required to bridge the gap.)
Fullchain shouldn't really be required unless you have a self-signed
thing or want to persuade the far end to add your root cert to its
cert stash. Nonetheless I equally understand that many
implementations want a full chain so it must be available.
The question is - how is the fullchain constructed - is it pki+ca or
just pki, and if the latter then what is the ca statement meant to do
for me?
Many thanks
John Cox
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
