I don't think this is a problem with intermediate CAs, because spamdyke doesn't 
have to "trust" your certificate as long as it can match the public and private 
keys.  This is why self-signed certificates work fine with spamdyke.

The errors you're seeing are originating with OpenSSL and being reported by 
spamdyke.  I can think of a number of things that might trigger this kind of 
error:
        Your certificate file is not present or misnamed (double-check for 
typos).
        Your certificate file is not accessible (permission problem).
        Your certificate file is corrupted or truncated.
        Your certificate file is not in PEM format.
        Your certificate file only contains your public key; your private 
key is stored in another file.
        Your private key is password protected and spamdyke doesn't have the 
password.

Can you use the "openssl" command line tool to inspect your certificate file?  
If "openssl" can read it, spamdyke should be able to.

-- Sam Clippinger

On Aug 15, 2011, at 2:39 PM, Alex S. wrote:

> Hello,
>  
> I'm trying to set up a proper SSL certificate for TLS/SSL encryption with 
> Spamdyke 4.2.0. So I set it up in /etc/spamdyke.conf:
>  
> tls-certificate-file=/etc/ssl/private/www_mydomain_de.pem
>  
> The pem file contains both private key and certificate and is already 
> successfully used in CourierSSL.
>  
> Spamdyke complains in the qmail logfile:
>  
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to load SSL/TLS 
> certificate from file: /etc/ssl/private/www_mydomain_de.pem : The operation 
> failed due to an I/O error, Unexpected EOF found, 
> error:0200100D:lib(2):func(1):reason(13), 
> error:20074002:lib(32):func(116):reason(2), 
> error:140DC002:lib(20):func(220):reason(2)
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: incorrect SSL/TLS 
> private key password or SSL/TLS certificate/privatekey 
> mismatch/etc/ssl/private/www_ mydomain _de.pem : A protocol or library 
> failure occurred, error:140A80B1:lib(20):func(168):reason(177)
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to initialize 
> SSL/TLS library
>  
> What does it mean? Why can’t the certificate be used by Spamdyke? The server 
> is running Debian with openssl 0.9.8o-4squeeze1 installed.
>  
> The default qmail certificate /var/qmail/control/servercert.pem can be used 
> by Spamdyke without any errors.
>  
> I already gave my pem file the reading permissions for vpopmail user which is 
> running tcpserver that starts spamdyke.
>  
> Can the problem be caused by the fact that my SSL certificate needs 
> intermediate certificates to be assumed as trustful by clients? How can I 
> tell the Spamdyke to use an intermediary ca-bundle file? (In CourierSSL it is 
> done with TLS_TRUSTCERTS=/etc/ssl/private/www_mydomain_de.ca-bundle 
> directive).
>  
> Thanks Alex
>  
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
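
The checklist in the reply above, as an added example that is not part of the original thread and is not spamdyke code: a Python function (the name `diagnose_pem` is hypothetical) that checks a combined certificate and key PEM file structurally for each listed cause. It assumes it is run as the same user that runs spamdyke, and it does not test whether the key matches the certificate.

```python
import base64, os, re, sys

# One complete PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def diagnose_pem(path):
    """Return findings for a PEM file meant to hold a certificate and its key."""
    if not os.path.isfile(path):
        return ["missing: file not found (check the path for typos)"]
    if not os.access(path, os.R_OK):  # checks the *current* user only
        return ["unreadable: permission problem for this user"]
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    begins = len(re.findall(r"-----BEGIN [A-Z0-9 ]+-----", text))
    if begins == 0:
        return ["not PEM: no BEGIN marker found (DER or another format?)"]
    blocks = PEM_BLOCK.findall(text)
    findings = []
    if begins != len(blocks):
        findings.append("truncated: a BEGIN marker has no matching END marker")
    labels = []
    for label, body in blocks:
        labels.append(label)
        lines = body.splitlines()
        # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" header lines;
        # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        b64 = "".join(l.strip() for l in lines if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            findings.append(f"corrupt: {label} block is not valid base64")
        if encrypted:
            findings.append("encrypted key: a password is required to load it")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate: file has no CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        findings.append("no private key: the key may be stored in another file")
    return findings or ["ok: certificate and unencrypted private key present"]

if __name__ == "__main__" and len(sys.argv) > 1:
    print("\n".join(diagnose_pem(sys.argv[1])))
```
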
