The filename is correct and I even tried to give the same permissions as on /var/qmail/control/servercert.pem.
Yes, the PEM file contains both the certificate and the unprotected private key. As I mentioned, no problems with CourierSSL. If I verify the PEM file with openssl I get this:

# openssl verify /etc/ssl/private/www_mydomain_de.pem
/etc/ssl/private/www_ mydomain _de.pem: /OU=Domain Control Validated/OU=PositiveSSL/CN=www. mydomain.de
error 20 at 0 depth lookup:unable to get local issuer certificate

Any ideas what's happening? Can it be that Spamdyke looks for a certificate with a common name equal to the one specified in /var/qmail/control/me (or another setting) and fails because it doesn't match?

Alex

From: [email protected] [mailto:[email protected]] On Behalf Of Sam Clippinger
Sent: Freitag, 19. August 2011 18:11
To: spamdyke users
Subject: Re: [spamdyke-users] Unable to load SSL/TLS certificate

I don't think this is a problem with intermediate CAs, because spamdyke doesn't have to "trust" your certificate as long as it can match the public and private keys. This is why self-signed certificates work fine with spamdyke.

The errors you're seeing are originating with OpenSSL and being reported by spamdyke. I can think of a number of things that might trigger this kind of error:

- Your certificate file is not present or misnamed (double-check for typos).
- Your certificate file is not accessible (permission problem).
- Your certificate file is corrupted or truncated.
- Your certificate file is not in PEM format.
- Your certificate file only contains your public key; your private key is stored in another file.
- Your private key is password protected and spamdyke doesn't have the password.

Can you use the "openssl" command line tool to inspect your certificate file? If "openssl" can read it, spamdyke should be able to.

-- Sam Clippinger

On Aug 15, 2011, at 2:39 PM, Alex S. wrote:

Hello,

I'm trying to set up a proper SSL certificate for TLS/SSL encryption with Spamdyke 4.2.0. So I set it up in /etc/spamdyke.conf:

tls-certificate-file=/etc/ssl/private/www_mydomain_de.pem

The pem file contains both the private key and the certificate and is already successfully used in CourierSSL. Spamdyke complains in the qmail logfile:

2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to load SSL/TLS certificate from file: /etc/ssl/private/www_mydomain_de.pem : The operation failed due to an I/O error, Unexpected EOF found, error:0200100D:lib(2):func(1):reason(13), error:20074002:lib(32):func(116):reason(2), error:140DC002:lib(20):func(220):reason(2)
2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: incorrect SSL/TLS private key password or SSL/TLS certificate/privatekey mismatch/etc/ssl/private/www_ mydomain _de.pem : A protocol or library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to initialize SSL/TLS library

What does it mean? Why can't the certificate be used by Spamdyke? The server is running Debian with openssl 0.9.8o-4squeeze1 installed. The default qmail certificate /var/qmail/control/servercert.pem can be used by Spamdyke without any errors. I already gave my pem file read permissions for the vpopmail user, which is running the tcpserver that starts spamdyke.

Can the problem be caused by the fact that my SSL certificate needs intermediate certificates to be assumed as trustful by clients? How can I tell Spamdyke to use an intermediary ca-bundle file? (In CourierSSL it is done with the TLS_TRUSTCERTS=/etc/ssl/private/www_mydomain_de.ca-bundle directive.)

Thanks
Alex

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
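
Added example (not part of the thread and not spamdyke's own code): a structural check of a combined certificate-plus-key PEM file against the failure causes listed in the reply above. The function names and the sample data are constructed for illustration; the check does not verify that the certificate and private key match each other.

```python
import base64
import os
import re

# Matches one complete PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def diagnose_pem_text(text):
    """Return structural findings for a combined cert+key PEM; [] means none."""
    begins = text.count("-----BEGIN ")
    if begins == 0:
        return ["not PEM: no BEGIN line found"]
    blocks = PEM_BLOCK.findall(text)
    findings = []
    if begins != len(blocks):
        findings.append("truncated or corrupted: BEGIN without matching END")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no complete CERTIFICATE block")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        findings.append("no complete private key block (key in another file?)")
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is password protected")
    for label, body in blocks:
        # Drop RFC 1421 header lines (legacy encrypted keys) before decoding.
        payload = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            findings.append(f"{label} block is not valid base64")
    return findings

def diagnose_pem_file(path):
    """Run as the account that starts spamdyke so the access check is meaningful."""
    if not os.path.isfile(path):
        return ["file not present or misnamed"]
    if not os.access(path, os.R_OK):
        return ["file not readable by this user"]
    with open(path, "r", errors="replace") as fh:
        return diagnose_pem_text(fh.read())

# Constructed sample data: placeholder bytes, not a real certificate or key.
_B64 = base64.b64encode(b"constructed placeholder, not real key material").decode()

def sample_pem(label, body=_B64):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(diagnose_pem_text(sample_pem("CERTIFICATE")))
```

An empty result only means the file has the expected shape; OpenSSL can still reject it if the key does not belong to the certificate.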
