Hmmm.  That error message is more helpful -- Google returns results that make 
it look like OpenSSL does need all the certificates in the CA chain.  I found 
these two links that seem to be outlining solutions to your problem, although 
neither of them deals with spamdyke specifically:

http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

http://totalrecall.wordpress.com/2008/09/01/alpine-tls-unable-to-get-local-issuer-certificate/

You might try saving your CA certificate in PEM format and appending it to the 
end of your own certificate file -- that way OpenSSL would have everything it 
needs in one file.

-- Sam Clippinger
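
The single-file layout suggested above, as an added example that is not part of the original thread or of spamdyke: it checks a combined PEM for a key/certificate match and for the issuer being present in the same file. The throwaway CA, the host name `www.example.test`, and all file and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The throwaway CA, host name and file names are constructed.

# True if the first certificate and the private key in $1 share a public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the first certificate in $1 verifies when the certificates found
# in that same file are supplied to "openssl verify" as the CA file.
chain_in_file() {
  certs=$(mktemp) || return 1
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" > "$certs"
  openssl verify -CAfile "$certs" "$1" 2>&1 | grep -q ': OK$'
  rc=$?; rm -f "$certs"; return "$rc"
}

# Concatenate PEM files $2.. into $1, created readable by the owner only.
combine_pem() {
  out=$1; shift
  ( umask 077; cat "$@" > "$out" )
}

# Create a constructed root CA and a leaf certificate signed by it in $1.
make_demo_pki() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
    '[dn]' 'CN=unused' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/demo.cnf"
  openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Demo CA' -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.test' -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 2 -days 1 -out "$1/leaf.crt" 2>/dev/null
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
combine_pem "$d/nochain.pem" "$d/leaf.crt" "$d/leaf.key"              # cert + key only
combine_pem "$d/server.pem"  "$d/leaf.crt" "$d/leaf.key" "$d/ca.pem"  # CA appended
combine_pem "$d/wrongkey.pem" "$d/leaf.crt" "$d/ca.key"               # mismatched key
for f in nochain server wrongkey; do
  key_matches_cert "$d/$f.pem" && k=match || k=MISMATCH
  chain_in_file "$d/$f.pem" && c=complete || c="issuer missing"
  echo "$f.pem: key $k, chain $c"
done
```

The two checks are independent: a file can pass the key match and still fail `openssl verify` until the issuing CA certificate is appended after the server certificate.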

On Aug 19, 2011, at 1:35 PM, Alex S. wrote:

> The filename is correct and I even tried to give the same permissions as on 
> /var/qmail/control/servercert.pem.
>  
> Yes, the PEM file contains both the certificate and unprotected private key. 
> As I mentioned no problems with Courierssl.
>  
> If I verify the PEM file with openssl I get this:
>  
> # openssl verify /etc/ssl/private/www_mydomain_de.pem
> /etc/ssl/private/www_ mydomain _de.pem: /OU=Domain Control 
> Validated/OU=PositiveSSL/CN=www. mydomain.de
> error 20 at 0 depth lookup:unable to get local issuer certificate
>  
> Any ideas what’s happening?
>  
> Can it be that Spamdyke looks for a certificate with a common name equal to 
> the one specified in /var/qmail/control/me (or other setting) and fails 
> because it doesn’t match?
>  
> Alex
>  
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Sam Clippinger
> Sent: Friday, 19 August 2011 18:11
> To: spamdyke users
> Subject: Re: [spamdyke-users] Unable to load SSL/TLS certificate
>  
> I don't think this is a problem with intermediate CAs, because spamdyke 
> doesn't have to "trust" your certificate as long as it can match the public 
> and private keys.  This is why self-signed certificates work fine with 
> spamdyke.
>  
> The errors you're seeing are originating with OpenSSL and being reported by 
> spamdyke.  I can think of a number of things that might trigger this kind of 
> error:
> - Your certificate file is not present or misnamed (double-check for typos).
> - Your certificate file is not accessible (permission problem).
> - Your certificate file is corrupted or truncated.
> - Your certificate file is not in PEM format.
> - Your certificate file only contains your public key; your private key is 
>   stored in another file.
> - Your private key is password protected and spamdyke doesn't have the 
>   password.
>  
> Can you use the "openssl" command line tool to inspect your certificate file? 
>  If "openssl" can read it, spamdyke should be able to.
>  
> -- Sam Clippinger
>  
> On Aug 15, 2011, at 2:39 PM, Alex S. wrote:
> 
> 
> Hello,
>  
> I'm trying to set up a proper SSL certificate for TLS/SSL encryption with 
> Spamdyke 4.2.0. So I set it up in /etc/spamdyke.conf:
>  
> tls-certificate-file=/etc/ssl/private/www_mydomain_de.pem
>  
> The pem file contains both private key and certificate and is already 
> successfully used in CourierSSL.
>  
> Spamdyke complains in the qmail logfile:
>  
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to load SSL/TLS 
> certificate from file: /etc/ssl/private/www_mydomain_de.pem : The operation 
> failed due to an I/O error, Unexpected EOF found, 
> error:0200100D:lib(2):func(1):reason(13), 
> error:20074002:lib(32):func(116):reason(2), 
> error:140DC002:lib(20):func(220):reason(2)
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: incorrect SSL/TLS 
> private key password or SSL/TLS certificate/privatekey 
> mismatch/etc/ssl/private/www_ mydomain _de.pem : A protocol or library 
> failure occurred, error:140A80B1:lib(20):func(168):reason(177)
> 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to initialize 
> SSL/TLS library
>  
> What does it mean? Why can’t the certificate be used by Spamdyke? The server 
> is running Debian with openssl 0.9.8o-4squeeze1 installed.
>  
> The default qmail certificate /var/qmail/control/servercert.pem can be used 
> by Spamdyke without any errors.
>  
> I already gave my pem file the reading permissions for vpopmail user which is 
> running tcpserver that starts spamdyke.
>  
> Can the problem be caused by the fact that my SSL certificate needs 
> intermediate certificates to be assumed as trustful by clients? How can I 
> tell the Spamdyke to use an intermediary ca-bundle file? (In CourierSSL it is 
> done with TLS_TRUSTCERTS=/etc/ssl/private/www_mydomain_de.ca-bundle 
> directive).
>  
> Thanks Alex
>  
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users