Ping a Specific Port

Question

abr_stackoverflow

Asked: 2016-08-20 02:39:06 +0800 CST2016-08-20 02:39:06 +0800 CST 2016-08-20 02:39:06 +0800 CST

Why exim reads certificate and key from the same file?

772

I configured SSL by adding these strings to 01_exim4-config_listmacrosdefs. I use split configuration

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = /etc/exim4/example.com.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/example.com.key

So after restarting, connecting to port 465, typing EHLO and STARTTLS I got this: 454 TLS currently unavailable

In the log I have this:

13:29:36 10872 SMTP<< STARTTLS
13:29:36 10872 initialising GnuTLS as a server
13:29:36 10872 GnuTLS global init required.
13:29:36 10872 initialising GnuTLS server session
13:29:36 10872 Expanding various TLS configuration options for session credentials.
13:29:36 10872 certificate file = /etc/exim4/example.com.crt
13:29:36 10872 key file = /etc/exim4/example.com.crt
13:29:36 10872 LOG: MAIN
13:29:36 10872   TLS error on connection from (192.168.1.111) [91.210.44.50] (cert/key setup: cert=/etc/exim4/example.com.crt key=/etc/exim4/example.com.crt): Error in parsing.

Why does exim use the same file both for certificate and key? How to fix?

2 Answers

Voted

abr_stackoverflow · Answer 1 · 2016-08-20T02:50:18+08:00

Best Answer

abr_stackoverflow

2016-08-20T02:50:18+08:002016-08-20T02:50:18+08:00

I should have used MAIN_TLS_CERTIFICATE instead of MAIN_TLS_CERTKEY.

4

Capricorn1 · Answer 2 · 2019-01-20T14:32:57+08:00

@chicks I'd upvote if serverfault would let me.

Still snagging people (i.e., me over two years later).

Technically, the comments in conf.d/main/03_exim4-config_tlsoptions say that if you have the certificate and key in the same file, then use MAIN_TLS_CERTKEY. That's bad practice but allowed.

#   MAIN_TLS_CERTIFICATE - path to certificate file,
#                          CONFDIR/exim.crt if unset
#   MAIN_TLS_PRIVATEKEY  - path to private key file
#                          CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.

I glossed over that and went straight to the ifdef statements. The first of those is:

.ifdef MAIN_TLS_CERTKEY

and I completely missed the .else part:

.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

TL;DR: Yes, set MAIN_TLS_CERTIFICATE rather than MAIN_TLS_CERTKEY.

Why exim reads certificate and key from the same file?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?