[Exim] Exim - Problem with certyficate

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: SWS
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: [Exim] Exim - Problem with certyficate
Hi !

This is my second big problem with exim. I'am including support TLS/SSL
in my Makefile before compilation.

I generated CA certificate (openssl):

#> cd /usr/local/ssl
#> echo 01 > serial
#> touch index.txt
#> openssl req -new -x509 -keyout private/cakey.pem -out \
certs/cacert.pem -config openssl.cnf

and converted it for IE:

#> openssl x509 -in certs/cacert.pem -outform der -out \
certs/cacert.der

#> chown root:root certs/* private/*
#> chmod 400 private/cakey.pem

Then I generated exim certificate:

#> openssl req -new -nodes -keyout newkey.pem -out newreq.pem \
-days 365 -config openssl.cnf

#> cat newreq.pem newkey.pem > new.pem

#> openssl ca -policy policy_anything -out newcert.pem -config \
openssl.cnf -infiles new.pem

#> cat newcert.pem certs/cacert.pem > exim-cert.pem
#> chown root:root exim-cert.pem
#> mv exim-cert.pem /usr/local/etc/exim
#> chown root:root newkey.pem
#> chmod 400 newkey.pem
#> mv newkey.pem /usr/local/etc/exim/exim-key.pem

I wrote CN as host.damain.pl (full name of my server) in CA and
exim certiticate.

In exim.conf I included the following setings:

# TLS/SSL connetions

tls_host_accept_relay = *
auth_over_tls_hosts = *
tls_hosts = *
tls_certificate = /usr/local/etc/exim/exim-cert.pem
tls_privatekey = /usr/local/etc/exim/exim-key.pem

I loaded CA certificate in netscape on workstation from my
server (perl scripts - loadCAcert.pl). Operation finished
succesfuly. I started exim daemon with debug level 10.
When I want to send message from workstation via my server
I got info in netscape:

"The certificate is not approved for the attempted
aplication."

and from console:

SMTP<< STARTTLS
using tls_certificate /usr/local/etc/exim/exim-cert.pem
using tls_privatekey /usr/local/etc/exim/exim-key.pem
Initialised TLS (OpenSSL/0.9.6beta)
host in tls_verify_hosts? no (option unset)
SMTP>> 220 OpenSSL/0.9.6beta go ahead

Calling SSL_accept
SSL info: before/accept initialization
SSL info: before/accept initialization
SSL info: SSLv3 read client hello A
SSL info: SSLv3 write server hello A
SSL info: SSLv3 write certificate A
SSL info: SSLv3 write server done A
SSL info: SSLv3 flush data
SSL info: SSLv3 read client certificate A
SSL info: SSLv3 read client certificate A
LOG: 0 MAIN
TLS error on connection from xxx.domain.pl (host.domain.pl)
[212.14.5.140] (SSL_accept): error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
TLS failed to start

I have a short, simple question. How can I create good CA and
exim certificate ?

Thank you for help.

Mary Christmas for all :)

Slawek