Re: [Exim] TLS error message

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MKirill Miazine at <-
MPhilip Hazel at ->
Delete this message
Reply to this message
Author: Andy Mell
Date:  
To: exim-users
Subject: Re: [Exim] TLS error message
Kirill Miazine <km@???> wrote:

>> configure says:
>>
>> tls_certificate = smtp.crt
>> tls_privatekey = smtp.key
>> tls_advertise_hosts = *
>>
>> smtp.crt and smtp.key are located in /usr/local/ssl/certs?
>
> Use full path in tls_certificate and tls_privatekey.

Might seem obvious to you, but the documentation I was reading implied
that certificates were picked up from /usr/local/ssl/certs by default and
the full path was not required.

This TLS/SSL really isnt documented very well is it. Security by
obscurity indeed...

The next problem I had was when STARTTLS was sent, the server asked for
the PEM Passphrase, which broke the SMTP dialogue somewhat. Nowhere does
it say in any docs that the private key has to be unencrypted... Most
recommend that it is encrypted. Once that was fixed it worked.

The next problem I had was certificate chains to establish trust to the
root CA did not work. I established that each certificate must have one
line in between each begin and end statement, and they need to be in the
right order, server certificate first, root CA last. The line between
each certificate in the chain wasnt documented anywhere.

Hope those gotchas are useful to someone else.

All going ok now....

Regards

Andy



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [Exim] local users and virtual domains setup suggestions pleaseRe: [Exim] TLS error message->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)