[Exim] exim 4.32 (debian), tls temp unavail., certificates f…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Thomas Schorpp
Date:  
À: exim-users
Nouveaux-sujets: [Exim] [CONFIG][PATCH]tls temp unavail., Root CA signed certs need to be PEM bundle, pls update
Sujet: [Exim] exim 4.32 (debian), tls temp unavail., certificates files x509 format?
hi,
dont understand, why this wont run:

and yes i read all av. docs, faqs.

# Defines where your SSL-certificate and SSL-Private Key are located.
# This requires a full path. The files pointed to must be kept 'secret'
# and should be owned my root.Debian-exim mode 640 (-rw-r-----). Usually the
# exim-gencert script takes care of these prerequisites.
#
tls_certificate = /etc/ssl/certs/cacertorg-sddk.cer #crt?
tls_privatekey = /etc/ssl/private/cacertorg-sddk.key

# A file which contains the certificates of the trusted CAs (Certification
# Authorities) against which host certificates can be checked (through the
# `tls_verify_hosts' and `tls_try_verify_hosts' lists below).
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates( command.
#
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

is this depreceated?
- - yes, file access rights are ok ;)

exim430 source code requires pem...
/* Set the certificate and private keys */

if (cert_expanded != NULL)
{
DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
cert_expanded, key_expanded);
rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
CS key_expanded, GNUTLS_X509_FMT_PEM); <---- ONLY ONE PEM file? XXXX
if (rc < 0) return tls_error(US"cert/key setup", host, rc); <--- error i got
}

bundle(?) pem, got keypair

.cer:

- -----BEGIN CERTIFICATE-----
xxxx
- -----END CERTIFICATE-----

.key: (done with $openssl rsa -in x -out y) gave passwd,

- -----BEGIN RSA PRIVATE KEY-----
xxxx
- -----END RSA PRIVATE KEY-----

.pem:

- -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,xxxxxxxxxxxx
xxxxx
- -----END RSA PRIVATE KEY-----
no bundle, only private key in pem

ca is cacert.org avail. inca-certificates.crt , any ideas?

thx