Re: [exim] Exim Retaining Non-Existent SSL Certificates

Author: Phil Pennock
Date:  
To: Graham Christensen
CC: exim-users
Subject: Re: [exim] Exim Retaining Non-Existent SSL Certificates
On 2008-03-27 at 17:58 -0400, Graham Christensen wrote:
> I installed Exim4 right about a year ago on Etch. About a month or two
> after that I set up SSL on outgoing mail, and accidentally set it up with
> an incorrect certificate with the wrong Common Name in the certificate.
> I've replaced the certificate with a correct one, but Exim still seems
> to "remember" that old certificate.
>
> When I run `exim -bP tls_certificate` it outputs the correct
> certificate, and when I run `openssl x509 -in
> /path/to/the/certificate.crt -noout -text` it works just fine.
>
> The problem comes when I actually try to send an email - it gets the old
> certificate with the old, incorrect CN.

Which bit of communication is this with? Do you mean Exim sending
server-to-server using a client certificate? If so, that's the
tls_certificate option on the smtp transport, not the global
tls_certificate option. Use:
exim -bP transport remote_smtp | grep '^tls_certificate'

If you mean, when you try to submit the mail to the Exim server, then
you're looking at the possibility that the client has cached the server
certificate, rather than the server returning the old certificate. I've
seen various clients cache excessively, to the point of returning
incorrect old data, when you have two certificates with the same issuer
and the same serial number -- replacing a cert whilst keeping the same
(issuer,serial) pair is a mistake; if getting a new cert isn't an
option, then on every client you'll need to delete the cert, shut down
the client completely, then start the client and try to load in the new
cert.

-Phil
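As an added illustration of the (issuer, serial) point above, not code from the thread or from Exim: a stdlib-only Python check that reads the old and new certificate files (PEM or DER), extracts issuer and serial number, and flags a replacement that keeps the same pair. The DER walker assumes the standard X.509 field order (optional [0] version, serialNumber, signature algorithm, issuer).

```python
import base64
import re
import sys


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def load_der(data):
    """Accept PEM or DER certificate bytes and return the DER encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                         data, re.S).group(1)
        return base64.b64decode(b"".join(body.split()))
    return data


def cert_identity(data):
    """Return (issuer Name contents as hex, serial number) for an X.509 certificate."""
    _, cert, _ = _tlv(load_der(data), 0)    # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]             # tbsCertificate is its first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)  # serialNumber INTEGER
    issuer = fields[2][1]                   # fields[1] is the signature AlgorithmIdentifier
    return issuer.hex(), serial


def reuses_identity(old, new):
    """True when the replacement keeps the old (issuer, serial) pair, which clients may cache."""
    return cert_identity(old) == cert_identity(new)


if __name__ == "__main__":
    old, new = (open(p, "rb").read() for p in sys.argv[1:3])
    print("same (issuer, serial): reissue with a fresh serial" if reuses_identity(old, new)
          else "identities differ")
```

Run it as `python check_cert.py old.crt new.crt`; the file name and argument order are this example's own convention.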