[exim] Example on how to make working self signed cert with …

Inizio della pagina
Delete this message
Reply to this message
Autore: Marc MERLIN
Data:  
To: exim-users
Oggetto: [exim] Example on how to make working self signed cert with GnuTLS and exim 4.80?
I was doing fine with openssl, but since I've switched to GnuTLS with
exim4, I just never got it to work for server certs.

In my previously working exim4.conf (for TLS with openssl), I have:
CERTNAME=/etc/exim4/exim.crt
KEYNAME=/etc/exim4/exim.key

I get offered TLS, but it's rejected with:
13:32:57 27723 SMTP<< STARTTLS
13:32:57 27723 using ACL "check_tls"
13:32:57 27723 processing "accept"
13:32:57 27723 accept: condition test succeeded in ACL "check_tls"
13:32:57 27723 initialising GnuTLS as a server
13:32:57 27723 GnuTLS global init required.
13:32:57 27723 initialising GnuTLS server session
13:32:57 27723 Expanding various TLS configuration options for session credentials.
13:32:57 27723 LOG: MAIN
13:32:57 27723 TLS error on connection from bgl93-4-82-235-219-215.fbx.proxad.net (gandalfthegreat.merlins.org) [82.235.219.215]:39034
I=[209.81.13.136]:587 (no TLS server certificate is specified)
13:32:57 27723 SMTP>> 454 TLS currently unavailable


The error message doesn't seem correct since the cert files are specified and present.

I'm going to assume GnuTLS doesn't like them and won't tell me why.

I've tried multiple howtos for making new self signed TLS certs, but none have
generated a working file for exim.

The last one I tried was this:
magic:/etc/exim4# certtool --generate-privkey --outfile exim.key
Generating a 2432 bit RSA private key...
magic:/etc/exim4# certtool --generate-request --load-privkey exim.key --outfile exim.csr
Generating a PKCS #10 certificate request...
Common name: merlins.org
Organizational unit name:
Organization name: Linux Geeks Inc
Locality name: Silicon Valley
State or province name: CA
Country name (2 chars): US
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate: marc_cert@???
Enter a challenge password:
Does the certificate belong to an authority? (y/N): N
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): N
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Is this a TLS web client certificate? (y/N): Y
Is this a TLS web server certificate? (y/N): Y
magic:/etc/exim4# openssl x509 -req -in exim.csr -signkey exim.key -out exim.crt

I've tried earlier recipees to make the key with openssl instead of
certtool, but those didn't seem to work either.

Can someone point me to a currently working way to make a self signed cert with exim4?

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901