Re: [exim] Can't read SSL key/cert, how to debug?

Top Page
Delete this message
Reply to this message
Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] Can't read SSL key/cert, how to debug?
On Sat, Dec 20, 2014 at 09:05:02PM +0100, Yves Goergen wrote:
> Am 20.12.2014 um 20:20 schrieb Evgeniy Berdnikov:
> > Did you play with ssl/tls options? Did you restrict list of ciphers?
>
> Not that I'm aware of. This is what I have about TLS in my config:
>
> >MAIN_HOST    = example.com
> >tls_advertise_hosts = *
> >tls_certificate = /etc/ssl/private/MAIN_HOST
> >tls_privatekey = /etc/ssl/private/MAIN_HOST
> >tls_on_connect_ports = 465

>
> The file /etc/ssl/private/example.com contains the private key, then the
> host certificate and then all chained certificates. This works for all other
> services using that file (apache, dovecot, proftpd, prosody).


The first step in debugging should be cleaning up the configuration.
If you have doubts, separate your private key and certificates,
placing them into different files.

Then, check permissions. In my nearest host with Ubuntu-12.04.5
the /etc/ssl/private directory can be read by root only.
Are use sure the MAIN_HOST file is readable for Exim?

> Am 20.12.2014 um 20:20 schrieb Evgeniy Berdnikov:
> > Try to run exim with debugging options, -d-all+tls first.
>
> It prints some text and then ends. No port is opened afterwards, so I guess
> it didn't continue in the background or somehwere. Is this expected?


Debug options should be *added* to others, for example, run exim as daemon:

/usr/sbin/exim4 -bd -q1m -d-all+tls

Then try to connect and look into the log.
--
Eugene Berdnikov