Re: [exim] Can't read SSL key/cert, how to debug?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Yves Goergen
Date:  
À: Evgeniy Berdnikov, exim-users
Sujet: Re: [exim] Can't read SSL key/cert, how to debug?
Am 21.12.2014 um 20:03 schrieb Evgeniy Berdnikov:
> The first step in debugging should be cleaning up the configuration.
> If you have doubts, separate your private key and certificates,
> placing them into different files.


Done that. Certificate with chain and key are now in two separate files.
Same log output.

> Then, check permissions. In my nearest host with Ubuntu-12.04.5
> the /etc/ssl/private directory can be read by root only.
> Are use sure the MAIN_HOST file is readable for Exim?


Yes, I am sure.

> Debug options should be *added* to others, for example, run exim as daemon:
>
> /usr/sbin/exim4 -bd -q1m -d-all+tls
>
> Then try to connect and look into the log.


Here's what I got:

> 3654 Connection request from 2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb port 51260
> 3654 1 SMTP accept process running
> 3654 Listening...
> 3658 Process 3658 is handling incoming connection from [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]
> 3658 LOG: host_lookup_failed MAIN
> 3658 no host name found for IP address 2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb
> 3658 Process 3658 is ready for new message
> 3658 initialising GnuTLS as a server
> 3658 GnuTLS global init required.
> 3658 initialising GnuTLS server session
> 3658 Expanding various TLS configuration options for session credentials.
> 3658 certificate file = /etc/ssl/private/xxxx.de
> 3658 key file = /etc/ssl/private/xxxx.de
> 3658 TLS: cert/key registered
> 3658 TLS: tls_verify_certificates not set or empty, ignoring
> 3658 Initialising GnuTLS server params.
> 3658 Loading default hard-coded DH params
> 3658 Loaded fixed standard D-H parameters
> 3658 GnuTLS using default session cipher/priority "NORMAL"
> 3658 TLS: a client certificate will not be requested.
> 3658 Received TLS SNI "xxxx.de" (unused for certificate selection)
> 3658 LOG: MAIN
> 3658 TLS error on connection from ([IPv6:2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]) [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb] (gnutls_handshake): Could not negotiate a supported cipher suite.
> 3658 TLS failed to start
> 3658 LOG: smtp_connection MAIN
> 3658 SMTP connection from ([IPv6:2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb]) [2001:a60:1027:xxxx:745c:6dcf:3ae9:71cb] closed by EOF
> 3654 child 3658 ended: status=0x0
> 3654 normal exit, 0
> 3654 0 SMTP accept processes now running
> 3654 Listening...


I understand it like the cert file could be read but anything else went
wrong, but no details are shown about it.

--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de