[exim] tls_certificate weirdness

Góra strony
Delete this message
Reply to this message
Autor: Phillip Carroll
Data:  
Dla: exim-users
Temat: [exim] tls_certificate weirdness
I am running exim 4.84 on CENTOS 7, with several web domains on the same
server. I recently converted all domains on the server to use TLS for
all web traffic, regardless of content, using a common Letsencrypt
issued certificate. Everything is on a single server, with a single IP.

Because the MX domain matches one of the web domains, it seemed logical
to reconfigure exim to use the new cert for TLS. However, I cannot get
exim to use the new cert "in situ" because of a permissions issue.

For those unfamiliar with letsencrypt:

The Letsencrypt "certbot" script installs certificate files and key
files (in Centos at least) using the following symlinks:
/etc/letsencrypt/live/<domain>/cert.pem
/etc/letsencrypt/live/<domain>/chain.pem
/etc/letsencrypt/live/<domain>/fullchain.pem (cert+chain)
/etc/letsencrypt/live/<domain>/privkey.pem
(where <domain> is the principal domain of the certificate)

The actual files are stored at:
/etc/letsencrypt/archive/<domain>/cert<n>.pem
Where <n> is a serial that indicates the nth renewal.

All directories on both paths are root owned, with 777 permissions, as
are the symlinks. The cert and chain files are also root owned and world
readable with 644 permissions.

If I use:
tls_certificate = /etc/letsencrypt/live/<domain>/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/<domain>/privkey.pem

The result for a client host using STARTTLS is:
TLS error on connection ...
(SSL_CTX_use_certificate_chain_file file=<path>):
error:0200100D:system library:fopen:Permission denied

Given that the certificate and all paths are world-readable shouldn't
exim be able to read it? If I switch back to the self-signed files that
were generated by an exim startup script, all is well. The difference
appears to be that those files are owned by the user "exim".

Am I missing some configuration option to tell exim to follow symlinks,
or is it required that exim own the file specified in the
tls_certificate option? Or is this some other kind of error?

- Phil Carroll