Hi,
Adrian Zaugg via Exim-users <exim-users@???> (Fr 01 Jun 2018 02:05:04 CEST):
>
> I try to set tls_certificate and tls_privatekey in remote smtp transport
> in order to instruct exim to present a client certificate on a
> connection made to another server. I get an error saying:
>
> 2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
> ts6.checktls.com [104.131.23.181] (cert/key setup:
> cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
> key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
> reading file.
…
> I tried as user Debian-exim to cat both files which worked. I tried to
Did you try to cat the full path with a working directory of '/':

    cd /
    sudo -u Debian-exim cat /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem

? I guess you've got restrictions on some directory on the way down to the
file Exim needs to read. All directories need to have at least the x
permission for the Exim runtime user (Debian-exim in your case).
> reference a copy in /etc/exim4 which made the error go away, but remote
> servers do not get to see my client cert – at least this is what
> checktls.com Test Sender TLS reports:
…
We are at 4.91; I'm not sure if Devuan backports the security
fixes. Please check.
>
> What am I missing?
The certificate/key you use as a server are configured in the
main options tls_certificate and tls_privatekey. These options _do not
apply_ to the transport, where Exim acts as a client.

To have Exim use a cert as a client, you need to set the transport
options (having the same names):

    begin transports

    remote_smtp:
      driver = smtp
      tls_certificate = …
      tls_privatekey = …
PS: I do not know if and how your ACME client supports "hooks", actions
that are executed after getting a fresh certificate. I use "dehydrated"
as ACME client and do the following:

[once at setup]

    mkdir /var/lib/exim4
    touch /var/lib/exim4/ssl.pem
    chown Debian-exim: /var/lib/exim4/ssl.pem

[hook, executed after getting the cert]

    cat privkey.pem fullchain.pem > /var/lib/exim4/ssl.pem

Yes, just into one file. Read the docs about tls_certificate and
tls_privatekey: the latter does not need to be set if the file referenced
by tls_certificate contains both the key and the cert (the order does not
matter).

And there is no need to restart/reload Exim, as the certs are accessed on
demand.
HTH.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
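The two practical points in the mail above (find the directory on the way to
the key that the Exim user cannot traverse, and assemble key + full chain into
one file Exim can read) as an added POSIX sh example. This is not code from
the mail, from Exim or from dehydrated; the function names, the sample paths
and the owner argument are assumptions. check_path_x only looks at the
"others" execute bit, on the assumption that the Exim runtime user is neither
owner nor group member of /etc/ssl/... directories, which is the usual case.
install_exim_pem is written as a deploy hook: it writes the combined PEM
with mode 0600 to a temporary file and renames it into place, so Exim, which
opens the file on demand, never reads a half-written one.

```shell
#!/bin/sh
# Added example, not from the original mail or from dehydrated/Exim.
set -u

# check_path_x FILE
# Walk from FILE's directory up to / and print every directory whose mode
# lacks the execute (search) bit for "others". Returns 1 if any such
# directory exists, 0 if all can be traversed, 2 if FILE is not absolute.
# Heuristic: assumes the Exim runtime user owns none of these directories.
check_path_x() {
    case $1 in
        /*) ;;
        *)  echo "check_path_x: need an absolute path" >&2; return 2 ;;
    esac
    dir=$(dirname "$1")
    rc=0
    while :; do
        # "drwxr-x---": the 10th character is the execute bit for others
        # ('x', or 't' for sticky+execute); 'cut' drops ACL/SELinux markers.
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            *[xt]) ;;
            *) printf 'no x for others: %s (%s)\n' "$dir" "$mode"; rc=1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# install_exim_pem KEY CHAIN DEST [OWNER]
# Concatenate KEY and CHAIN (both PEM) into DEST as one file, mode 0600,
# owned by OWNER when given, replacing DEST atomically via rename.
# Returns 1 if an input is unreadable, is not PEM, or writing fails.
install_exim_pem() {
    key=$1; chain=$2; dest=$3; owner=${4:-}
    for f in "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        grep -q '^-----BEGIN ' "$f" || { echo "not PEM: $f" >&2; return 1; }
    done
    tmp="$dest.tmp.$$"
    # umask in a subshell so the temp file is never world/group readable,
    # even for an instant, and the caller's umask is left alone.
    ( umask 077; cat "$key" "$chain" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# Typical use from an ACME deploy hook (paths and user are assumptions):
#   check_path_x /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem
#   install_exim_pem /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem \
#                    /etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem \
#                    /var/lib/exim4/ssl.pem Debian-exim
```

Run check_path_x once as root when Exim reports "Error while reading file":
each printed directory is one where a `chmod o+x` (or a group grant) is
needed, with the directory itself left unreadable if you wish, since only the
search bit is required to reach the file. The combined file written by
install_exim_pem is what you point the transport's tls_certificate at;
tls_privatekey can then stay unset, as the mail notes.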