[exim] Error while reading cert or key file

Author: Adrian
Date:  
To: exim-users
Subject: [exim] Error while reading cert or key file
I'm setting up exim4 on a new server, to be as similar as possible to
an existing server where exim4 works well. Both are running Debian
buster with split config files.

I'm getting the following error in the mainlog
TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
(cert/key setup:
cert=/etc/letsencrypt/live/example.com/fullchain.pem
key=/etc/exim4/privkey.pem): Error while reading file.

The cert file path is a symlink to the actual file
in /etc/letsencrypt which is world-readable.

The key file is /etc/exim4/privkey.pem which is a COPY of the live
one in /etc/letsencrypt. When the key is renewed by certbot a script
recreates the copy in /etc/exim4 and runs the following script

chgrp Debian-exim /etc/exim4/privkey.pem
setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
# setfacl -m g:Debian-exim:x /etc/exim4 seems not needed for this dir
systemctl restart dovecot

This is the output of getfacl and ls -l and is the same for the existing
and the new server.

getfacl privkey.pem
# file: privkey.pem
# owner: root
# group: Debian-exim
user::rw-
group::r--
group:Debian-exim:r--
mask::r--
other::---

ls -l privkey.pem
-rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem

The existing server works, the new server can't do TLS and reports
'Error while reading file'.

Exim4 is running as user Debian-exim. I've tried setting initgroups = true.

Is there a way to increase debug verbosity? E.g. so that exim4
confirms which file it can't read, the cert or the key file.

... or anything else, even brief relaxation of permissions, that might
help identify where the problem lies.

I have to confess now that I don't generally understand the answers
here. Please would you explain in terms that tell me the commands
to issue, and what to add or change in which files. Thanks!
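The error message above does not say which of the two files Exim failed to open, and a file that is itself readable can still fail to open when one of its parent directories lacks the x (traverse) bit for the service account. The following added diagnostic script (not part of the original post or of Exim) answers both questions from the shell: it resolves symlinks such as the ones certbot keeps under live/, lists owner, group and mode for every directory from / down to the real file, and then tries to traverse and read each component as the given user. The user name, paths and the `runuser`/`sudo` fallback are assumptions for this example; the walk needs root to switch user, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Diagnostic for "TLS error ... (cert/key setup ...): Error while reading file".
# Usage (as root):  sh checkcert.sh Debian-exim /etc/letsencrypt/live/example.com/fullchain.pem /etc/exim4/privkey.pem
# Added example; the user name and paths above are assumed, not taken from any project.

# Print every path component from / down to the real (symlink-resolved) file,
# one per line, so each directory's traverse bit can be inspected.
chain_of() {
    real=$(readlink -f "$1")
    p=$real
    out=$real
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        out="$p
$out"
    done
    printf '%s\n' "$out"
}

# Show mode, owner, group and name of each component; a directory without
# x for the service account is the usual cause of an unreadable key.
list_chain() {
    for p in $(chain_of "$1"); do
        stat -c '%A %U %G %n' "$p"
    done
}

# Run a command as $user. When $user is the current user, run it directly
# (this is what lets the function be exercised without root); otherwise use
# runuser (util-linux) or sudo, both of which require root privileges.
as_user() {
    user=$1; shift
    if [ "$user" = "$(id -un)" ]; then
        "$@"
    elif command -v runuser >/dev/null 2>&1; then
        runuser -u "$user" -- "$@"
    else
        sudo -u "$user" -- "$@"
    fi
}

# Walk the chain as $user and report the first component that blocks access:
# directories need x, the final file needs r. Prints nothing and returns 0
# when the whole chain is accessible, so the file would open for that user.
first_blocker() {
    who=$1
    for p in $(chain_of "$2"); do
        if [ -d "$p" ]; then
            as_user "$who" test -x "$p" || { echo "cannot traverse: $p"; return 1; }
        else
            as_user "$who" test -r "$p" || { echo "cannot read: $p"; return 1; }
        fi
    done
    return 0
}

# Entry point: only runs when invoked with a user and at least one path.
if [ "$#" -ge 2 ]; then
    svc=$1; shift
    for f in "$@"; do
        echo "== $f -> $(readlink -f "$f")"
        list_chain "$f"
        if first_blocker "$svc" "$f"; then
            echo "OK: $svc can read $f"
        fi
    done
fi
```

Running it on both servers and comparing the two listings usually shows the differing component directly. Exim's own debug output is the other source of detail: starting a test run with `exim -d+tls` (the `tls` debug selector of Exim's `-d` option) prints the TLS setup steps, including which file it is opening when the failure occurs.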