I'm sorry - this unexpected behavior is caused by a wrong configuration
order in the WEB-GUI.
Currently this is:
SSL Certificate File (PEM format) (SSLCertFile)
SSL Key File (PEM format) (SSLKeyFile)
SSL Private Key Password (SSLPKPassword)
SSL Certificate Authority File (SSLCaFile)
If all these parameters are changed to a new set in one step, you'll see
the same behavior as in your case.
All changes in the GUI are processed sequentially (one after the other).
SSLCertFile - fails, because the old key file is still in use
SSLKeyFile - possibly fails, because the old password is still in use
So simply ignore the errors in the log and restart ASSP and everything is
fine.
I'll change the processing order to:
SSL Private Key Password (SSLPKPassword)
SSL Key File (PEM format) (SSLKeyFile)
SSL Certificate Authority File (SSLCaFile)
SSL Certificate File (PEM format) (SSLCertFile)
to prevent this bad behavior in future. In case all parameters are changed
in one step, the same error will be seen in the log after SSLPKPassword
(old key not readable) and SSLKeyFile (cert is invalid) - but after
SSLCertFile is changed, everything is fine.
Thomas
From: "Mark D Montgomery II" <techi...@techiem2.net>
To: "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date: 27.12.2017 01:55
Subject: Re: [Assp-user] Problems getting TLS working
I'm also using the same cert set for postfix itself, and it seems just
fine with it.
----- Message from Mark D Montgomery II <techi...@techiem2.net> ---------
Date: Wed, 27 Dec 2017 00:26:33 +0000
From: Mark D Montgomery II <techi...@techiem2.net>
Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
Subject: Re: [Assp-user] Problems getting TLS working
To: For Users of ASSP <assp-user@lists.sourceforge.net>
> Ok, so it SHOULD work.
>
> In SSL Proxy and TLS Settings:
> DoTLS: do TLS
>
> SSLCertFile: /etc/ssl/froxlor-custom/mydomain_chain.pem
> SSLKeyFile: /etc/ssl/froxlor-custom/mydomain.key
> SSLCAFile: /etc/ssl/froxlor-custom/mydomain_CA.pem
>
> banFailedSSLIP is disabled, everything else is blank or default.
>
> I turned up SSL Debug logging to 3 and restarted:
>
> Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
> Failed to load key from file (no PEM or DER)
> SSL error: 24545: 1 - error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
> SSL error: 24545: 2 - error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
> SSL error: 24545: 3 - error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> SSL error: 24545: 4 - error:04093004:rsa
> routines:OLD_RSA_PRIV_DECODE:RSA lib
> SSL error: 24545: 5 - error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
> SSL error: 24545: 6 - error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> SSL error: 24545: 7 - error:140B000D:SSL
> routines:SSL_CTX_use_PrivateKey_file:ASN1 lib
> Dec-26-17 19:21:34 [init] SSL-DEBUG: .../IO/Socket/SSL.pm:2580:
> global error: Failed to load key from file (no PEM or DER)
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> Dec-26-17 19:21:34 [init] Error: unable to create IPv4 socket to
> 0.0.0.0:1465 - Failed to load key from file (no PEM or DER)
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> Dec-26-17 19:21:34 [init] Error: couldn't create server SSL-socket
> on port '1465' -- maybe another service uses this listener or I'm
> not root (uid=0)? -- or a wrong IP address is defined? --
> Inappropriate ioctl for device
>
>
>
>
> ----- Message from Doug Lytle <supp...@drdos.info> ---------
> Date: Tue, 26 Dec 2017 18:12:47 -0500
> From: Doug Lytle <supp...@drdos.info>
> Reply-To: For Users of ASSP <assp-user@lists.sourceforge.net>
> Subject: Re: [Assp-user] Problems getting TLS working
> To: assp-user@lists.sourceforge.net
>
>
>> On 12/26/2017 05:29 PM, Mark D Montgomery II wrote:
>>> I've added the paths to the chain, ca, and key files, but ASSP
>>> won't accept the key file.
>>
>> Mark,
>>
>> I've got my ASSP setup with LetsEncrypt as well and it's working fine.
>>
>> My chain is the fullchain. Along with my cert and key.
>>
>>
>>
>> Doug
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Assp-user mailing list
>> Assp-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-user
>
>
> ----- End message from Doug Lytle <supp...@drdos.info> -----
>
>
>
> --
> Mark D Montgomery II
> techi...@techiem2.net
> https://www.techiem2.net
>
>
>
----- End message from Mark D Montgomery II <techi...@techiem2.net> -----
--
Mark D Montgomery II
techi...@techiem2.net
https://www.techiem2.net
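
Added example, not part of the original thread and not ASSP code: a structural pre-flight check that looks at the SSLCertFile, SSLKeyFile and SSLPKPassword values together as one set instead of one at a time. The function names and the sample PEM texts are constructed for illustration; the check only inspects PEM armor and does not prove that the key belongs to the certificate.

```python
import re

# PEM armor: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 encrypted keys carry their own label; traditional OpenSSL
        # keys flag encryption with a "Proc-Type: 4,ENCRYPTED" header line.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        found.append((label, encrypted))
    return found

def check_ssl_set(cert_text, key_text, password=""):
    """Check certificate, key and password as one set; return problems."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_text)]
    key_found = pem_blocks(key_text)
    keys = [b for b in key_found if b[0] in KEY_LABELS]
    if "CERTIFICATE" not in cert_labels:
        problems.append("SSLCertFile: no CERTIFICATE block")
    if not keys:
        seen = ", ".join(label for label, _ in key_found) or "nothing"
        problems.append(f"SSLKeyFile: no private key block (found: {seen})")
    elif keys[0][1] and not password:
        problems.append("SSLKeyFile: key is encrypted, SSLPKPassword is empty")
    return problems

# Constructed samples: the base64 bodies are placeholders, not real keys.
BODY = "Y29uc3RydWN0ZWQgc2FtcGxl\n"
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{BODY}-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{BODY}-----END PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                  f"{BODY}-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for key, pw in [(SAMPLE_KEY, ""), (SAMPLE_ENC_KEY, ""),
                    (SAMPLE_ENC_KEY, "constructed"), (SAMPLE_CERT, "")]:
        print(check_ssl_set(SAMPLE_CERT, key, pw) or "ok")
```

To go one step further and confirm that a real key matches a real certificate, Python's `ssl.SSLContext.load_cert_chain(certfile, keyfile, password)` raises an error on a mismatch.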