Adrian via Exim-users <exim-users@exim.org> wrote:

> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.
> 
> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
> 
> This is the output of getfacl and ls -l and is the same for the existing
> and the new server.
> 
> getfacl privkey.pem 
> # file: privkey.pem
> # owner: root
> # group: Debian-exim
> user::rw-
> group::r--
> group:Debian-exim:r--
> mask::r--
> other::---
> 
> ls -l privkey.pem 
> -rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem
> 
> The existing server works, the new server can't do TLS and reports
> 'Error while reading file'.
> 
> Exim4 is running as user Debian-Exim.  I've tried setting initgroups =
> true.
> 
> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.
> 
> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.
> 
> I have to confess now that I don't generally understand the answers
> here. Please would you explain in terms that tell me the commands
> to issue, and what to add or change in which files.  Thanks!
> 

       lsattr - list file attributes on a Linux second extended file system

I doubt this is the problem, but I have nothing better to offer.

--
u34


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
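As an added illustration (not code from either message above): a small POSIX shell check that does what the thread is attempting by hand, namely confirm whether the Exim user can actually reach each TLS file. It resolves the symlink, tests search (x) permission on every directory on the way down, since a readable target is useless if a parent directory cannot be traversed, tests read permission on the file itself, and reports the immutable attribute that lsattr would show. The paths and the Debian-exim user are taken from the post; the script name and the use of runuser(1) from util-linux are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a given user can read a
# TLS file the way Exim would, following symlinks and testing every directory.
# Usage: sh check_tls_files.sh /etc/letsencrypt/live/example.com/fullchain.pem /etc/exim4/privkey.pem
# Assumes runuser(1) is available when the checked user is not the current one.
EXIM_USER="${EXIM_USER:-Debian-exim}"

# run_as USER CMD...: run CMD as USER (directly when we already are that user)
run_as() {
  u="$1"; shift
  if [ "$(id -un)" = "$u" ]; then "$@"; else runuser -u "$u" -- "$@"; fi
}

# check_path USER PATH: return 0 if USER can traverse every parent directory of
# the resolved PATH and read the file; otherwise print the first blocker, return 1.
check_path() {
  user="$1"; target="$2"
  real=$(readlink -f "$target") || { echo "cannot resolve: $target"; return 1; }
  [ "$real" = "$target" ] || echo "note: $target -> $real"
  # walk /a, /a/b, ... up to the file's directory; each needs x (search) for USER
  rest="${real#/}"; prefix=""
  while [ "${rest#*/}" != "$rest" ]; do
    comp="${rest%%/*}"; rest="${rest#*/}"
    prefix="$prefix/$comp"
    if ! run_as "$user" test -x "$prefix"; then
      echo "BLOCKED: $user cannot traverse directory $prefix"; return 1
    fi
  done
  if ! run_as "$user" test -r "$real"; then
    echo "BLOCKED: $user cannot read $real (mode/ACL, or file missing)"; return 1
  fi
  # lsattr, as the reply suggests: an 'i' (immutable) flag does not stop reads,
  # but it does stop certbot hooks from rewriting the copy, so report it
  attrs=$(lsattr -d "$real" 2>/dev/null | cut -d' ' -f1)
  case "$attrs" in *i*) echo "note: immutable (chattr +i) flag set on $real" ;; esac
  echo "OK: $user can read $real"
}

# check every file named on the command line as the Exim user
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do check_path "$EXIM_USER" "$f" || rc=1; done
  exit $rc
fi
```

Run it as root so that runuser can switch to Debian-exim; the first BLOCKED line names the component that needs attention.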
