On Sat, 13 Jul 2024, Wolfgang via Exim-users wrote:
> Hello Viktor, Hello Jeremy, and all others helping me to find the problem with my exim not being able to deliver to https://blog.lindenberg.one/EmailSecurityTest . I have now tried a lot of things, and learned a lot about debugging this kind of error. As the biggest problem lies in the test mechanism, which introduces all kinds of simulated errors, no offering of STARTTLS etc., it was hard testing against that.
>
> So finally I created a test environment which had all the destinations with and without DANE, letsencrypt etc. I created identical-looking self-signed certs, removed the usual BasicConstraints CA=FALSE which all my self-signed certs have, so my cert looked just the same. But I could deliver to any of my system's destinations, after my DANE-DNSSEC problem was fixed.
>
> So I went another way, diving into the command line tools of GnuTLS instead of OpenSSL, which had so far been my tools for all those tests. But as the error only occurred in GnuTLS, those tools could help me. Testing the test system's self-signed cert, I needed to start some tries till I finally got STARTTLS offered, and there was a single line more than in the exim debug output:
>
>   gnutls-cli -d 9999 -V -p 25 85.215.77.84 --starttls-proto=smtp
>   ASSERT: ../../lib/tls-sig.c[_gnutls_check_key_usage_for_sig]:58
>   Peer's certificate does not allow digital signatures. Key usage violation detected.
>   *** Fatal error: Key usage violation in certificate has been detected
>
> Doing the same to my test destination for the self-signed cert:
>
>   gnutls-cli -d 9999 -V -p 25 78.46.150.68 --starttls-proto=smtp
>   Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
>   *** Fatal error: Error in the certificate
>
> reads totally different, as my current test exim would even accept a non-matching name. No other error popped out.
> Ok, I compared the certs again and they just looked identical:
>
> Cert 1:
>   X.509 Certificate Information:
>   Version: 3
>   Serial Number (hex): 1780f0f593e5c453adbb0ace8a352a65f85d9da7
>   Issuer: OU=GnuTLS test,O=xxxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE
>
> Cert 2:
>   X.509 Certificate Information:
>   Version: 3
>   Serial Number (hex): 31553a407b3f80ae791c3b01fc6a5c9e68f0c371
>   Issuer: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE
Hmm. One Issuer has a CN field, the other does not ?
> Cert 1:
>   Validity:
>     Not Before: Sat Jul 13 18:08:35 UTC 2024
>     Not After: Tue Jul 11 18:08:35 UTC 2034
>   Subject: CN=xxxxxxx.sxxxxxxxxxxxxxx.de,OU=GnuTLS test,O=xxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE
>   Subject Public Key Algorithm: RSA
>
> Cert 2:
>   Validity:
>     Not Before: Sat Jan 22 16:08:03 UTC 2022
>     Not After: Fri Jan 17 16:08:03 UTC 2042
>   Subject: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE
>   Subject Public Key Algorithm: RSA
This is nearly unreadable. Could you send a `diff -u` of the two certs/files/outputs?

Thanks,

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
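The gnutls-cli line quoted above ("Peer's certificate does not allow digital signatures. Key usage violation detected.") points at the X509v3 extensions, which are the part of the two certificate dumps most worth diffing: when a certificate carries a keyUsage extension that does not include digitalSignature, GnuTLS will not use it to sign a TLS handshake, and with TLS 1.3 and the ephemeral (EC)DHE suites the server must sign. The script below is an added example for this thread, not code from Wolfgang, Exim or GnuTLS. It assumes only a POSIX shell and an OpenSSL 1.1.1-or-later `openssl` binary (`-addext` and `x509 -ext` need that), builds two self-signed certificates with constructed names, and reports which Key Usage bits each one carries and whether it could sign a handshake at all.

```shell
#!/bin/sh
# Added example (not from the thread, Exim or GnuTLS): build two self-signed
# certificates with openssl and show which Key Usage bits each carries.
# A keyUsage extension that is present but lacks digitalSignature is what
# makes GnuTLS report "Key usage violation" during the handshake.
# All names and subjects below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE: self-signed RSA certificate in $WORK/NAME.pem
# carrying the given keyUsage list (constructed subject, 30-day validity).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1.example.test" \
        -addext "keyUsage=critical,$2" >/dev/null 2>&1
}

# key_usage CERT: print the decoded Key Usage list as openssl shows it
# ("Digital Signature, Key Encipherment"), or "absent" when the certificate
# has no keyUsage extension at all (RFC 5280: then no use is restricted).
key_usage() {
    ku="$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null \
          | awk '/Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }')"
    if [ -n "$ku" ]; then
        printf '%s\n' "$ku"
    else
        printf 'absent\n'
    fi
}

# tls_signing_ok CERT: "yes" if the certificate may sign a TLS handshake
# (digitalSignature set, or no keyUsage restriction), otherwise "no".
tls_signing_ok() {
    case "$(key_usage "$1")" in
        absent|*"Digital Signature"*) echo yes ;;
        *) echo no ;;
    esac
}

# A usable TLS server certificate versus one limited to RSA key transport.
make_cert sign "digitalSignature,keyEncipherment"
make_cert encipher-only "keyEncipherment"

for c in sign encipher-only; do
    printf '%-14s keyUsage: %-36s handshake signing: %s\n' \
        "$c" "$(key_usage "$WORK/$c.pem")" "$(tls_signing_ok "$WORK/$c.pem")"
done
```

Run it as a plain script; the `encipher-only` certificate is the shape that produces the GnuTLS error, while `openssl x509 -text` on the same file shows nothing wrong in Issuer, Subject or Validity, which is why a line-by-line diff of the whole dump, extensions included, is more telling than the fields compared above.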