The cert should be chmod 600 and owned by root. I've had issues where the search 
path was the cause, so make sure /etc/pki/certs can be read by root also. You 
have a lot going on. I would suggest tearing it down to the bare essentials and 
adding pieces one at a time so you are only debugging one issue at a time. It 
could also be that the cert is just made wrong. What were your steps to make it?
On Jul 30, 2018 12:11 PM, ѽ҉ᶬḳ℠ <v...@gmx.net> wrote:
>
>
> >> Getting this error and not sure what to make of that error code 0B084002:
> >>
> >> warn: unable to load CA file /etc/pki/certs/ca-chain.cert.pem:
> >> Permission denied
> >> debug: lka: X509 verify: error:0B084002:x509 certificate
> >> routines:X509_load_cert_crl_file:system lib
> >> smtp-out: Server certificate verification failed on session 
> >> 21fb77fa13301003
> >>
> >> The file has the same permission as the PKI certificates (and PEM
> >> format) but for which no such error is exhibited.
> >>
> >> # file: etc/pki/certs/ca-chain.cert.pem
> >> # owner: root
> >> # group: root
> >> user::r--
> >> group::---
> >> other::r--
> >>
> >>
> >> This is on Arch Linux, kernel 4.17.9, and its repo package opensmtpd 6.0.3p1-2.
> >>
> > The config you posted previously didn't show any of the tls information 
> > needed to assist you.
>
> That is the config:
>
> ca mail certificate '/etc/pki/certs/ca-chain.cert.pem'
> pki mail key '/etc/pki/private/RSA_smtp_lan_server_vtol.km.key.pem'
> pki mail certificate '/etc/pki/certs/RSA_smtp_lan_server_vtol.km.cert.pem'
> ca server.foo.bar certificate '/etc/pki/certs/ca-chain.cert.pem'
> pki server.foo.bar key '/etc/pki/private/RSA_smtp_wan_server_vtol.km.key.pem'
> pki server.foo.bar certificate '/etc/pki/certs/RSA_smtp_wan_server_vtol.km.cert.pem'
>
> listen on lo inet4 port 25 tls hostname mail mask-source tag lo
> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
> listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
> listen on lo port 10028 mask-source tag DKIM
> # listen on eth0 inet4 port 40025 tls-require hostname server.foo.bar tag wan
> # listen on eth0 inet4 port 40587 smtps hostname server.foo.bar tag wan
>
> accept for local alias <aliases> deliver to lmtp "/var/run/dovecot/lmtp"
> accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
> accept tagged DKIM for any relay
> accept for any relay via smtp://127.0.0.1:10027
> accept for any relay hostname server.foo.bar tls verify
> accept from local for any relay
> accept from source 172.25.120.2 for any relay
> accept from any for domain "foo.bar" alias <aliases> deliver to maildir "~/Maildir"
>
> limit mta inet4
> max-message-size 5M
> expire 10m
> bounce-warn 1m, 10m, 1h, 2h
> queue encryption key [ obfuscated ]
> queue compression
> ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>
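The "Permission denied" line in the posted log is emitted by lka, which OpenSMTPD runs as its unprivileged user rather than as root, and the posted ACL shows the file itself is world-readable. That leaves the directories above it: every one of them must grant that user the search (x) bit, which is the "search path" the first reply alludes to. The script below is an added example of mine, not code from the thread or from the OpenSMTPD project. It walks a path the way a user who is neither owner nor group member sees it and names the first component that blocks access; the layout it checks is a constructed copy of the thread's /etc/pki/certs under a temp directory, and it assumes GNU or busybox `stat -c %a` (Linux).

```shell
#!/bin/sh
# Added example, not from the thread. Walks a path as a user who is neither
# the owner nor in the group would see it and reports the first component
# that denies access. Assumes GNU/busybox `stat -c %a` (Linux).

# first_denied_for_other TARGET [TRUSTED_PREFIX]
#   Checks each component of TARGET below TRUSTED_PREFIX (default: /).
#   A directory needs the "other" search (x) bit; the final file needs the
#   "other" read (r) bit. Prints the first offender and returns 1, or
#   returns 0 when the whole path is reachable.
first_denied_for_other() {
    target=$1
    acc=${2:-}
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    case $target in "$acc"*) ;; *) acc="" ;; esac   # prefix must match
    rest=${target#"$acc"}
    old_ifs=$IFS
    IFS=/
    set -f                        # no globbing while splitting on '/'
    set -- $rest
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        mode=$(stat -c '%a' "$acc" 2>/dev/null) || {
            printf '%s: does not exist or cannot be stat-ed\n' "$acc"
            return 1
        }
        other=${mode#"${mode%?}"}     # last octal digit = bits for "other"
        if [ -d "$acc" ]; then
            if [ $(( other & 1 )) -eq 0 ]; then
                printf '%s: directory not searchable by other (mode %s)\n' "$acc" "$mode"
                return 1
            fi
        elif [ $(( other & 4 )) -eq 0 ]; then
            printf '%s: file not readable by other (mode %s)\n' "$acc" "$mode"
            return 1
        fi
    done
    return 0
}

# make_demo_layout
#   Constructed sample: the thread's /etc/pki/certs layout under a temp dir,
#   with the certs directory closed to everyone but its owner. The file is
#   world-readable, exactly as in the posted ACL, yet the walk still fails.
make_demo_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/etc/pki/certs"
    printf -- '-----BEGIN CERTIFICATE-----\nplaceholder, not a real chain\n-----END CERTIFICATE-----\n' \
        > "$base/etc/pki/certs/ca-chain.cert.pem"
    chmod 755 "$base" "$base/etc" "$base/etc/pki"
    chmod 700 "$base/etc/pki/certs"                      # the blocker
    chmod 644 "$base/etc/pki/certs/ca-chain.cert.pem"
    printf '%s\n' "$base"
}

# Command-line use on a real box:
#   sh check_path.sh /etc/pki/certs/ca-chain.cert.pem
if [ $# -gt 0 ]; then
    first_denied_for_other "$1" "${2:-}"
fi
```

On the live system the definitive check is to attempt the read as the daemon's unprivileged account (standard commands, not from the thread; substitute the user name your package creates), e.g. `sudo -u _smtpd cat /etc/pki/certs/ca-chain.cert.pem`, and to rule out the "made wrong" possibility with `openssl verify -CAfile /etc/pki/certs/ca-chain.cert.pem` against the server certificate. Note that a `chmod 600` on the CA chain, as the reply suggests, only works if the process that reads it runs as the owner; a chain contains no secrets, so leaving it world-readable and keeping 600 for the key under /etc/pki/private is the usual split.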