On Sun, Jan 06, 2019 at 12:39:49PM -0500, Bryan Harris wrote:
> I just use the regular cert, not the fullchain one. I followed the
> directions from the relayd and httpd book (Let's Encrypt & acme-client).
>
> pki $pki_host key "/etc/ssl/private/sally.org.il.key"
> pki $pki_host cert "/etc/ssl/sally.org.il.crt"

I did too originally. However, I was seeing weird TLS errors in the log
after switching to 6.4, so I switched the cert to the fullchain.pem and
they went away.

mail$ doas egrep "TLS failed" /var/log/maillog
mail$

Edgar

> Bryan
>
> On 1/6/2019 10:21 AM, John Cox wrote:
> > Hi
> >
> > I'm using OpenSMTPD 6.4.0
> >
> > I'm (at least) a little confused as to which sort of certs I should
> > put in the pki cert and ca conf file entries (I can cope with the key
> > entry!)
> >
> > I have an apparently functional ACME setup using the default
> > acme-client supplied with OpenBSD. This gives me 3 sorts of cert:
> >
> > 1) Bare cert
> > 2) Chain cert
> > 3) Full chain cert
> >
> > I have pki cert set to the bare cert, and ca set to the chain cert -
> > is that correct? Or should I use the full chain cert for the pki cert?
> >
> > I ask because whilst the setup mostly works I do get odd logging like
> > this:
> >
> > Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> > Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> > Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> > Jan 6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate verification succeeded on session 92975635cb3d86a4
> > Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery evpid=00fe7e3a0bda75cf from=<forward...@uphall.net> to=<yyy....@ntlworld.com> rcpt=<z...@uphall.net> source="46.235.226.138" relay="212.54.58.11 (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0 MXIN650 mail accepted for delivery ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
> > Jan 6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
> > Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> > Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> > Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta disconnected reason=quit messages=1
> >
> > Where it seems to succeed with TLS and then it says that it has failed.
> > What is going on?
> >
> > Thanks
> >
> > John Cox
> >
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
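As an added example (my own, not code from the thread or from the OpenSMTPD project): the three files John lists are what acme-client(1) writes under OpenBSD's default acme-client.conf, and the quickest offline way to tell them apart is to count the certificate blocks each one carries. The script below does that and emits the matching smtpd.conf pki lines, preferring the fullchain file, which is the choice Edgar reports made his "TLS failed" log entries go away. The host name mail.example.org, the directories, and the PEM bodies are assumptions; the PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSMTPD: distinguish the PEM
# files acme-client(1) writes and pick one for smtpd.conf's "pki ... cert".
# File names follow OpenBSD's default acme-client.conf:
#   /etc/ssl/<host>.crt            bare (leaf) certificate, one block
#   /etc/ssl/<host>.chain.pem      intermediate(s) only
#   /etc/ssl/<host>.fullchain.pem  leaf followed by the intermediate(s)
# The host name and directories used below are assumptions.

# Number of certificate blocks in a PEM file (0 if missing or unreadable).
# "grep -c" exits 1 when the count is 0, hence the "|| true".
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print smtpd.conf pki lines for host $1, with $2 as the certificate
# directory and $3 as the key directory. Use the fullchain file when it
# exists and carries more than the leaf; otherwise fall back to the bare
# certificate so the config still points at a file that exists.
smtpd_pki_lines() {
    host=$1 certdir=$2 keydir=$3
    full="$certdir/$host.fullchain.pem"
    bare="$certdir/$host.crt"
    if [ "$(pem_cert_count "$full")" -ge 2 ]; then
        cert=$full
    else
        cert=$bare
    fi
    printf 'pki %s cert "%s"\n' "$host" "$cert"
    printf 'pki %s key  "%s"\n' "$host" "$keydir/$host.key"
}

# Constructed sample (placeholder PEM bodies, not real certificates) so the
# functions above can be exercised offline. Prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    leaf="$d/mail.example.org.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB/placeholder/leaf' \
        '-----END CERTIFICATE-----' > "$leaf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB/placeholder/intermediate' \
        '-----END CERTIFICATE-----' > "$d/mail.example.org.chain.pem"
    cat "$leaf" "$d/mail.example.org.chain.pem" > "$d/mail.example.org.fullchain.pem"
    echo "$d"
}

# Stand-alone run: show the block counts and the resulting config lines.
demo_dir=$(make_sample)
for suffix in crt chain.pem fullchain.pem; do
    printf '%-30s %s cert block(s)\n' "mail.example.org.$suffix" \
        "$(pem_cert_count "$demo_dir/mail.example.org.$suffix")"
done
smtpd_pki_lines mail.example.org "$demo_dir" /etc/ssl/private
rm -r "$demo_dir"
```

Counting blocks only tells you what is on disk. Whether the running daemon actually hands the intermediate to peers can only be confirmed on the wire, for example with `openssl s_client -starttls smtp -connect mail.example.org:25 -showcerts`; a peer that receives only the leaf may be unable to build a path to a root it trusts, which is why the bare .crt alone is a fragile choice for the pki cert entry.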