Hi >2019-01-06 16:21 skrev John Cox: >> Hi >> >> I'm using OpenSMTPD 6.4.0 >> >> I'm (at least) a little confused as to which sort of certs I should >> put in the pki cert and ca conf file entries (I can cope with the key >> entry!) >> >> I have an apparently functional ACME setup using the default >> acme-client supplied with openbsd. This gives me 3 sorts of cert: >> >> 1) Bare cert >> 2) Chain cert >> 3) Full chain cert >> >> I have pki cert set to the bare cert, and ca set to the chain cert - >> is that correct? or should I use the full chain cert for the pki cert? >> >> I ask because whilst the setup mostly morks I do get odd logging like >> this: >> >> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting >> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net >> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected >> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls >> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256 >> Jan 6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate >> verification succeeded on session 92975635cb3d86a4 >> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery >> evpid=00fe7e3a0bda75cf from=<[email protected]> >> to=<[email protected]> rcpt=<[email protected]> >> source="46.235.226.138" relay="212.54.58.11 >> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0 >> MXIN650 mail accepted for delivery >> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;" >> Jan 6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session >> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain >> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting >> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net >> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected >> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta >> disconnected reason=quit messages=1 >> >> Where I seems to succeed with tls and then it says that it has failed. >> What is going on?
I know I put 2 questions in one message but does anyone have any idea why I seem to both get a TLS success & a TLS failure here? >> >> Thanks >> >> John Cox > >You should use the full chain, so that any connecting computers can >verify the full certificate chain. :) > >This is a snippet from my configuration: > >pki mx.helloworld.online cert >"/etc/ssl/acme/mx.helloworld.online.fullchain.pem" >pki mx.helloworld.online key >"/etc/ssl/acme/private/mx.helloworld.online.key" > >Hope that helps in some way. Thanks - I think I understand what is needed for verification to take place, and as I am using a public CA to generate the certs. at least in theory, the chain part should be well known and therefore not needed or actually unwanted if the far end is going to verify the cert. (Unless, of course, the CA has generated intermediate certs between the well known root cert and my cert, in which case the chain is required to bridge the gap.) Fullchain shouldn't really be required unless you have a self-signed thing or want to persuade the far end to add your root cert to its cert stash. Nonetheless I equally understand that many implementations want a full chain so it must be available. The question is - how is the fullchain constructed - is it pki+ca or just pki, and if the latter then what is the ca statement meant to do for me? Many thanks John Cox -- You received this mail because you are subscribed to [email protected] To unsubscribe, send a mail to: [email protected]
