I thought for a moment that you had put your finger on it, the oldest Unix gotcha of all, bad permissions.
But no - I shifted the certificate and key into /usr/pkg/etc/openssl/certs and private, and now the error message takes this form:

Oct 23 17:34:30 body postfix/smtpd[20176]: warning: cannot get private key from file /usr/pkg/etc/openssl/certs/myserver.pem
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/crypto/pem/pem_lib.c:647:Expecting: ANY PRIVATE KEY:
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_rsa.c:669:
Oct 23 17:34:30 body postfix/smtpd[20176]: cannot load RSA certificate and key data

The bit I don't get is that the private key is specified to be in the private subdirectory, not the certs subdirectory, and it is specified as having the extension .key, not .pem.

I used openssl asn1parse as you suggested, and the key and certificate both make plausible reading. Permissions on the subdirectories are 0755.

Have I got faulty libraries, faulty data, or both?

--
Steve Blinkhorn <st...@prd.co.uk>

You wrote:
>
> st...@prd.co.uk (Steve Blinkhorn) writes:
>
> > This is still a live issue - apologies, I missed your post last week.
> >
> > Here are the file specs from my /etc/postfix/main.cf:
> >
> > smtpd_tls_cert_file = /etc/ssl/certs/myname.pem
> > smtpd_tls_key=/etc/ssl/private/myname.key
> >
> >
> > It's clear from the runtime error message that the certificate is not,
> > in effect, being read. But the current file names and contents
> > produce the fewest errors. Could it be the .pem file extension, or
> > is there a hard-coded location for the certificate and key that I need
> > to conform to?
> >
> > Or could it be that the content of the files is wrong? I found
> > myself going round in circles and making no progress.
> >
> > This is NetBSD 4.01, with the SSL libraries updated to the latest
> > version for that release.
>
> I put them in /usr/pkg/etc/postfix. Of course the snmp daemon needs to
> be able to read the files - /etc/openssl/private on my systems are
> root-owned 700.
>
> My key file is key.pem and starts like:
>
> -----BEGIN RSA PRIVATE KEY-----
>
> The certificate file is post.pem and starts
>
> -----BEGIN CERTIFICATE-----
>
> and both can be read with 'openssl asn1parse'.
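
The log above shows smtpd trying to read the private key from the certificate file, which is what Postfix does when smtpd_tls_key_file is not set (that parameter defaults to $smtpd_tls_cert_file). The check below is an added example, not part of the original message: it parses main.cf text, resolves the file the key is actually read from, and looks for the PEM BEGIN lines quoted in the thread. The function names and the placeholder PEM bodies are assumptions made for the illustration.

```python
import re

# PEM armour line, e.g. "-----BEGIN RSA PRIVATE KEY-----"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

def parse_main_cf(text):
    """Return {name: value}; lines starting with whitespace continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def effective_key_file(params):
    """smtpd_tls_key_file defaults to $smtpd_tls_cert_file when it is not set."""
    cert = params.get("smtpd_tls_cert_file", "")
    key = params.get("smtpd_tls_key_file", "$smtpd_tls_cert_file")
    if key in ("$smtpd_tls_cert_file", "${smtpd_tls_cert_file}"):
        key = cert
    return key

def check_tls_files(main_cf, files):
    """files maps path -> PEM text (read from disk in real use). Returns findings."""
    params = parse_main_cf(main_cf)
    cert, key = params.get("smtpd_tls_cert_file", ""), effective_key_file(params)
    findings = []
    if "smtpd_tls_key_file" not in params:
        findings.append(f"smtpd_tls_key_file unset: key is read from {cert}")
    if "CERTIFICATE" not in PEM_BEGIN.findall(files.get(cert, "")):
        findings.append(f"{cert}: no CERTIFICATE block")
    key_labels = PEM_BEGIN.findall(files.get(key, ""))
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        findings.append(f"{key}: no PRIVATE KEY block (OpenSSL reports 'no start line')")
    return findings

# Constructed sample input: the two main.cf lines quoted in the thread, placeholder PEM bodies.
MAIN_CF = """smtpd_tls_cert_file = /etc/ssl/certs/myname.pem
smtpd_tls_key=/etc/ssl/private/myname.key
"""
FILES = {
    "/etc/ssl/certs/myname.pem": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "/etc/ssl/private/myname.key": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for finding in check_tls_files(MAIN_CF, FILES):
        print(finding)
```

On a live system, `postconf smtpd_tls_cert_file smtpd_tls_key_file` prints the values Postfix has actually resolved.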