I've built & set up Postfix 2.11.3 on Ubuntu 64. Been reading up on list and decided to set up TLS AUTH using ccerts.

1st step, I created and installed self-signed certs & added these smtpd_tls_* to config

    -o smtpd_use_tls=yes
    -o smtpd_tls_security_level=may
    -o smtpd_tls_CApath=/etc/ssl/certs
    -o smtpd_tls_cert_file="/etc/ssl/mail/myserver.crt"
    -o smtpd_tls_key_file="/etc/ssl/mail/myserver.key"

'postfix check' reports no errors and on 'start' neither do the logs.

When the server receives a message I get an error about the RSA cert

    Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: cannot get RSA certificate from file "/etc/ssl/mail/myserver.crt": disabling TLS support
    Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('"/etc/ssl/mail/myserver.crt"','r'):
    Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: TLS library problem: error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: TLS library problem: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

The cert & key exist with perms currently at

    ls -al /etc/ssl/mail/
    total 20K
    drwxr-xr-x 2 root postfix 4.0K Jan 31 11:21 ./
    drwxr-xr-x 3 root root    4.0K Jan 30 16:44 ../
    -rw-r--r-- 1 root postfix 1.8K Jan 31 11:21 server.crt
    -r--r----- 1 root postfix 1.7K Jan 31 11:21 server.key

The cert checks out OK

    openssl x509 -in /etc/ssl/mail/myserver.crt -text -noout
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 12464773755243853735 (0xacfbc5b06eebf7a7)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=##, ST=##, L=###, O=##, OU=##/emailAddress=##, CN=myCA
            Validity
                Not Before: Jan 31 18:50:26 2015 GMT
                Not After : Jan 28 18:50:26 2025 GMT
            Subject: C=##, ST=##, L=##, O=##, OU=##/emailAddress=##, CN=mySERVER
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        ##:...:##
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             ##:...:##

and my CA's crt is in the system-default certs path and hashed,

    ls -al /etc/ssl/certs | grep *myCA*
    lrwxrwxrwx 1 root root 25 Jan 31 10:59 b9754ce0.0 -> myCA.pem
    lrwxrwxrwx 1 root root 25 Jan 31 10:59 cd26ed18.0 -> myCA.pem
    lrwxrwxrwx 1 root root 58 Jan 31 10:59 myCA.pem -> /usr/local/share/ca-certificates/myCA.crt

Telnet into the server shows

    telnet ##.##.##.## 25
    Trying ##.##.##.##...
    Connected to ##.##.##.##.
    Escape character is '^]'.
    220 mail.##.com ESMTP.
    EHLO myserver.com
    250-mail.##.com
    250-PIPELINING
    250-SIZE 44040192
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

And if I test the equivalent crt & key in a local nginx there doesn't seem to be any problem.

I don't see why Postfix doesn't like my crt. What have I missed or broken?
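
An added example, not part of the original post: a small Python helper that pulls the path out of the OpenSSL fopen() error in the smtpd log and compares it with the directory listing, since that logged path is exactly what OpenSSL tried to open. The log line and file names are copied from the post above; the function and constant names are made up for this illustration.

```python
import re

# Matches the path OpenSSL reports in its fopen() error, e.g.
#   ...:bss_file.c:398:fopen('<path>','r'):
FOPEN_RE = re.compile(r"fopen\('(?P<path>.*?)','(?P<mode>[a-z]+)'\)")
QUOTE_CHARS = "\"'"

# Sample input copied from the post (log line and `ls` names).
LOG = [
    "Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: TLS library problem: "
    "error:02001002:system library:fopen:No such file or directory:"
    "bss_file.c:398:fopen('\"/etc/ssl/mail/myserver.crt\"','r'):",
    "Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: TLS library problem: "
    "error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:",
]
LISTING = {"server.crt", "server.key"}


def fopen_paths(log_lines):
    """Return every path OpenSSL tried to fopen(), exactly as logged."""
    found = []
    for line in log_lines:
        m = FOPEN_RE.search(line)
        if m:
            found.append(m.group("path"))
    return found


def triage(path, listing):
    """Return findings for one logged path, given the file names that
    `ls` showed in the directory the path points into."""
    findings = []
    stripped = path.strip(QUOTE_CHARS)
    if stripped != path:
        # The quote characters reached fopen() as part of the file name.
        findings.append("quotes are part of the file name passed to fopen()")
    name = stripped.rsplit("/", 1)[-1]
    if name not in listing:
        findings.append(f"{name!r} is not in the directory listing")
    return findings


if __name__ == "__main__":
    for p in fopen_paths(LOG):
        print(p, "->", triage(p, LISTING) or "no findings")
```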