Re: Confused by certificates

2019-01-06 Thread Oscar Carlsson

2019-01-06 16:21 John Cox wrote:

> Hi
>
> I'm using OpenSMTPD 6.4.0
>
> I'm (at least) a little confused as to which sort of certs I should
> put in the pki cert and ca conf file entries (I can cope with the key
> entry!)
>
> I have an apparently functional ACME setup using the default
> acme-client supplied with openbsd. This gives me 3 sorts of cert:
>
> 1) Bare cert
> 2) Chain cert
> 3) Full chain cert
>
> I have pki cert set to the bare cert, and ca set to the chain cert -
> is that correct? or should I use the full chain cert for the pki cert?
>
> I ask because whilst the setup mostly works I do get odd logging like
> this:
>
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
> verification succeeded on session 92975635cb3d86a4
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
> evpid=00fe7e3a0bda75cf from=
> to= rcpt=
> source="46.235.226.138" relay="212.54.58.11
> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
> MXIN650 mail accepted for delivery
> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
> Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
> disconnected reason=quit messages=1
>
> Where it seems to succeed with tls and then it says that it has failed.
> What is going on?
>
> Thanks
>
> John Cox


You should use the full chain, so that any connecting computers can
verify the full certificate chain. :)

This is a snippet from my configuration:

pki mx.helloworld.online cert "/etc/ssl/acme/mx.helloworld.online.fullchain.pem"
pki mx.helloworld.online key  "/etc/ssl/acme/private/mx.helloworld.online.key"


Hope that helps in some way.


--
Oscar

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Confused by certificates

2019-01-06 Thread edgar
On Sun, Jan 06, 2019 at 12:39:49PM -0500, Bryan Harris wrote:
> I just use the regular cert, not the fullchain one. I followed the
> directions from the relayd and httpd book (Let's Encrypt & acme-client).
> 
> 
> pki $pki_host key   "/etc/ssl/private/sally.org.il.key"
> pki $pki_host cert  "/etc/ssl/sally.org.il.crt"

I did too originally. However, I was seeing weird tls errors in the log
after switching to 6.4 so I switched the cert to the fullchain.pem and
they went away.

mail$ doas egrep "TLS failed" /var/log/maillog
mail$ 

Edgar

> 
> 
> Bryan
> 
> 
> On 1/6/2019 10:21 AM, John Cox wrote:
> > Hi
> > 
> > I'm using OpenSMTPD 6.4.0
> > 
> > I'm (at least) a little confused as to which sort of certs I should
> > put in the pki cert and ca conf file entries (I can cope with the key
> > entry!)
> > 
> > I have an apparently functional ACME setup using the default
> > acme-client supplied with openbsd. This gives me 3 sorts of cert:
> > 
> > 1) Bare cert
> > 2) Chain cert
> > 3) Full chain cert
> > 
> > I have pki cert set to the bare cert, and ca set to the chain cert -
> > is that correct? or should I use the full chain cert for the pki cert?
> > 
> > I ask because whilst the setup mostly works I do get odd logging like
> > this:
> > 
> > Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> > address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> > Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> > Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
> > ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> > Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
> > verification succeeded on session 92975635cb3d86a4
> > Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
> > evpid=00fe7e3a0bda75cf from=
> > to= rcpt=
> > source="46.235.226.138" relay="212.54.58.11
> > (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
> > MXIN650 mail accepted for delivery
> > ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
> > Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
> > 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
> > Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> > address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> > Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> > Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
> > disconnected reason=quit messages=1
> > 
> > Where it seems to succeed with tls and then it says that it has failed.
> > What is going on?
> > 
> > Thanks
> > 
> > John Cox
> > 
> 

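Edgar's grep for "TLS failed" finds the downgrade lines but not which sessions they belong to. The following Python is an added example (not from anyone in the thread) that walks smtpd log lines, groups them by session id and reports sessions that verified the peer over STARTTLS and were then re-connected as smtp+notls. The sample log is constructed from the lines John quoted; the second session id 0123456789abcdef and host mx.example.net are made up as a control that stays on TLS.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the smtpd lines quoted in the thread; the
# second session (0123456789abcdef / mx.example.net) is invented as a control.
SAMPLE_LOG = """\
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate verification succeeded on session 92975635cb3d86a4
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta disconnected reason=quit messages=1
Jan  6 14:40:00 azathoth smtpd[87479]: 0123456789abcdef mta connecting address=smtp://192.0.2.10:25 host=mx.example.net
Jan  6 14:40:00 azathoth smtpd[87479]: 0123456789abcdef mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
"""

MTA_RE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>\w+)")
# The address= scheme says what the attempt uses: smtp (opportunistic TLS),
# smtp+notls (plain, after a downgrade), smtp+tls, smtps ...
ADDR_RE = re.compile(r"address=(?P<scheme>[a-z+]+)://\S+ host=(?P<host>\S+)")
# "smtp-out:" lines name the session at the end of the sentence instead.
SMTPOUT_RE = re.compile(r"smtp-out: .*session (?P<sid>[0-9a-f]{16})")


def summarize_sessions(log_text):
    """Return {session_id: {host, transport, starttls, verified, downgraded}}."""
    sessions = defaultdict(lambda: dict(host=None, transport=None, starttls=False,
                                        verified=False, downgraded=False))
    for line in log_text.splitlines():
        if (m := MTA_RE.search(line)):
            s = sessions[m["sid"]]
            if m["event"] == "connecting" and (a := ADDR_RE.search(line)):
                # A second "connecting" for one session overwrites the transport.
                s["host"], s["transport"] = a["host"], a["scheme"]
            elif m["event"] == "starttls":
                s["starttls"] = True
        elif (m := SMTPOUT_RE.search(line)):
            s = sessions[m["sid"]]
            if "verification succeeded" in line:
                s["verified"] = True
            elif "opportunistic TLS failed" in line:
                s["downgraded"] = True
    return dict(sessions)


def downgraded_sessions(log_text):
    """Session ids that fell back to plain SMTP after a TLS attempt."""
    return sorted(sid for sid, s in summarize_sessions(log_text).items()
                  if s["downgraded"] or s["transport"] == "smtp+notls")
```

Run it over /var/log/maillog instead of SAMPLE_LOG and a non-empty result after switching the pki cert to fullchain.pem means the chain is still not what the remote side expects.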



Re: Confused by certificates

2019-01-06 Thread Bryan Harris
I just use the regular cert, not the fullchain one. I followed the 
directions from the relayd and httpd book (Let's Encrypt & acme-client).



pki $pki_host key   "/etc/ssl/private/sally.org.il.key"
pki $pki_host cert  "/etc/ssl/sally.org.il.crt"


Bryan


On 1/6/2019 10:21 AM, John Cox wrote:

> Hi
>
> I'm using OpenSMTPD 6.4.0
>
> I'm (at least) a little confused as to which sort of certs I should
> put in the pki cert and ca conf file entries (I can cope with the key
> entry!)
>
> I have an apparently functional ACME setup using the default
> acme-client supplied with openbsd. This gives me 3 sorts of cert:
>
> 1) Bare cert
> 2) Chain cert
> 3) Full chain cert
>
> I have pki cert set to the bare cert, and ca set to the chain cert -
> is that correct? or should I use the full chain cert for the pki cert?
>
> I ask because whilst the setup mostly works I do get odd logging like
> this:
>
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
> verification succeeded on session 92975635cb3d86a4
> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
> evpid=00fe7e3a0bda75cf from=
> to= rcpt=
> source="46.235.226.138" relay="212.54.58.11
> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
> MXIN650 mail accepted for delivery
> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
> Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
> disconnected reason=quit messages=1
>
> Where it seems to succeed with tls and then it says that it has failed.
> What is going on?
>
> Thanks
>
> John Cox






Confused by certificates

2019-01-06 Thread John Cox
Hi

I'm using OpenSMTPD 6.4.0

I'm (at least) a little confused as to which sort of certs I should
put in the pki cert and ca conf file entries (I can cope with the key
entry!)

I have an apparently functional ACME setup using the default
acme-client supplied with openbsd. This gives me 3 sorts of cert:

1) Bare cert
2) Chain cert
3) Full chain cert

I have pki cert set to the bare cert, and ca set to the chain cert -
is that correct? or should I use the full chain cert for the pki cert?

I ask because whilst the setup mostly works I do get odd logging like
this:

Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
verification succeeded on session 92975635cb3d86a4
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
evpid=00fe7e3a0bda75cf from=
to= rcpt=
source="46.235.226.138" relay="212.54.58.11
(mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
MXIN650 mail accepted for delivery
;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
disconnected reason=quit messages=1

Where it seems to succeed with tls and then it says that it has failed.
What is going on?

Thanks

John Cox
