NetBSD-Users archive


Re: dovecot again/still



I thought for a moment that you had put your finger on it, the oldest
Unix gotcha of all, bad permissions.

But no - I shifted the certificate and key into
/usr/pkg/etc/openssl/certs and private, and now the error message
takes this form:

Oct 23 17:34:30 body postfix/smtpd[20176]: warning: cannot get private key from file /usr/pkg/etc/openssl/certs/myserver.pem
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:0906D06C:PEM routines:PEM_read_bio:no start line:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/crypto/pem/pem_lib.c:647:Expecting: ANY PRIVATE KEY:
Oct 23 17:34:30 body postfix/smtpd[20176]: warning: TLS library problem: 20176:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEMlib:/home/builds/ab/netbsd-4-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_rsa.c:669:
Oct 23 17:34:30 body postfix/smtpd[20176]: cannot load RSA certificate and key data

The bit I don't get is that the private key is specified to be in the
private subdirectory, not the certs subdirectory, and it is specified
as having the extension .key, not .pem.   I used openssl asn1parse as
you suggested, and the key and certificate both make plausible
reading.

Permissions on the subdirectories are 0755.

Have I got faulty libraries, faulty data, or both?

--
Steve Blinkhorn <steve%prd.co.uk@localhost>

You wrote:
> 
> 
> steve%prd.co.uk@localhost (Steve Blinkhorn) writes:
> 
> > This is still a live issue - apologies, I missed your post last week.
> >
> > Here are the file specs from my /etc/postfix/main.cf:
> >
> > smtpd_tls_cert_file = /etc/ssl/certs/myname.pem
> > smtpd_tls_key=/etc/ssl/private/myname.key
> >
> >
> > It's clear from the runtime error message that the certificate is not,
> > in effect, being read.   But the current file names and contents
> > produce the fewest errors.   Could it be the .pem file extension, or
> > is there a hard-coded location for the certificate and key that I need
> > to conform to?
> >
> > Or could it be that the content of the files is wrong?   I found
> > myself going round in circles and making no progress.
> >
> > This is NetBSD 4.01, with the SSL libraries updated to the latest
> > version for that release.
> 
> I put them in /usr/pkg/etc/postfix.  Of course the snmp daemon needs to
> be able to read the files - /etc/openssl/private on my systems are
> root-owned 700.
> 
> My key file is key.pem and starts like:
> 
> -----BEGIN RSA PRIVATE KEY-----
> 
> The certificate file is post.pem and starts
> 
> -----BEGIN CERTIFICATE-----
> 
> and both can be read with 'openssl asn1parse'.
> 
> 




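The log in this message shows Postfix looking for the private key in the certificate file; in Postfix, smtpd_tls_key_file defaults to $smtpd_tls_cert_file when it is not set. The script below is an added example, not part of the original message: it works out which file a main.cf-style configuration makes Postfix read the key from and checks that file for a PEM private-key header. The temporary directory, the placeholder PEM files and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the file Postfix will read the
# smtpd private key from, and check that it holds a PEM private-key block.

# Print the value of parameter $2 in main.cf-style file $1 (last one wins).
# Simplification: continuation lines and $name expansion are not handled.
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# smtpd_tls_key_file defaults to $smtpd_tls_cert_file, so when it is unset
# (or misspelled) the certificate file is also read as the key file.
effective_key_file() {
    key=$(get_param "$1" smtpd_tls_key_file)
    [ -n "$key" ] || key=$(get_param "$1" smtpd_tls_cert_file)
    printf '%s\n' "$key"
}

# Succeed if file $1 has a PEM "BEGIN ... PRIVATE KEY" header line.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Report on main.cf-style file $1; non-zero status if no key would be found.
check_config() {
    kf=$(effective_key_file "$1")
    if has_private_key "$kf"; then
        echo "ok: private key found in $kf"
    else
        echo "FAIL: no private key block in $kf"
        return 1
    fi
}

# Constructed sample data: placeholder PEM files and two main.cf variants.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$demo/myname.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$demo/myname.key"
# Variant 1 uses the parameter name quoted in the thread; variant 2 uses
# smtpd_tls_key_file.
printf '%s\n' "smtpd_tls_cert_file = $demo/myname.pem" \
    "smtpd_tls_key=$demo/myname.key" > "$demo/main1.cf"
printf '%s\n' "smtpd_tls_cert_file = $demo/myname.pem" \
    "smtpd_tls_key_file = $demo/myname.key" > "$demo/main2.cf"
check_config "$demo/main1.cf" || true
check_config "$demo/main2.cf"
```

On a real server, call check_config with the path to the live main.cf; `postconf -n` lists the non-default settings Postfix has actually picked up.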
