Re: OpenSSL: TXT_DB error number 2

  • Viktor Dukhovni
    Nov 24, 2012
      On Fri, Nov 23, 2012 at 07:55:28PM -0500, citb@... wrote:

      > > > SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
      > >
      > > Check the server logs.
      >
      > /var/log/mail.info:
      >
      > warning: cannot get RSA private key from file /etc/postfix/smtpd.pem:
      > disabling TLS support
      > warning: TLS library problem ... Expecting: ANY PRIVATE KEY

      There is no usable private key in your smtpd.pem configuration file.

      > I used these commands [0] to create smtpd.pem:
      >
      > # cd /etc/postfix
      > # tmp=$(mktemp smtpd.pem.XXXXXX)
      > # openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
      > -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
      > # chmod 0600 $tmp
      > # mv $tmp smtpd.pem
      >
      > Why does Postfix fail to get a key from smtpd.pem?

      Either you botched the recipe, or the use of "-keyout stdout" is
      not a portable way of getting OpenSSL to output the key and
      certificate back-to-back. Did the shell commands in the recipe
      generate any error messages?

      When I run this and check the contents of the smtpd.pem file (did
      you ever look at the file contents? Why not?) I see:

      $ egrep '^-----' smtpd.pem
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----

      Which shows the expected key and certificate. Post the output for
      your system. You can always generate the key separately:

      # cd /etc/postfix
      # tmp=$(mktemp smtpd.pem.XXXXXX)
      # openssl genrsa -out "$tmp" 1280
      # openssl req -x509 -new -key "$tmp" \
      -days "$((365 * 10))" -subj "/CN=mail.example.com" >> "$tmp"
      # chmod 0600 "$tmp"
      # mv "$tmp" smtpd.pem

      Don't be so helpless. Take some initiative to follow the clues to their
      logical conclusions. If the software sees no key in the file, check the
      file and figure out what's there, and perhaps why.

      --
      Viktor.
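As an added example (not code from the thread), here is a small Python check that inspects a combined smtpd.pem the way Viktor's egrep does, but also decodes each block: it reports which PEM labels are present and reproduces the "Expecting: ANY PRIVATE KEY" condition when no key block is usable. The set of key labels is the one OpenSSL's PEM_read_bio_PrivateKey() accepts; the PEM bodies below are constructed stand-ins, not real keys or certificates.

```python
import base64
import re

# Labels OpenSSL's PEM_read_bio_PrivateKey() accepts ("Expecting: ANY PRIVATE KEY").
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.
    A block whose body is not valid base64 or does not decode to a DER
    SEQUENCE is skipped, which is how a half-written file looks to OpenSSL."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue
        if der[:1] == b"\x30":  # keys and certificates are DER SEQUENCEs
            blocks.append((label, der))
    return blocks


def check_smtpd_pem(text):
    """Mimic Postfix reading one file as both cert and key: list what is
    there and the warning Postfix would log if a part is missing."""
    labels = [label for label, _ in pem_blocks(text)]
    has_key = any(label in KEY_LABELS for label in labels)
    has_cert = "CERTIFICATE" in labels
    problems = []
    if not has_cert:
        problems.append("no certificate block")
    if not has_key:
        problems.append("no usable private key (Expecting: ANY PRIVATE KEY)")
    return {"labels": labels, "ok": not problems, "problems": problems}


# Constructed samples: "MAMCAQA=" is a minimal DER SEQUENCE{INTEGER 0}, not a real key or cert.
GOOD = ("-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n")
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
CORRUPT_KEY = ("-----BEGIN PRIVATE KEY-----\nnot-base64!\n-----END PRIVATE KEY-----\n"
               + CERT_ONLY)

if __name__ == "__main__":
    for name, pem in (("good", GOOD), ("cert-only", CERT_ONLY), ("corrupt-key", CORRUPT_KEY)):
        print(name, check_smtpd_pem(pem))
```

Run it against a real file with `check_smtpd_pem(open("/etc/postfix/smtpd.pem").read())`; an empty labels list means the recipe wrote nothing usable at all.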