TLS: Error while reading file

I'm setting up a new server with Debian 8. Exim4 is preinstalled and I'm trying to get TLS working.

I have copied the snakeoil key and cert into the /etc/exim4 folder and set the correct permissions and ownership:

-r--r-----  1 root Debian-exim  1704 Sep 28 20:01 ssl-cert-snakeoil.key
-r--r-----  1 root Debian-exim  1257 Sep 28 20:01 ssl-cert-snakeoil.pem

I have configured these in Exim4.

From a second server I then try and connect to SMTP and start TLS like this:

root@second: ~# telnet mynewserver.net.au 25
Trying xxx.xxx.xxx.xxx...
Connected to mynewserver.net.au.
Escape character is '^]'.
220 mynewserver.net.au ESMTP Exim 4.84_2 Wed, 28 Sep 2016 20:12:12 +1000
ehlo second
250-mynewserver.net.au Hello second [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
454 TLS currently unavailable

And the debug log from mynewserver looks like this:

  665 SMTP>> 250-mynewserver.net.au Hello second [xxx.xxx.xxx.xxx]
  665 250-SIZE 52428800
  665 250-8BITMIME
  665 250-PIPELINING
  665 250-STARTTLS
  665 250 HELP
  665 SMTP<< STARTTLS
  665 initialising GnuTLS as a server
  665 GnuTLS global init required.
  665 initialising GnuTLS server session
  665 Expanding various TLS configuration options for session credentials.
  665 certificate file = '/etc/exim4/ssl-cert-snakeoil.pem'
  665 key file = '/etc/exim4/ssl-cert-snakeoil.key'
  665 LOG: MAIN
  665   TLS error on connection from second (second) [xxx.xxx.xxx.xxx] (cert/key setup: cert='/etc/exim4/ssl-cert-snakeoil.pem' key='/etc/exim4/ssl-cert-snakeoil.key'): Error while reading file.
  665 SMTP>> 454 TLS currently unavailable

I have checked the certificates, that the key and the certificate match, as in the following test where the modulus is the same:

root@mynewserver: exim4# openssl x509 -noout -modulus -in ssl-cert-snakeoil.pem | openssl md5
(stdin)= 4d56fe03bcdc3103788344d0d7a2eb8d
root@mynewserver: exim4# openssl rsa -noout -modulus -in ssl-cert-snakeoil.key | openssl md5
(stdin)= 4d56fe03bcdc3103788344d0d7a2eb8d

I also configured the new server to allow Debian-exim to log in, logged in and was able to view the certificate files without problem.

All of my research has identified problems with the certificates being readable, having correct content, matching up, and having the correct permissions, or being specified in the exim4 configuration correctly. I've covered all of those areas yet still it fails.

Do you have any idea where I should check next?
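The following preflight script is an added diagnostic, not part of the original question and not Exim's own code. It checks the two things the "Error while reading file" message can mean from the SMTP process's point of view: whether the run-as user (Debian-exim, as in the listing above) can actually read each file given its mode and ownership, and whether each file holds a complete PEM block of the expected type (a truncated copy has a BEGIN line but no END line). It evaluates classic mode bits only; POSIX ACLs or an AppArmor profile would need a separate look. The default paths are the snakeoil files from the question; run it as root so the key itself can be opened.

```python
"""Preflight for Exim's "cert/key setup ... Error while reading file".

Added diagnostic, not part of the original question and not Exim's own code.
It checks what the SMTP process sees before GnuTLS loads the files: can the
run-as user (Debian-exim on Debian) read each file according to mode and
ownership, and does each file hold a complete PEM block of the expected
type. Only classic mode bits are evaluated (no ACLs, no AppArmor).
Default paths are the snakeoil files from the question.
"""
import os
import pwd
import re
import stat
import sys

# A complete PEM container: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def readable_by(mode, file_uid, file_gid, uid, gids):
    """POSIX read check as the kernel does it: the owner class applies if the
    uid matches (group/other bits are then ignored), else the group class if
    any of the user's groups matches, else the 'other' class."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def pem_blocks(text):
    """Labels of the complete BEGIN/END blocks found, e.g. ['CERTIFICATE'] or
    ['RSA PRIVATE KEY']. A truncated file (BEGIN without END) yields nothing
    for that block, which is the case worth catching here."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def user_ids(name):
    """uid and the full group set (primary + supplementary) of a user."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))


def check_file(path, uid, gids, expect_label):
    """Return a list of problems (empty means OK) for one cert/key file."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: cannot stat: {e.strerror}"]
    mode = stat.S_IMODE(st.st_mode)
    if not readable_by(mode, st.st_uid, st.st_gid, uid, gids):
        return [f"{path}: not readable by uid {uid} "
                f"(mode {mode:04o}, owner {st.st_uid}:{st.st_gid})"]
    try:
        with open(path, "r", errors="replace") as fh:
            labels = pem_blocks(fh.read())
    except OSError as e:
        return [f"{path}: cannot open as uid {os.geteuid()}: {e.strerror}"]
    problems = []
    if not any(expect_label in label for label in labels):
        problems.append(f"{path}: no complete PEM block of type "
                        f"'{expect_label}' (found {labels or 'none'})")
    # The key must be readable by the daemon user, but never by everyone.
    if expect_label == "PRIVATE KEY" and mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{path}: private key is world-accessible (mode {mode:04o})")
    return problems


def preflight(cert, key, user="Debian-exim"):
    """All problems found for the cert/key pair as seen by `user`."""
    uid, gids = user_ids(user)
    return (check_file(cert, uid, gids, "CERTIFICATE")
            + check_file(key, uid, gids, "PRIVATE KEY"))


if __name__ == "__main__":
    cert = sys.argv[1] if len(sys.argv) > 1 else "/etc/exim4/ssl-cert-snakeoil.pem"
    key = sys.argv[2] if len(sys.argv) > 2 else "/etc/exim4/ssl-cert-snakeoil.key"
    found = preflight(cert, key)
    print("\n".join(found) if found else "cert and key look usable by Debian-exim")
    sys.exit(1 if found else 0)
```

Usage: `python3 preflight.py /etc/exim4/exim.crt /etc/exim4/exim.key` as root; a non-zero exit with a printed reason means GnuTLS will fail for that reason too, while a clean exit narrows the search to the Exim configuration (which file names it was actually told to load).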


Solution 1:

It has a literal meaning - it really cannot read the [certificate] file. I tried adding various entries to my configuration file like:

tls_certificate=xxx.crt
tls_privatekey=xxx.key

and

MAIN_TLS_CERTIFICATE=xxx.crt
MAIN_TLS_PRIVATEKEY=xxx.key

But none of these appear to work. By default exim4 looks for CONFIGDIR/exim.crt and CONFIGDIR/exim.key (CONFIGDIR is /etc/exim4 in my case).

So, copy your certificate and key to these two file names. Remove all of the configuration entries you previously added, so that exim4 will look for the default entries without any distraction. Ensure your certificate and key are readable by exim4:

  1. Set the group to Debian-exim (chgrp Debian-exim exim.*)
  2. Set the group read permission on (chmod g+r exim.*)
  3. Restart exim4
  4. I then used checktls.com to ensure the TLS and certificate were working correctly.

HTH
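To do the final verification step locally instead of through checktls.com, here is an added STARTTLS probe (example code, not from the original post, not checktls.com and not Exim code). It runs the same EHLO / STARTTLS exchange the question shows with telnet, but then completes the TLS handshake and reports the SHA-256 fingerprint of the certificate the server actually served, which can be compared with `openssl x509 -noout -fingerprint -sha256 -in /etc/exim4/exim.crt` on the mail host. A 454 is reported as a code, so "advertised but broken" is told apart from "not advertised at all". The host name defaults to the one in the question; port 25 and the EHLO name `probe.invalid` are assumptions.

```python
"""STARTTLS probe for an SMTP server, added as an example (not from the
original post, not from checktls.com and not Exim code). Runs EHLO, checks
the STARTTLS keyword, issues STARTTLS, completes the handshake and reports
the certificate actually served. Host defaults to the one in the question;
port 25 and the EHLO name are assumptions.
"""
import hashlib
import socket
import ssl
import sys


def parse_reply(data):
    """Split an SMTP reply into (code, [text lines]). Multi-line replies use
    'NNN-' on continuation lines and 'NNN ' on the last line."""
    lines = [l for l in data.decode("ascii", "replace").split("\r\n") if l]
    return int(lines[-1][:3]), [l[4:] for l in lines]


def read_reply(f):
    """Read one complete reply from a file-like object over the socket."""
    buf = b""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        buf += line
        if line[3:4] == b" ":
            return parse_reply(buf)


def advertises_starttls(caps):
    """EHLO keywords are case-insensitive, so compare upper-cased."""
    return any(c.split()[0].upper() == "STARTTLS" for c in caps if c)


def starttls_probe(host, port=25, helo="probe.invalid", timeout=10):
    """Return a dict: 'ehlo' (keywords), 'starttls' (reply code, or None if
    not advertised), and on success 'tls_version' and 'fingerprint'."""
    result = {"ehlo": [], "starttls": None, "tls_version": None, "fingerprint": None}
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        f = sock.makefile("rb")
        code, banner = read_reply(f)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {banner[-1]}")
        sock.sendall(f"EHLO {helo}\r\n".encode())
        code, caps = read_reply(f)
        result["ehlo"] = caps[1:]          # first line is the greeting
        if code != 250 or not advertises_starttls(caps[1:]):
            return result
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        result["starttls"] = code
        if code != 220:                    # e.g. 454 TLS currently unavailable
            return result
        # Probe only: verification is off so a self-signed (snakeoil) cert can
        # still be inspected. Never reuse this context for real mail delivery.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=host)
        result["tls_version"] = tls.version()
        der = tls.getpeercert(binary_form=True)
        result["fingerprint"] = hashlib.sha256(der).hexdigest()
        # EHLO must be repeated after STARTTLS; the keyword list may differ.
        tls.sendall(f"EHLO {helo}\r\n".encode())
        code, caps = read_reply(tls.makefile("rb"))
        result["ehlo"] = caps[1:]
        tls.sendall(b"QUIT\r\n")
    finally:
        (tls or sock).close()
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mynewserver.net.au"
    r = starttls_probe(host)
    if r["starttls"] is None:
        print("STARTTLS not advertised; EHLO keywords:", r["ehlo"])
    elif r["starttls"] != 220:
        print(f"STARTTLS refused with {r['starttls']}: check cert/key on the server")
    else:
        print(f"{r['tls_version']} established; server cert sha256 {r['fingerprint']}")
```

Run it from the second host (`python3 starttls_probe.py mynewserver.net.au`). A 454 here is the same condition as in the question; once the files are in place a TLS version and a fingerprint should appear, and the fingerprint should match the exim.crt you installed rather than some other certificate exim found first.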