Mailing List Archive

renewing the SSL certificate doesn't work
Hello everyone.

I've just purchased a new SSL certificate as my previous one expired
last night.  As I got a new SHA-2 certificate, it came with a new
private key and a new bundle.

The files that were generated were:

  generated-csr.txt
  generated-private-key.txt

The files I received are:

  inflating: sf_bundle-g2-g1.crt
  inflating: 27eff7f9e735cb3f.crt
  inflating: 27eff7f9e735cb3f.pem

The exim.conf file includes

  tls_privatekey  = /etc/pki/tls/certs/ringways.co.uk.key
  tls_certificate = /etc/pki/tls/certs/exim.pem


I copied generated-private-key.txt to /etc/pki/tls/certs/ringways.co.uk.key
I copied 27eff7f9e735cb3f.crt to /etc/pki/tls/certs/exim.pem

However, when I install the new files I get SSL errors.

TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
(SSL_CTX_use_PrivateKey_file
file=/etc/pki/tls/certs/ringways.co.uk.key): error:0906D06C:PEM
routines:PEM_read_bio:no start line

I seem to remember in the past that I had to merge the certificate with
the bundle, so I did that too, but I still get the above error.

Can anyone point me at the best instructions on how to do this correctly.

Cheers

Gary

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: renewing the SSL certificate doesn't work
On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:
>
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14] (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key): error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> I seem to remember in the past that I had to merge the certificate with the bundle, so I did that too, but I still get the above error.

The error notes specifically the private-key file, so the bundle
is not the issue.

What does the file look like (do NOT post the whole thing publicly!)?


The first couple of lines should be, for the expected format, something like

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqh...

and there should be a line

-----END PRIVATE KEY-----

after the block of ascii-ized binary data.

--
Cheers,
Jeremy


Re: renewing the SSL certificate doesn't work
Hi Jeremy,

I did suspect this, but the private key is in the correct format.

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfHGSy2Xa86a6u
[24 extra lines]
teQhR4s9S0uGkQ5UJMz51JY=
-----END PRIVATE KEY-----

Also, carrying out the same process for the Apache server on my web
server, using the same certificate, bundle, and private key has worked fine.

Gary

On 27/02/2023 10:52, Jeremy Harris via Exim-users wrote:
> On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:
>>
>> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
>> (SSL_CTX_use_PrivateKey_file
>> file=/etc/pki/tls/certs/ringways.co.uk.key): error:0906D06C:PEM
>> routines:PEM_read_bio:no start line
>>
>> I seem to remember in the past that I had to merge the certificate
>> with the bundle, so I did that too, but I still get the above error.
>
> The error notes specifically the private-key file, so the bundle
> is not the issue.
>
> What does the file look like (do NOT post the whole thing publicly!)?
>
>
> The first couple of lines should be, for the expected format, something
> like
>
>    -----BEGIN PRIVATE KEY-----
>    MIIEvAIBADANBgkqh...
>
> and there should be a line
>
>    -----END PRIVATE KEY-----
>
> after the block of ascii-ized binary data.
>

Re: renewing the SSL certificate doesn't work
On 27/02/2023 11:15, Gary Stainburn via Exim-users wrote:
> I did suspect this, but the private key is in the correct format.

Try running Exim with debug; does it give any further hint?

Check the file ownership & permissions, also.
--
Cheers,
Jeremy


Re: renewing the SSL certificate doesn't work
Gary Stainburn via Exim-users <exim-users@exim.org> (Mon 27 Feb 2023 11:21:56 CET):
>
> However, when I install the new files I get SSL errors.
>
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
> (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key):
> error:0906D06C:PEM routines:PEM_read_bio:no start line

Try

openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

It should read the key. If it works, try the same as the Exim runtime
user:

sudo -u $(exim -n -bP exim_user) openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

Both commands must not produce any error message; in fact, they must not
produce any output at all.

--
Heiko
Re: renewing the SSL certificate doesn't work
On Mon, Feb 27, 2023 at 10:21:56AM +0000, Gary Stainburn via Exim-users wrote:

>   generated-private-key.txt
>
>   inflating: 27eff7f9e735cb3f.crt
>   inflating: 27eff7f9e735cb3f.pem

> The exim.conf file includes
>
>   tls_privatekey  = /etc/pki/tls/certs/ringways.co.uk.key
>   tls_certificate = /etc/pki/tls/certs/exim.pem
>
> I copied generated-private-key.txt to /etc/pki/tls/certs/ringways.co.uk.key

Correct.

> I copied 27eff7f9e735cb3f.crt to /etc/pki/tls/certs/exim.pem

I rather expect you should have copied the "27eff7f9e735cb3f.pem" file,
not the ".crt" file, which is likely a binary "DER" file.

To test whether the key is well-formed and matches the certificate:

pkeyfile=/some/where/generated-private-key.txt
certfile=/some/where/27eff7f9e735cb3f.pem

openssl pkey -in "$pkeyfile" -pubout -outform DER |
openssl dgst -sha256 -binary | xxd -p -c32

openssl x509 -in "$certfile" -noout -pubkey |
openssl pkey -pubin -pubout -outform DER |
openssl dgst -sha256 -binary | xxd -p -c32

Neither command should output any error messages, and the output of both
should be the same (SHA256 fingerprint of the DER public key).

--
Viktor.

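The checks suggested across this thread (Jeremy's look at the PEM armour and file permissions, Heiko's "parse it as the Exim runtime user" test, and Viktor's public-key fingerprint comparison together with his hypothesis that the .crt is a binary DER file), combined into one script. This is an added example, not code from the thread or from the Exim project. It assumes only the openssl CLI and a POSIX shell; every path is a placeholder supplied by the caller, and it uses openssl pkey instead of openssl rsa so it also works for non-RSA keys. It goes one step beyond the thread in that it classifies each file first, so a DER certificate is accepted for the comparison and a "no start line" key is reported as a format problem rather than as a mismatch.

```shell
#!/bin/sh
# Added example (not from the exim-users thread or the Exim project):
# sanity-check an Exim tls_privatekey / tls_certificate pair before
# restarting the daemon. Needs only the openssl CLI. All paths are
# placeholders supplied by the caller.
set -u

# Classify a file the way OpenSSL's PEM reader will see it:
#   pem        - a "-----BEGIN ...-----" line at column 0
#   broken-pem - BEGIN present but not at line start (UTF-8 BOM,
#                indentation, leading junk); this is what yields
#                "PEM routines:PEM_read_bio:no start line"
#   der        - no PEM armour but valid DER ASN.1 (e.g. a binary .crt)
#   unknown    - neither: wrong file, empty, or truncated
pem_or_der() {
    if grep -q '^-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo broken-pem
    elif openssl asn1parse -inform DER -in "$1" >/dev/null 2>&1; then
        echo der
    else
        echo unknown
    fi
}

# Map the classification onto openssl's -inform value; fail otherwise.
inform_of() {
    case $(pem_or_der "$1") in
        pem) echo PEM ;;
        der) echo DER ;;
        *)   return 1 ;;
    esac
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key.
# Written to a temp file first so a parse failure cannot silently turn
# into the hash of an empty stream (which two broken files would share).
pubkey_fpr_from_key() {
    inform=$(inform_of "$1") || return 1
    tmp=$(mktemp) || return 1
    if ! openssl pkey -inform "$inform" -in "$1" -pubout -outform DER \
            -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    openssl dgst -sha256 "$tmp" | sed 's/^.*= //'
    rm -f "$tmp"
}

# Same fingerprint, taken from the leaf certificate instead.
pubkey_fpr_from_cert() {
    inform=$(inform_of "$1") || return 1
    tmp=$(mktemp) || return 1
    if ! openssl x509 -inform "$inform" -in "$1" -noout -pubkey 2>/dev/null |
            openssl pkey -pubin -pubout -outform DER -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    openssl dgst -sha256 "$tmp" | sed 's/^.*= //'
    rm -f "$tmp"
}

# 0: same public key; 1: different key (cert not issued for this key);
# 2: at least one file could not be parsed at all.
key_matches_cert() {
    k=$(pubkey_fpr_from_key "$1") || return 2
    c=$(pubkey_fpr_from_cert "$2") || return 2
    [ "$k" = "$c" ]
}

# Rewrite a DER certificate as PEM, which is what tls_certificate expects.
cert_der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Parse the key as another account (e.g. the Exim runtime user).
# Exit 0 with no output is the only good answer.
key_readable_as() {
    sudo -u "$1" openssl pkey -in "$2" -noout
}

# Human-readable verdict for one key/cert pair.
check_pair() {
    printf 'key  %s: %s\n' "$1" "$(pem_or_der "$1")"
    printf 'cert %s: %s\n' "$2" "$(pem_or_der "$2")"
    rc=0; key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo 'OK: certificate public key matches the private key' ;;
        1) echo 'MISMATCH: certificate was not issued for this key' ;;
        *) echo 'UNPARSEABLE: fix the file format first (see above)' ;;
    esac
    return "$rc"
}

# Usage: sh check-exim-tls.sh KEYFILE CERTFILE
if [ $# -ge 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it against the files you are about to install, not the ones already in /etc/pki/tls/certs, then repeat the key_readable_as step with the user printed by "exim -n -bP exim_user" so that a permission problem shows up before the daemon is restarted. Note that the "no start line" error in the original report names the key file, so the classification line for the key is the first thing to read in the output.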