[colug-432] qmail SSL using wrong certificate

Rick Troth rmt at casita.net
Wed Jan 2 18:25:54 EST 2013


On Wed, Jan 2, 2013 at 5:23 PM, Robert Grimm <robertgrimm at gmail.com> wrote:
> Are there any qmail experts here? I'm trying to set up a new server with it

QMail expert, not me.

> on Debian 6. I had everything working with a self-signed certificate. I'm
> trying to install a new certificate from a certificate authority. I replaced
> the old .pem file with the new one in /var/qmail/control, like all the
> guides say to do. I made sure the ownership and permissions matched the old
> certificate. The problem now is that it is still using the old certificate.

SELinux in place?
(But that would more likely give you NO cert than the OLD cert.)

> It refuses to use the new one. Thunderbird complains that the server has an
> unknown identity and shows me the information from the old certificate. It
> acts like it isn't reading the certificate file, though I know it must be
> because it didn't start listening on the secure ports until I copied the
> local key into it. I'm using the certificate that I downloaded directly from
> digicert.com with the server's private key at the beginning. What am I doing
> wrong? How can I get it to use the correct certificate?

This is a flag: server's private key paired with something downloaded.

The certificate (self signed or otherwise) should have only the
*public* key, not the private.

I don't know DigiCert, but would expect what you download to be a
properly formed certificate.

How does the private key get there?  Are you appending things?  (or
was it just a typo?)

You can probably eyeball the cert they give you with ...

        openssl asn1parse -inform pem -in /the/downloaded/PEM/file

You should see things you recognize, and also a bit string following
the "rsaEncryption" OID that roughly matches the key size.  (Where a
1024 bit key will be 128 bytes of "modulus" plus a little for the
exponent and ASN.1 structure.)  The X.509 stuff is a pain to learn.
(And is loads of bloat even after you start to recognize usable
patterns.)

I hope this helps.

> Robert Grimm
> Voice only: (614) 212-4625
> http://www.datablitz.net
> http://www.grimmphotography.com



-- 
-- R;   <><
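Added example, not part of the original thread and not the list's or anyone's production code: the inventory Rick suggests doing by eye with openssl asn1parse, done in Python with only the standard library. It lists the PEM blocks in a file in order (a bundle downloaded from a CA should contain only CERTIFICATE blocks; a PRIVATE KEY block in it is the flag Rick raises), walks the DER far enough to decode OIDs and find the rsaEncryption OID, reports the size of the largest INTEGER (the RSA modulus: 128 bytes for a 1024-bit key, plus one leading zero byte in DER), and checks that the modulus in the private key block matches the one in the certificate. The sample bundle is constructed in the script itself with a hand-built, unsigned certificate-shaped DER and a fake key; it is not a real certificate or key, and the file layout, function names and the 1024-bit size are assumptions for the demonstration.

```python
"""PEM bundle inventory: block labels, OIDs, RSA modulus size, key/cert match.

Standard library only.  The sample bundle is constructed here for the demo
(fake key, unsigned certificate-shaped DER); it is not a real certificate.
"""
import base64
import re

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"            # PKCS#1 rsaEncryption
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # same OID, DER content
OID_SHA256_RSA = OID_RSA[:-1] + b"\x0b"                # sha256WithRSAEncryption


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    pat = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
    return [(label, base64.b64decode("".join(body.split()))) for label, body in pat.findall(text)]


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def der_walk(buf, start=0, end=None, depth=0):
    """Yield (depth, tag, value) for each TLV.  Descends into constructed types,
    into a BIT STRING that wraps a SEQUENCE (RSAPublicKey inside
    SubjectPublicKeyInfo) and into an OCTET STRING that wraps one (PKCS#8)."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag = buf[pos]
        length, pos = _read_len(buf, pos + 1)
        value = buf[pos:pos + length]
        yield depth, tag, value
        if tag & 0x20:                                              # SEQUENCE, SET, [0] ...
            yield from der_walk(buf, pos, pos + length, depth + 1)
        elif tag == 0x03 and length > 1 and value[0] == 0 and value[1] == 0x30:
            yield from der_walk(buf, pos + 1, pos + length, depth + 1)  # skip unused-bits byte
        elif tag == 0x04 and length > 0 and value[0] == 0x30:
            yield from der_walk(buf, pos, pos + length, depth + 1)
        pos += length


def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER content."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_der(der):
    """Return (decoded OIDs, largest INTEGER).  In a cert or RSA key the largest
    INTEGER is the modulus; serial numbers and exponents are far smaller."""
    oids, biggest = [], 0
    for _, tag, value in der_walk(der):
        if tag == 0x06:
            oids.append(decode_oid(value))
        elif tag == 0x02:
            biggest = max(biggest, int.from_bytes(value, "big"))
    return oids, biggest


def audit_bundle(pem_text):
    """Inventory a PEM file and check the private key (if any) against the first cert."""
    report = {"blocks": [], "has_private_key": False, "key_matches_cert": None}
    cert_mod = key_mod = None
    for label, der in pem_blocks(pem_text):
        oids, modulus = inspect_der(der)
        report["blocks"].append({"label": label, "oids": oids, "modulus_bits": modulus.bit_length()})
        if "PRIVATE KEY" in label:
            report["has_private_key"], key_mod = True, modulus
        elif label == "CERTIFICATE" and cert_mod is None:
            cert_mod = modulus
    if cert_mod is not None and key_mod is not None:
        report["key_matches_cert"] = cert_mod == key_mod
    return report


# --- constructed sample: minimal DER encoder and a fake key + unsigned cert shape ---
def _tlv(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _int(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # DER sign pad


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_sample_bundle(bits=1024):
    """Private key first, then cert: the layout described in the thread (constructed data)."""
    n, e = (1 << (bits - 1)) | 1, 65537                       # fake modulus, real-sized
    rsa_pub = _tlv(0x30, _int(n) + _int(e))
    alg = _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    utc = _tlv(0x17, b"130102000000Z")
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(0x1234) + sig_alg + _tlv(0x30, b"")
               + _tlv(0x30, utc + utc) + _tlv(0x30, b"") + spki)
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 17))   # zero "signature"
    priv = _tlv(0x30, _int(0) + _int(n) + _int(e) + _int(n >> 7))  # PKCS#1 shape, fake d
    return to_pem("RSA PRIVATE KEY", priv) + to_pem("CERTIFICATE", cert)


if __name__ == "__main__":
    for block in audit_bundle(build_sample_bundle())["blocks"]:
        print(block["label"], block["modulus_bits"], "bit modulus;", ", ".join(block["oids"]))
```

On a real file the same three questions apply: does /var/qmail/control/servercert.pem hold a PRIVATE KEY block at all (qmail's TLS patch reads key and cert from one file, so it may), is the first CERTIFICATE block the new one rather than the old, and does the key's modulus match that certificate's. The labels are what openssl asn1parse does not show you directly, and a bundle that still carries the old certificate first is one way to get exactly the symptom in the thread.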

