[colug-432] qmail SSL using wrong certificate
Rick Troth
rmt at casita.net
Wed Jan 2 18:25:54 EST 2013
On Wed, Jan 2, 2013 at 5:23 PM, Robert Grimm <robertgrimm at gmail.com> wrote:
> Are there any qmail experts here? I'm trying to set up a new server with it
QMail expert, not me.
> on Debian 6. I had everything working with a self-signed certificate. I'm
> trying to install a new certificate from a certificate authority. I replaced
> the old .pem file with the new one in /var/qmail/control, like all the
> guides say to do. I made sure the ownership and permissions matched the old
> certificate. The problem now is that it is still using the old certificate.
SELinux in place?
(But that would more likely give you NO cert than the OLD cert.)
> It refuses to use the new one. Thunderbird complains that the server has an
> unknown identity and shows me the information from the old certificate. It
> acts like it isn't reading the certificate file, though I know it must be
> because it didn't start listening on the secure ports until I copied the
> local key into it. I'm using the certificate that I downloaded directly from
> digicert.com with the server's private key at the beginning. What am I doing
> wrong? How can I get it to use the correct certificate?
This is a flag: server's private key paired with something downloaded.
The certificate (self signed or otherwise) should have only the
*public* key, not the private.
I don't know DigiCert, but would expect what you download to be a
properly formed certificate.
How does the private key get there? Are you appending things? (or
was it just a typo?)
You can probably eyeball the cert they give you with ...
openssl asn1parse -inform pem -in /the/downloaded/PEM/file
You should see things you recognize, and also a bit string following
the "rsaEncryption" OID that roughly matches the key size. (Where a
1024 bit key will be 128 bytes of "modulus" plus a little for the
exponent and ASN.1 structure.) The X.509 stuff is a pain to learn.
(And is loads of bloat even after you start to recognize usable
patterns.)
I hope this helps.
> Robert Grimm
> Voice only: (614) 212-4625
> http://www.datablitz.net
> http://www.grimmphotography.com
--
-- R; <><
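As an added example (not code from this thread or from qmail), a stdlib-only Python script that does offline roughly what the asn1parse eyeballing above does: it lists the PEM blocks in the control file in order, flags whether a PRIVATE KEY block is present, and reports the RSA modulus size found after the rsaEncryption OID. The sample_spki/pem_wrap helpers build a constructed SubjectPublicKeyInfo so the scanner can be tried without a real certificate; on a real file, pass the file's text to inspect_pem.

```python
import base64
import re
# One PEM block: label (CERTIFICATE, RSA PRIVATE KEY, ...) and its base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1, rsaEncryption

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first value byte)."""
    n = 0 if buf[i] < 0x80 else buf[i] & 0x7F  # long form: next n bytes hold the length
    return (buf[i] if not n else int.from_bytes(buf[i + 1:i + 1 + n], "big")), i + 1 + n

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus following the rsaEncryption OID, or None if absent."""
    pos = der.find(RSA_OID)
    if pos < 0:
        return None
    i = pos + len(RSA_OID)
    i += 2 if der[i:i + 2] == b"\x05\x00" else 0  # skip the AlgorithmIdentifier's NULL params
    for tag in (0x03, 0x30, 0x02):  # BIT STRING, SEQUENCE { modulus, exponent }, INTEGER
        if der[i] != tag:
            return None
        n, i = der_len(der, i + 1)
        if tag == 0x03:
            i += 1  # BIT STRING value starts with an "unused bits" byte
    return int.from_bytes(der[i:i + n], "big").bit_length()

def inspect_pem(text):
    """Summarise a PEM file: block labels in order, private-key presence, cert key sizes."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]
    return {"labels": [lbl for lbl, _ in blocks],
            "has_private_key": any("PRIVATE KEY" in lbl for lbl, _ in blocks),
            "cert_key_bits": [rsa_modulus_bits(der) for lbl, der in blocks if lbl == "CERTIFICATE"]}

def pem_wrap(label, der):
    """Wrap DER bytes in a PEM block (used below to build a constructed sample)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def der_tlv(tag, value):
    """Constructed-sample helper: DER tag + length (short or long form) + value."""
    n = len(value)
    size = 0 if n < 0x80 else (n.bit_length() + 7) // 8
    head = bytes([n]) if not size else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(modulus, exponent=65537):
    """Constructed SubjectPublicKeyInfo (not a real key) standing in for a certificate's key."""
    uint = lambda v: der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")
    key = der_tlv(0x30, uint(modulus) + uint(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))
```

A file that lists "RSA PRIVATE KEY" before "CERTIFICATE" is the key-plus-cert layout the original post describes; a CERTIFICATE entry whose key size does not match the key you generated is a sign the wrong certificate was pasted in.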