List:       exim-users
Subject:    Re: [exim] renewing the SSL certificate doesn't work
From:       Viktor Dukhovni via Exim-users <exim-users () exim ! org>
Date:       2023-02-27 13:27:10
Message-ID: Y/yvrrsv2z2Iv38/ () straasha ! imrryr ! org

On Mon, Feb 27, 2023 at 10:21:56AM +0000, Gary Stainburn via Exim-users wrote:

>    generated-private-key.txt
> 
>    inflating: 27eff7f9e735cb3f.crt
>    inflating: 27eff7f9e735cb3f.pem

> The exim.conf file includes
> 
>    tls_privatekey  = /etc/pki/tls/certs/ringways.co.uk.key
>    tls_certificate = /etc/pki/tls/certs/exim.pem
> 
> I copied generated-private-key.txt to /etc/pki/tls/certs/ringways.co.uk.key

Correct.

> I copied 27eff7f9e735cb3f.crt to /etc/pki/tls/certs/exim.pem

I rather expect you should have copied the "27eff7f9e735cb3f.pem" file,
not the ".crt" file, which is likely a binary "DER" file.

To test whether the key is well-formed and matches the certificate:

    pkeyfile=/some/where/generated-private-key.txt
    certfile=/some/where/27eff7f9e735cb3f.pem

    openssl pkey -in "$pkeyfile" -pubout -outform DER |
      openssl dgst -sha256 -binary | xxd -p -c32

    openssl x509 -in "$certfile" -noout -pubkey |
      openssl pkey -pubin -pubout -outform DER |
      openssl dgst -sha256 -binary | xxd -p -c32

Neither command should output any error messages, and the output of both
should be the same (SHA256 fingerprint of the DER public key).

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
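
The check from the reply above, wrapped as a reusable script. This is an added example, not part of the original message: the function names are hypothetical, and `od` stands in for `xxd` so that only `openssl` and POSIX tools are needed. It also reports whether the certificate file is PEM or DER, the distinction raised in the reply, and reads either encoding.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths come from the caller.

# Hex SHA-256 of the DER public key (SubjectPublicKeyInfo) read on stdin.
spki_hash() {
    openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n'
}

# Report the certificate encoding by looking for the PEM armor line.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Fingerprint of the public key derived from a private key file.
key_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -pubout -outform DER | spki_hash
}

# Fingerprint of the public key embedded in a PEM or DER certificate.
cert_fp() {
    form=$(cert_format "$1")
    pub=$(openssl x509 -in "$1" -inform "$form" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -pubout -outform DER | spki_hash
}

# Exit status: 0 = key and certificate match, 1 = mismatch, 2 = unreadable input.
key_matches_cert() {
    k=$(key_fp "$1") || { echo "cannot read key: $1" >&2; return 2; }
    c=$(cert_fp "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    [ "$k" = "$c" ]
}

# Usage: sh check.sh <private-key-file> <certificate-file>
if [ "$#" -eq 2 ]; then
    echo "certificate format: $(cert_format "$2")"
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: mismatch or unreadable input"
        exit 1
    fi
fi
```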
