When I try using the chain.pem generated by letsencrypt, I get the following error:
emailrelay: error: ssl error: SSL_CTX_use_certificate_chain_file
emailrelay: exception: ssl error: SSL_CTX_use_certificate_chain_file
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The rather terse error message is telling you that the OpenSSL function SSL_CTX_use_certificate_chain_file() failed, with the implication that you should consult the OpenSSL documentation for possible failure reasons. Unfortunately the OpenSSL documentation is not brilliant, so google or stackoverflow might be a better bet.
Note that your pem file should contain the complete certificate chain to get to a trusted root CA, ordered from leaf to root, followed by your private key. So for let's encrypt there should be two BEGIN CERTIFICATE sections, followed by one BEGIN RSA PRIVATE KEY section (or equivalent). The first certificate section is the let's encrypt certificate for your public key, and the second certificate section is digicert's certificate for let's encrypt's public key (assuming they still use them as their CA). The OpenSSL library (presumably) trusts digicert as a root CA because their certificate is pre-installed in some trusted part of the filesystem (/etc/ssl/certs).
You should experiment with the openssl tools rather than emailrelay, because emailrelay passes all responsibility for TLS authentication straight through to OpenSSL. In particular, try "openssl s_server", "openssl s_client" and "openssl x509". The x509 tool can be used to dump out sections of a pem file in readable form, using "-in ... -text". Use "man s_server", "man s_client" and "man x509" (on linux) for more details.
The "easy-rsa" script, which is just a wrapper around the openssl tools, is also a nice way of experimenting with certificates.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I've had no problem using a self signed certificate with emailrelay in the past ... I'm just trying to set up emailrelay to use an 'official' certificate.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Actually, a bit more digging and I think I determined that the issue might be related to permissions on the certificate file directory structure.
I changed the permissions on the directories, and now get this error when I try to start emailrelay with the fullchain.pem file from letsencrypt:
emailrelay: error: Main::Run::run: ssl error: SSL_CTX_use_RSAPrivateKey_file
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I'm glad it's working now, but there is no way to specify the two parts separately. (It's easy to do when calling the OpenSSL API, but it would need a disproportionate amount of plumbing to pass through from the command-line.)
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
When I try using the chain.pem generated by letsencrypt, I get the following error:
emailrelay: error: ssl error: SSL_CTX_use_certificate_chain_file
emailrelay: exception: ssl error: SSL_CTX_use_certificate_chain_file
The rather terse error message is telling you that the OpenSSL function SSL_CTX_use_certificate_chain_file() failed, with the implication that you should consult the OpenSSL documentation for possible failure reasons. Unfortunately the OpenSSL documentation is not brilliant, so google or stackoverflow might be a better bet.
Note that your pem file should contain the complete certificate chain to get to a trusted root CA, ordered from leaf to root, followed by your private key. So for let's encrypt there should be two BEGIN CERTIFICATE sections, followed by one BEGIN RSA PRIVATE KEY section (or equivalent). The first certificate section is the let's encrypt certificate for your public key, and the second certificate section is digicert's certificate for let's encrypt's public key (assuming they still use them as their CA). The OpenSSL library (presumably) trusts digicert as a root CA because their certificate is pre-installed in some trusted part of the filesystem (/etc/ssl/certs).
You should experiment with the openssl tools rather than emailrelay, because emailrelay passes all responsibility for TLS authentication straight through to OpenSSL. In particular, try "openssl s_server", "openssl s_client" and "openssl x509". The x509 tool can be used to dump out sections of a pem file in readable form, using "-in ... -text". Use "man s_server", "man s_client" and "man x509" (on linux) for more details.
The "easy-rsa" script, which is just a wrapper around the openssl tools, is also a nice way of experimenting with certificates.
I know that the certificate I'm using is valid ... as it's used in a website (with the same hostname that emailrelay is using).
According to these docs, https://certbot.eff.org/docs/using.html#where-are-my-certificates, the certificate file I'm using includes all the certificates and is the one used with apache's SSLCertificateFile.
I've had no problem using a self signed certificate with emailrelay in the past ... I'm just trying to set up emailrelay to use an 'official' certificate.
Actually, a bit more digging and I think I determined that the issue might be related to permissions on the certificate file directory structure.
I changed the permissions on the directories, and now get this error when I try to start emailrelay with the fullchain.pem file from letsencrypt:
emailrelay: error: Main::Run::run: ssl error: SSL_CTX_use_RSAPrivateKey_file
You need more than the certificate chain in the pem file, you need to add your private key as well (as described above).
Ah! I didn't catch the private key reference.
I catted the full chain & private key into a file and it works fine.
I don't suppose there's a way to specify the cert & private key separetely?
I'm glad it's working now, but there is no way to specify the two parts separately. (It's easy to do when calling the OpenSSL API, but it would need a disproportionate amount of plumbing to pass through from the command-line.)
I figured as much.
I created a script in the certificate renewal process that will append the two together into a new file and restart emailrelay.
Thanks for your help!
david