Mailing List Archive

present client certificate on server->server connection
Dear list

I try to set tls_certificate and tls_privatekey in remote smtp transport
in order to instruct exim to present a client certificate on a
connection made to another server. I get an error saying:

2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
ts6.checktls.com [104.131.23.181] (cert/key setup:
cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
reading file.

This error is rather clear but I am still unable to resolve the problem.

I tried as user Debian-exim to cat both files which worked. I tried to
reference a copy in /etc/exim4 which made the error go away, but remote
servers do not get to see my client cert – at least this is what
checktls.com Test Sender TLS reports:
[...]
====tls negotiation successful (cypher: AES128-GCM-SHA256)
client cert:
Subject Name: undefined
Issuer Name: undefined
~~> EHLO ente.limmat.ch
[...]

Since I use the same certificate and private key file for exim as a
server and that works well, I do not think the files have a problem
(they are in fact symbolic links pointing to the latest
fullchain-XXX.pem and privatekey-XXX.pem files).

This is Exim 4.84 from Devuan Jessie.

What am I missing?

Thank you for your help.

Best regards, Adrian Zaugg.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: present client certificate on server->server connection
On 01.06.2018 at 02:05, Adrian Zaugg via Exim-users wrote:
> 2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
> ts6.checktls.com [104.131.23.181] (cert/key setup:
> cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
> key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
> reading file.
>
> This error is rather clear but I am still unable to resolve the problem.
>
> Since I use the same certificate and private key file for exim as a
> server and that works well, I do not think the files do have a problem
> (they are in fact symbolic links pointing to the latest
> fullchain-XXX.pem and privatekey-XXX.pem files).
>
> This is Exim 4.84 from Devuan Jessie.
>
> What am I missing?
>

Access rights.

[root@s120 ~]# pathdiscover /etc/pki/tls/certs/exim.pem

'/etc/pki/tls/certs/exim.pem' translates to
'/etc/httpd/letsencrypt/certs/sXXX.resellerdesktop.de/fullchain-1523399871.pem'

  4294 Bytes  root/exim -rw-r----- : fullchain-1523399871.pem ( regular file )   <--- EXIM Group
 12288 Bytes  root/exim drwxr-xr-x : sXXX.resellerdesktop.de  ( directory )      <--- EXIM Group
  4096 Bytes  root/root drwxr-xr-x : certs                    ( directory )
  4096 Bytes  root/root drwxr-xr-x : letsencrypt              ( directory )
  4096 Bytes  root/root drwxr-xr-x : httpd                    ( directory )
 12288 Bytes  root/root drwxr-xr-x : etc                      ( directory )

Get your copy from here: https://github.com/Cyborgscode/pathdiscovery


best regards,
Marius

Re: present client certificate on server->server connection
Hi Marius

On 01.06.18 15:16, Cyborg via Exim-users wrote:
> Access rights.

This was my first guess and I checked it, as I wrote:
I tried as the user Debian-exim under which Exim runs to cat both files,
that worked. And Exim uses the same files as a server, so it can read them.

Does the code for the client certs not like symbolic links?

Thanks for helping!

Regards, Adrian.

Re: present client certificate on server->server connection
Hi,
Adrian Zaugg via Exim-users <exim-users@exim.org> (Fri 01 Jun 2018 02:05:04 CEST):
>
> I try to set tls_certificate and tls_privatekey in remote smtp transport
> in order to instruct exim to present a client certificate on a
> connection made to another server. I get an error saying:
>
> 2018-06-01 00:22:34 1fOVxp-0005XP-S0 TLS error on connection to
> ts6.checktls.com [104.131.23.181] (cert/key setup:
> cert=/etc/ssl/letsencrypt/ente.limmat.ch/fullchain.pem
> key=/etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem): Error while
> reading file.

> I tried as user Debian-exim to cat both files which worked. I tried to

Did you try to cat the full path with a working directory of '/':

cd /
sudo -u Debian-exim cat /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem

? I guess you've got restrictions on some directory on the way down to the
file Exim needs to read. All directories need to have at least x
permissions for the Exim runtime user (Debian-exim in your case).


> reference a copy in /etc/exim4 which made the error go away, but remote
> servers do not get to see my client cert – at least this is what
> checktls.com Test Sender TLS reports:


We are at 4.91; I'm not sure if Devuan backports the security
fixes. Please check.
>
> What am I missing?

The certificate/key you use as a server are configured in the
main options tls_certificate and tls_privatekey. These options _do not
apply_ to the transport, where Exim acts as a client.
To have Exim use a cert as a client, you need to set the transport
options (having the same name).


begin transports

remote_smtp:
  driver = smtp
  tls_certificate = …
  tls_privatekey = …

PS: I do not know if and how your ACME client supports "hooks", actions
that are executed after getting a fresh certificate. I use "dehydrated"
as ACME client and do the following:

[once at setup]
mkdir /var/lib/exim4
touch /var/lib/exim4/ssl.pem
chown Debian-exim: /var/lib/exim4/ssl.pem

[hook, executed after getting the cert]
cat privkey.pem fullchain.pem > /var/lib/exim4/ssl.pem

Yes, just into one file. Read the doc about tls_certificate and
tls_privatekey: the latter doesn't need to be set if the file referenced
by tls_certificate contains both the key and the cert (the order does not
matter).

And, no need to restart/reload Exim, as the certs are accessed on
demand.

HTH.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
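The permission walk Heiko describes, as an added example that is not part of the thread or of Exim: it checks every directory on the way to the cert/key for the x bit and the file for the r bit, as the named runtime user would see them, following symlinks as `readlink -f` does. It assumes GNU coreutils (`readlink -f`, `stat -c`); `Debian-exim` is only the Debian/Devuan default user name from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a cert/key path the way the Exim
# runtime user would open it. Every directory along the path needs x, the file
# needs r, symlinks are followed. The verdict comes from the mode bits alone,
# so it also works when run as root. Assumes GNU coreutils (readlink, stat).

# has_bit USER PATH r|x  -> succeeds if USER has that bit on PATH
has_bit() {
    user=$1; path=$2; bit=$3
    owner=$(stat -c %U -- "$path") || return 1
    group=$(stat -c %G -- "$path")
    mode=$(stat -c %A -- "$path")          # e.g. -rw-r-----
    if [ "$owner" = "$user" ]; then pos=2  # owner triplet starts at char 2
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then pos=5
    else pos=8; fi                         # "other" triplet
    [ "$bit" = x ] && pos=$((pos + 2))
    c=$(printf '%s' "$mode" | cut -c "$pos")
    case "$bit$c" in rr|xx|xs|xt) return 0 ;; *) return 1 ;; esac
}

# can_user_read USER PATH -> prints "OK ..." or the first blocking component.
# Both the path as written and the resolved symlink target are walked: Exim
# needs x on the directories holding the link and on those holding the file.
can_user_read() {
    user=$1; given=$2
    case $given in /*) ;; *) given=$PWD/$given ;; esac
    real=$(readlink -f -- "$given") || { echo "no such path: $given"; return 1; }
    for f in "$given" "$real"; do
        d=$(dirname -- "$f")
        while :; do
            has_bit "$user" "$d" x || { echo "BLOCKED: $user lacks x on $d"; return 1; }
            [ "$d" = / ] && break
            d=$(dirname -- "$d")
        done
    done
    has_bit "$user" "$real" r || { echo "BLOCKED: $user cannot read $real"; return 1; }
    echo "OK: $user can read $real"
}

# describe_path PATH -> owner/group/mode of each component, leaf first
describe_path() {
    real=$(readlink -f -- "$1") || return 1
    [ "$real" != "$1" ] && printf "'%s' translates to '%s'\n" "$1" "$real"
    p=$real
    while :; do
        stat -c '%10s Bytes  %U/%G %A : %n (%F)' -- "$p"
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
}
```

Run it as `can_user_read Debian-exim /etc/ssl/letsencrypt/ente.limmat.ch/privkey.pem`; a BLOCKED line names the directory or file whose mode bits stop the runtime user, which is what the transport's "Error while reading file." hides.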
Re: present client certificate on server->server connection
After some testing I found:

tls_certificate and tls_privatekey in the transport section and in the
main configuration do not behave the same as regards file access, at
least in 4.84_2:

In contrast to the transport section, in the main configuration it
- works with symlinks along the way
- works with certs/keys outside exim's confdir
Both provoke the error "Error while reading file." for the option
appearing in the smtp transport.

(Furthermore checktls.com's TestSender page does not recognize a client
cert properly, it seems to always write "Subject Name: undefined").

Is this behaviour the same in 4.91+? Is there a reason for the option to
behave differently?

Thanks, Adrian.
Re: present client certificate on server->server connection
Adrian Zaugg via Exim-users <exim-users@exim.org> (Sun 03 Jun 2018 02:16:02 CEST):
>
> After some testing I found:
>
> tls_certificate and tls_privatekey in the transport section and in the
> main configuration do not behave the same what concerns file access, at
> least in 4.84_2:
>
> In opposition to the transport section in the main configuration it
> - works with symlinks along the way
> - works with certs/keys outside exim's confdir

In both sections it should behave the same way and I'm not aware of
anything that e.g. deals with Exim's config directory there.

In both cases the Exim runtime user (Debian-exim on Debian based
systems) should be used to access the files, and it should not matter
if the filenames referenced in the configuration are symbolic links or
plain files.

Did you do the check I suggested?

cd /
sudo -u Debian-exim openssl x509 -in <path to the cert> -noout -text
sudo -u Debian-exim openssl rsa -in <path to the key> -noout -text

??

> Both provoke the error "Error while reading file." for the option
> appearing in the smtp transport.

Do you use the 'user' option in your smtp transport that uses the
certificates?

> (Furthermore checktls.com's TestSender page does not recognize a client
> cert properly, it seems to always write "Subject Name: undefined").

This leads me to the above test (using openssl to check
the certs) again.

And, are your certs issued by a known (public) CA? I can imagine that
checktls.com only accepts certs from a valid CA. Do you need to send the
intermediate certs? If you've put them into the cert file, in which
order did you put them?

Please note, the above paragraph contains more than 1 question :)

> Is this behaviour the same in 4.91+? Is there a reason for the option to
> behave differently?

If they behave differently, then there is no reason. I can check it, but
please, first, answer the above questions and run the tests I suggested.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann