Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: exim: users

TLS "certificate and the given key do not match"

  

 
exim users RSS feed   Index | Next | Previous | View Threaded


steve at moonglade

Jul 8, 2013, 6:12 AM

Post #1 of 6 (113 views)
Permalink
TLS "certificate and the given key do not match"
I've had TLS running just fine with a self-signed certificate for the last ten years. Last night it finally expired, and I thought I'd pay for a $9 Comodo PositiveSSL certificate from Namecheap. After installing it, I can't connect and authenticate in order to send email. The error is:

2013-07-08 08:48:30 TLS error on connection from xxx.yyy.com ([192.168.1.12]) [xxx.xxx.xxx.xxx] (cert/key setup: cert=/etc/ssl/2013.smtp.moonglade.com.crt+ca key=/etc/ssl/2013.smtp.moonglade.com.key): The certificate and the given key do not match.

As near as I can tell, they do match. Running these commands produces the same hash:

$ openssl x509 -noout -modulus -in 2013.smtp.moonglade.com.crt | openssl md5
$ openssl rsa -noout -modulus -in 2013.smtp.moonglade.com.key | openssl md5

Note that there are intermediate certificates in the crt+ca file, ordered as my cert -> intermediate cert -> CA cert.

Additional data points: I purchased two other certificates at the same time to replace other uses of the expired self-signed cert, and those are working fine in Dovecot and Apache. I swapped one of those in to Exim and received the same error. A PositiveSSL wildcard certificate on a different server and domain, but the same version of Exim, works fine.

This is Exim 4.72-6+squeeze3 (Debian 6). I haven't had an opportunity to upgrade to Wheezy yet. Is this a known problem fixed in 4.80?

--
Steve Madsen <steve [at] moonglade>





--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


graeme at graemef

Jul 9, 2013, 6:22 AM

Post #2 of 6 (105 views)
Permalink
Re: TLS "certificate and the given key do not match" [In reply to]
On 8 Jul 2013, at 14:12, Steve Madsen <steve [at] moonglade> wrote:
> I've had TLS running just fine with a self-signed certificate for the last ten years. Last night it finally expired, and I thought I'd pay for a $9 Comodo PositiveSSL certificate from Namecheap. After installing it, I can't connect and authenticate in order to send email. The error is:
>
> 2013-07-08 08:48:30 TLS error on connection from xxx.yyy.com ([192.168.1.12]) [xxx.xxx.xxx.xxx] (cert/key setup: cert=/etc/ssl/2013.smtp.moonglade.com.crt+ca key=/etc/ssl/2013.smtp.moonglade.com.key): The certificate and the given key do not match.

That comes from the GnuTLS handling code; I would surmise that the permissions on either the certificate or key are too strict and prevent Exim from reading it/them.

Graeme
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


steve at moonglade

Jul 9, 2013, 6:34 AM

Post #3 of 6 (98 views)
Permalink
Re: TLS "certificate and the given key do not match" [In reply to]
On 2013-07-09 13:22, Graeme Fowler wrote:
> That comes from the GnuTLS handling code; I would surmise that the permissions on either the certificate or key are too strict and prevent Exim from reading it/them.

I don't think that's the case here. The permissions were wrong at one time and the error was different. For both the self-signed (working) and issued (not working) certificate/key files, the key is 440 root:Debian-exim, the certificate 644 root:root.

--
Steve Madsen <steve [at] moonglade>





--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


steve at moonglade

Jul 9, 2013, 7:58 AM

Post #4 of 6 (99 views)
Permalink
Re: TLS "certificate and the given key do not match" [In reply to]
On 2013-07-09 13:22, Graeme Fowler wrote:
> That comes from the GnuTLS handling code; I would surmise that the permissions on either the certificate or key are too strict and prevent Exim from reading it/them.

For anyone that runs across this thread in the future, I have solved the problem and is it ever maddening.

GNU TLS was choking on the contents of the certificate file because pasting them from an email added an extra space at the end of each line. I removed the spaces and Exim is happily using the certificate and key.

Graeme, thanks for the push towards GNU TLS. There was just enough chatter about how GNU TLS is more strict than OpenSSL for me to ultimately discover the root cause.

--
Steve Madsen <steve [at] moonglade>





--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


dwmw2 at infradead

Jul 22, 2013, 4:02 AM

Post #5 of 6 (81 views)
Permalink
Re: TLS "certificate and the given key do not match" [In reply to]
On Tue, 2013-07-09 at 10:58 -0400, Steve Madsen wrote:
> For anyone that runs across this thread in the future, I have solved
> the problem and is it ever maddening.
>
> GNU TLS was choking on the contents of the certificate file because
> pasting them from an email added an extra space at the end of each
> line. I removed the spaces and Exim is happily using the certificate
> and key.
>
> Graeme, thanks for the push towards GNU TLS. There was just enough
> chatter about how GNU TLS is more strict than OpenSSL for me to
> ultimately discover the root cause.

Have you reported this as a bug upstream to GnuTLS? If OpenSSL accepts
these certs then it would seem sensible for GnuTLS to do so.

If *not*, then you end up with GnuTLS being suboptimal as a replacement
for OpenSSL for projects like Exim, because it doesn't let us remain
backward-compatible with existing setups.

Although you could also work out where the extra space came from, and
ensure you file a bug for that too. Cutting and pasting from email
shouldn't corrupt the contents.

--
dwmw2
Attachments: smime.p7s (5.61 KB)


nmav at gnutls

Jul 22, 2013, 1:28 PM

Post #6 of 6 (74 views)
Permalink
Re: TLS "certificate and the given key do not match" [In reply to]
On Mon, Jul 22, 2013 at 1:02 PM, David Woodhouse <dwmw2 [at] infradead> wrote:
>> Graeme, thanks for the push towards GNU TLS. There was just enough
>> chatter about how GNU TLS is more strict than OpenSSL for me to
>> ultimately discover the root cause.
> Have you reported this as a bug upstream to GnuTLS? If OpenSSL accepts
> these certs then it would seem sensible for GnuTLS to do so.
> If *not*, then you end up with GnuTLS being suboptimal as a replacement
> for OpenSSL for projects like Exim, because it doesn't let us remain
> backward-compatible with existing setups.

Hello,
I think that issue should be applicable to the 2.12.x series of
gnutls, not the 3.x which has quite several compatibility
improvements.

regards,
Nikos

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.