[Postfix-es] Help with tls.
Pablo Braulio
brulics en gmail.com
Wed Nov 16 20:25:35 CET 2005
Hello.
I am having problems with Postfix's TLS connection. This has been happening since I
regenerated a digital certificate because mine expired.
I am using the following guide:
http://bulma.net/body.phtml?nIdNoticia=2163
It already gave me problems when I set it up, being a beginner, and now it seems there
is no respite.
With openssl installed, I generate the certificate authority and the certificate, and
I sign it. I am pasting what I did.
I generate the certificate authority:
----------------------------------------------
/usr/lib/ssl/misc# ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...................................++++++
.........................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [VALENCIA]:
Localidad []:VALENCIA
Organization Name (eg, company) [xxxxxxx]:
Organizational Unit Name (eg, section) []:Departamento de Sistemas
Common Name (eg, YOUR name) []:Pablo Braulio
Email Address []:xxxx en xxxxx.xx
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <--- Here I enter nothing.
An optional company name []: <-- Nothing here either.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fadfa dsdfdf fa adfa
Validity
Not Before: Nov 16 19:07:48 2005 GMT
Not After : Nov 15 19:07:48 2008 GMT
Subject:
countryName = ES
stateOrProvinceName = VALENCIA
organizationName = XXX SSSSSS
organizationalUnitName = Departamento de Sistemas
commonName = Pablo Braulio
emailAddress = xxxx en ssssss.sss
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DC:B1:E3:A4:05:0E:0A:B8:FF:63:48:3A:A8:06:08:31:94:E1:33:9E
X509v3 Authority Key Identifier:
keyid:DC:B1:E3:A4:05:0E:0A:B8:FF:63:48:3A:A8:06:08:31:94:E1:33:9E
Certificate is to be certified until Nov 15 19:07:48 2008 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
----------------------------------------
I generate the certificate.
--------------------------------------------------------
bruliweb:/usr/lib/ssl/misc# ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
.......................................................................................
++++++
....................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [VALENCIA]:
Localidad []:VALENCIA
Organization Name (eg, company) [XXXXXXX]:
Organizational Unit Name (eg, section) []:Departamento de Sistemas
Common Name (eg, YOUR name) []:Pablo Braulio
Email Address []:xxx en xxxxx.ss
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- Again I enter nothing.
An optional company name []: <-- Nothing here either.
Request is in newreq.pem, private key is in newkey.pem
And I sign it:
--------------------------------------------
bruliweb:/usr/lib/ssl/misc# ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
9493:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
dfadfdf f dadsfd adfafa
Validity
Not Before: Nov 16 19:08:53 2005 GMT
Not After : Nov 16 19:08:53 2006 GMT
Subject:
countryName = ES
stateOrProvinceName = VALENCIA
localityName = VALENCIA
organizationName = XXXXXX
organizationalUnitName = Departamento de Sistemas
commonName = Pablo Braulio
emailAddress = dddd en dddd.dd
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DC:94:1A:81:1C:5A:40:60:9B:2E:1D:D5:5D:EA:FA:FB:20:7F:70:6B
X509v3 Authority Key Identifier:
keyid:DC:B1:E3:A4:05:0E:0A:B8:FF:63:48:3A:A8:06:08:31:94:E1:33:9E
Certificate is to be certified until Nov 16 19:08:53 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
-------------------------------------------------
I copy it into the directories:
----------------------------------
mkdir /etc/postfix/ssl
cp demoCA/cacert.pem /etc/postfix/ssl/
cp newcert.pem /etc/postfix/ssl/
cp newreq.pem /etc/postfix/ssl/
chown root /etc/postfix/ssl/newreq.pem
chmod 400 /etc/postfix/ssl/newreq.pem
---------------------------------
I modify /etc/postfix/main.cf (which I already had).
---------------------------------
smtpd_use_tls = yes
# smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
----------------------------------
And when I telnet in to test:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 bruliweb.aldiagestion.com ESMTP Postfix (Debian/GNU)
EHLO localhost
250-bruliweb.aldiagestion.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250 8BITMIME
STARTTLS
454 TLS not available due to local problem
-------------------------------------
And in the logs I find this:
--------------------------------------
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: initializing the server-side TLS engine
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: warning: cannot get private key from file /etc/postfix/ssl/newreq.pem
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: warning: TLS library problem: 9682:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY:
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: warning: TLS library problem: 9682:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: cannot load RSA certificate and key data
Nov 16 20:24:01 bruliweb postfix/smtpd[9682]: connect from localhost[127.0.0.1]
-------------------------------
Could someone help me solve this? I don't understand what is failing.
--
Regards.
Pablo.
Fingerprint 5607 40CF 45EF D490 B794 5056 D7B2 C3DC ABF1 CE49
Jabber: bruli(at)myjabber(dot)net
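As an added diagnostic (not part of the original message, nor of the guide it links), the following Python script reproduces, without needing OpenSSL, the check behind the `PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY` warning shown in the logs: it reads the smtpd_tls_key_file, smtpd_tls_cert_file and smtpd_tls_CAfile paths from a main.cf and reports whether each file actually contains a PEM block of the type Postfix expects there (a private key for the key file, which Postfix additionally requires to be unencrypted since smtpd cannot prompt for a passphrase; a certificate for the other two). The file contents below are constructed placeholders keyed by the paths used in the post, standing in for real files; against a live system, call check_postfix_tls() without the read_file argument so it reads from disk.

```python
import re
from typing import Callable, Dict, List

# PEM labels OpenSSL accepts where it reports "Expecting: ANY PRIVATE KEY"
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
    "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}

# One PEM block: header, body, matching footer. Text outside the blocks
# (CA.pl -sign writes a human-readable dump before the certificate) is ignored,
# exactly as PEM_read_bio skips it.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text: str) -> List[str]:
    """Labels of every PEM block in a file, in order (empty list = no PEM at all)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(text: str) -> bool:
    """PKCS#8 encrypted container, or legacy key with a Proc-Type encryption header."""
    return "ENCRYPTED PRIVATE KEY" in pem_labels(text) or "Proc-Type: 4,ENCRYPTED" in text


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value' lines; '#' comment lines ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_postfix_tls(main_cf_text: str,
                      read_file: Callable[[str], str] = lambda p: open(p).read()) -> List[str]:
    """Return a list of findings about the smtpd_tls_* files; an empty list means all good."""
    params = parse_main_cf(main_cf_text)
    findings: List[str] = []
    expectations = {
        "smtpd_tls_key_file": ("private key", PRIVATE_KEY_LABELS),
        "smtpd_tls_cert_file": ("certificate", {"CERTIFICATE"}),
        "smtpd_tls_CAfile": ("CA certificate", {"CERTIFICATE"}),
    }
    for param, (what, wanted) in expectations.items():
        path = params.get(param)
        if not path and param == "smtpd_tls_key_file":
            path = params.get("smtpd_tls_cert_file")  # Postfix default: key lives in the cert file
        if not path:
            findings.append(f"{param} is not set")
            continue
        try:
            text = read_file(path)
        except OSError as e:
            findings.append(f"{param}={path}: cannot read file ({e})")
            continue
        labels = pem_labels(text)
        if not any(label in wanted for label in labels):
            findings.append(f"{param}={path}: no {what} block found "
                            f"(found: {', '.join(labels) or 'no PEM block at all'})")
        elif param == "smtpd_tls_key_file" and is_encrypted_key(text):
            findings.append(f"{param}={path}: key is passphrase-protected; smtpd cannot prompt for it")
    return findings


# Constructed stand-ins for the files under /etc/postfix/ssl (bodies are not real keys).
SAMPLE_FILES = {
    "/etc/postfix/ssl/newreq.pem": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB(constructed)\n-----END CERTIFICATE REQUEST-----\n",
    "/etc/postfix/ssl/newkey.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIC(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "/etc/postfix/ssl/newcert.pem": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                                    "-----BEGIN CERTIFICATE-----\nMIID(constructed)\n-----END CERTIFICATE-----\n",
    "/etc/postfix/ssl/cacert.pem": "-----BEGIN CERTIFICATE-----\nMIID(constructed)\n-----END CERTIFICATE-----\n",
    # constructed copy of a passphrase-protected CA key, as CA.pl -newca produces
    "/etc/postfix/ssl/cakey.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                  "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIC(constructed)\n-----END RSA PRIVATE KEY-----\n",
}


def read_sample(path: str) -> str:
    """Fake reader over SAMPLE_FILES; raises like open() would for a missing file."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


# The smtpd_tls_* lines exactly as posted, and the same lines with the key pointed at newkey.pem.
MAIN_CF_AS_POSTED = """smtpd_use_tls = yes
# smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
"""
MAIN_CF_FIXED = MAIN_CF_AS_POSTED.replace("newreq.pem", "newkey.pem")

if __name__ == "__main__":
    for name, cf in (("as posted", MAIN_CF_AS_POSTED), ("key file = newkey.pem", MAIN_CF_FIXED)):
        print(f"[{name}]")
        for finding in check_postfix_tls(cf, read_file=read_sample) or ["OK"]:
            print("  " + finding)
```

The script only looks at PEM headers, so it catches a CSR, a certificate or an encrypted key sitting where an unencrypted private key is expected; whether the key and certificate actually belong together still needs `openssl rsa -noout -modulus` and `openssl x509 -noout -modulus` compared on the two files.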