[Postfix-es] certificate renewal and postfix failure

Arnau Bria arnau at emergetux.net
Tue Sep 4 13:10:54 CEST 2007


Hi,

a while ago I set up my mail server with its certificates for TLS, and a
couple of months ago (or three) they expired. Now I wanted to renew them,
but since I don't know whether the ones I used were signed by my own CA or
not, I decided to create my CA and some new certificates.

So I follow the document:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
and I have the 3 files needed; I put them in main.cf:
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem

and I reload postfix, but when I try to talk to it:
afrodita misc # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 afrodita.emergetux.net ESMTP Postfix (2.3.6)
EHLO locahost
250-afrodita.emergetux.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
454 4.3.0 TLS not available due to local problem

(the same from a client)

I see in the logs:
Sep  4 12:35:28 afrodita postfix/smtpd[9348]: warning: cannot get private key from file /etc/ssl/postfix/newreq.pem
Sep  4 12:35:28 afrodita postfix/smtpd[9348]: warning: TLS library problem: 9348:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY:
Sep  4 12:35:28 afrodita postfix/smtpd[9348]: warning: TLS library problem: 9348:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

But I don't understand why, since following the manual I add -nodes in:
[...]
   } elsif (/^-newcert$/) {
            # create a certificate
            system ("$REQ -new -nodes -x509 -nodes -keyout newkey.pem -out newcert.pem $DAYS");
            $RET=$?;
            print "Certificate is in newcert.pem, private key is in newkey.pem\n"
        } elsif (/^-newreq$/) {
            # create a certificate request
            system ("$REQ -new  -nodes -keyout newkey.pem -out newreq.pem $DAYS");
            $RET=$?;
            print "Request is in newreq.pem, private key is in newkey.pem\n";
        } elsif (/^-newreq-nodes$/) {
            # create a certificate request
            system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
            $RET=$?;
            print "Request is in newreq.pem, private key is in newkey.pem\n";
[...]

and when I generate cacert.pem it forces me to enter a passphrase:
(it's a gentoo box)

afrodita misc # ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.........................................................++++++
......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
HERE IT FORCES ME, but this is for the CA!!!

[...]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

HERE I LEAVE IT BLANK!!!!!

Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
9569:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

Certificate Details:
[...]
Certificate is to be certified until Sep  3 11:02:02 2010 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

afrodita misc # ./CA.pl -newreq
Generating a 1024 bit RSA private key
...............................................................................................................++++++
....++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
[...]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

HERE I LEAVE IT BLANK!!!!

Request is in newreq.pem, private key is in newkey.pem

afrodita misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

[...]

Certificate is to be certified until Sep  3 11:02:32 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem


Can anyone help me see what I'm doing wrong?

cheers,
Arnau

-- 
Arnau Bria
http://blog.emergetux.net
Bombing for peace is like fucking for virginity
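An added check, not part of the original message and not code from the Postfix or OpenSSL projects: a small POSIX shell script that classifies the three PEM files a main.cf points at before postfix is reloaded. The log above complains "Expecting: ANY PRIVATE KEY" about the file configured as smtpd_tls_key_file, and that file (newreq.pem) is the certificate request written by CA.pl -newreq, while the private key went to newkey.pem; a passphrase-protected key is equally unusable because smtpd has nobody to prompt. The log also names /etc/ssl/postfix/newreq.pem where the main.cf snippet says /etc/postfix/newreq.pem, so a missing file is reported too. The sample PEM files and the two main.cf fragments are constructed inline with placeholder bodies (only the armor and header lines are inspected), and the helper names pem_kind, main_cf_get and check_main_cf are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, Postfix or OpenSSL): sanity-check
# the TLS files named in a Postfix main.cf before reloading. The helper names
# pem_kind, main_cf_get and check_main_cf are this example's own.

# pem_kind FILE: prints csr, cert, key, encrypted-key, missing or unknown.
# Only the PEM armor and header lines are inspected. The encrypted test runs
# before the plain-key test because a passphrase-protected traditional key
# keeps the "RSA PRIVATE KEY" label and adds a "Proc-Type: 4,ENCRYPTED" header.
pem_kind() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then
        echo csr
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
      || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo key
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert
    else
        echo unknown
    fi
}

# main_cf_get MAIN.CF PARAM: value of "param = value"; the last occurrence
# wins, which is how Postfix resolves a parameter set twice.
main_cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_main_cf MAIN.CF: returns 0 when the key is an unencrypted private key
# and both certificate parameters point at certificates, 1 otherwise,
# printing one line per problem found.
check_main_cf() {
    cf=$1
    rc=0
    key=$(main_cf_get "$cf" smtpd_tls_key_file)
    cert=$(main_cf_get "$cf" smtpd_tls_cert_file)
    ca=$(main_cf_get "$cf" smtpd_tls_CAfile)
    case "$(pem_kind "$key")" in
        key) ;;
        csr) echo "smtpd_tls_key_file=$key is a certificate request, not a key"; rc=1 ;;
        encrypted-key) echo "smtpd_tls_key_file=$key asks for a passphrase; smtpd cannot answer it"; rc=1 ;;
        *) echo "smtpd_tls_key_file=$key: no private key found"; rc=1 ;;
    esac
    for pair in "smtpd_tls_cert_file=$cert" "smtpd_tls_CAfile=$ca"; do
        f=${pair#*=}
        if [ "$(pem_kind "$f")" != cert ]; then
            echo "${pair%%=*}=$f: not a certificate"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: the base64 bodies are placeholders, only the
# armor and header lines matter to pem_kind. Cleaned up when the shell exits.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB-placeholder' \
    '-----END CERTIFICATE REQUEST-----' > "$DEMO/newreq.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIC-placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/newkey.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/cakey.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIID-placeholder' \
    '-----END CERTIFICATE-----' > "$DEMO/newcert.pem"
cp "$DEMO/newcert.pem" "$DEMO/cacert.pem"

# A main.cf with the key parameter pointing at the CSR, and a corrected one.
cat > "$DEMO/main.cf.bad" <<EOF
smtpd_tls_key_file = $DEMO/newreq.pem
smtpd_tls_cert_file = $DEMO/newcert.pem
smtpd_tls_CAfile = $DEMO/cacert.pem
EOF
cat > "$DEMO/main.cf.good" <<EOF
smtpd_tls_key_file = $DEMO/newkey.pem
smtpd_tls_cert_file = $DEMO/newcert.pem
smtpd_tls_CAfile = $DEMO/cacert.pem
EOF

if check_main_cf "$DEMO/main.cf.bad"; then echo "unexpected: bad config passed"; fi
if check_main_cf "$DEMO/main.cf.good"; then echo "main.cf.good: TLS files look consistent"; fi
```

Run it against the real main.cf by calling check_main_cf /etc/postfix/main.cf after the functions; a non-zero exit means reloading would only produce the "TLS not available due to local problem" answer seen above. For the key file itself, openssl rsa -in newkey.pem -noout -check confirms it parses without a passphrase prompt.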


More information about the Postfix-es mailing list