# postfix / cert / problems [solved]

## Teardrop

hi

since a recent upgrade of postfix i have the following error:

*Quote:*

> Jun  2 11:54:29 [postfix/smtpd] initializing the server-side TLS engine
> Jun  2 11:54:29 [postfix/smtpd] warning: cannot get private key from file /etc/postfix/newreq.pem
> Jun  2 11:54:29 [postfix/smtpd] warning: TLS library problem: 7139:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:$
> ...

i already tried to re-emerge openssl, make new certs and delete the old ones, but still the same problem.

any suggestion what else i can do so that postfix can read those certs again?

thank you very much.

Teardrop

PS: I searched the forum and found someone who posted a solution with an external CA organisation, but i would prefer to do it the virtual mail howto way.

Last edited by Teardrop on Mon Nov 20, 2006 9:39 pm; edited 1 time in total

----------

## Shazam

are you using self-signed certificates? how important is it to you to use them, in case you do? or do you just use the ones delivered by emerging postfix? maybe you could post the part of your main.conf where you set up your TLS support.

----------

## Teardrop

i always used the self-signed ones. made my own as written in the virtual mail howto. it has worked for years now. the most important thing atm is that it works; after that i want my own again.

main.cf:

*Quote:*

> smtpd_sasl_auth_enable = yes
> smtpd_sasl2_auth_enable = yes
> ...

it always worked, so i think it is something about the certificates themselves.

----------

## Shazam

if you just need it working, then simply use the certificates under /etc/ssl/postfix/

so my TLS portion of the main.cf looks as follows:

```
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

i got them by this howto: https://forums.gentoo.org/viewtopic-t-56633-highlight-postfix+howto+guide.html. i don't know if you already know it.

you also said you made new certs and remerged ssl. did you simply remerge it, or did you unmerge and then emerge it again? have you tried unmerging ssl, then cleaning out /etc/ssl? i'm not quite sure if a simple remerge updates everything there; just a guess, and probably not the professional solution, but maybe it works.

----------

## Teardrop

yeah, you are right. i just re-emerged it. i will try the unmerge and emerge thing, or else the certs from postfix. thanks for the tips. will post my results.

Teardrop

----------

## Teardrop

i deleted and re-emerged openssl and postfix now and i am using the postfix certs, but there is an error too:

*Quote:*

> TLS library problem: 26179:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

if i try something like

*Quote:*

> openssl s_client -starttls smtp -CApath /etc/postfix/certs/ -connect localhost:25

everything seems to be working fine, except that somewhere it mentions

*Quote:*

> Verify return code: 7 (certificate signature failure)

remember that these are the postfix's own certs... nothing changed!

trying to make my own ones again but have not much hope. any help appreciated.

Teardrop

----------

## ProPilot

I have the same problem.

Anyone have a solution?

Tom

----------

## magic919

Which Postfix versions are involved here? Before upgrade and now.

----------

## ProPilot

I have mail_version = 2.2.5

Tom

----------

## magic919

*ProPilot wrote:*

> I have mail_version = 2.2.5
>
> Tom

And what did you have before?

----------

## ProPilot

2.2.5

Tom

----------

## mach.82

The problem is this: if you are following the Virtual Mailhosting System with Postfix Guide (the Guide) at http://www.gentoo.org/doc/en/virt-mail-howto.xml, Section 5 under the title "Code Listing 5.1: Making ssl certificates" is outdated. Here is a quick fix of what you have to do:

To start all over again, you can safely delete the directory /etc/ssl/misc/demoCA and remove all the certificate files in /etc/ssl/misc:

```
cd /etc/ssl/misc
rm -r ./demoCA
rm *.pem
rm new.cert.*
```

Example of how to change the default values in /etc/ssl/openssl.cnf:

```
# in the [ CA_default ] section: this will give you a ten-year certificate
default_days                    = 3652

# in the [ req_distinguished_name ] section
countryName_default             = CA
stateOrProvinceName_default     = Ontario
localityName_default            = Toronto
0.organizationName_default      = example.com
organizationalUnitName_default  = Root CA Validation Authority
commonName_default              = example.com Root CA Validation Authority
emailAddress_default            = admin@example.com
```

You can now follow the Guide until you get to the command line:

```
cp newreq.pem /etc/postfix

```

You must replace this line with the following, since newreq.pem created by ./CA.pl newreq no longer includes the private key (anyone know why?):

```
cat newkey.pem newreq.pem > /etc/postfix/newreq.pem

```

You can now follow the Guide again and complete your installation.

Cheers!

----------

## ProPilot

Tks mach.82

Tom

----------

## ProPilot

mach.82's suggestion works for me.

Tom

----------

## Teardrop

hi

nope, didn't work for me. i now have the same errors again as in the last post. any more ideas?

still thanks for your info and help.

Teardrop

----------

## Teardrop

No one?

i am a little desperate...

Teardrop

----------

## jmbsvicetto

Hi.

I would suggest you adapt the following from Luc de Louw's Postfix-Cyrus-Web-cyradm-HOWTO guide. The creation of the TLS/SSL certificate can be found in the Configuring Cyrus IMAP section.

```
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
    -signkey new.key.pem -days 999
mkdir /var/imap
cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem
```

Does it work for you?
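Both mach.82's concatenation above and this recipe end up with the same thing: the file named by smtpd_tls_key_file carries a private key block and the file named by smtpd_tls_cert_file carries a certificate, and OpenSSL's "no start line" error means the file Postfix handed it has no PEM block of the type it asked for. The check below is an added example, not from the thread or either howto; it lists a PEM file's block labels and names the missing piece, using constructed sample files with fake bodies.

```shell
#!/bin/sh
# Added example (not from the thread or the howtos): list the PEM block
# labels in the files named by smtpd_tls_key_file / smtpd_tls_cert_file.
# "PEM routines:PEM_read_bio:no start line" means OpenSSL found no
# "-----BEGIN <type>-----" of the type Postfix asked for in that file.

# Print the label of every BEGIN line in FILE, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# 0 if FILE holds a private key block (RSA PRIVATE KEY, PRIVATE KEY, ...).
pem_has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# 0 if FILE holds a CERTIFICATE block; a CERTIFICATE REQUEST does not count.
pem_has_certificate() {
    pem_labels "$1" | grep -q '^CERTIFICATE$'
}

# KEYFILE must carry a private key and CERTFILE a certificate (they may be
# the same file). Prints a diagnosis and returns 1 on the first missing piece.
check_postfix_tls_files() {
    if ! pem_has_private_key "$1"; then
        echo "$1: no PRIVATE KEY block (Postfix: cannot get private key)"
        return 1
    fi
    if ! pem_has_certificate "$2"; then
        echo "$2: no CERTIFICATE block (Postfix cannot load the certificate)"
        return 1
    fi
    echo "ok: key in $1 ($(pem_labels "$1" | tr '\n' ' ')), cert in $2"
}

# Constructed sample files with fake one-line bodies, not real key material.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'QUJD' \
    '-----END CERTIFICATE REQUEST-----' > "$tmp/newreq.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJD' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/newkey.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE-----' > "$tmp/newcert.pem"
# The Guide's old step hands Postfix a CSR as key file: Teardrop's error.
check_postfix_tls_files "$tmp/newreq.pem" "$tmp/newcert.pem"
# mach.82's fix: prepend the key, so the key file now has a PRIVATE KEY block.
cat "$tmp/newkey.pem" "$tmp/newreq.pem" > "$tmp/fixed.pem"
check_postfix_tls_files "$tmp/fixed.pem" "$tmp/newcert.pem"
```

Run it against your real files as `check_postfix_tls_files /etc/postfix/newreq.pem /etc/postfix/newcert.pem` (or the same path twice for a combined server.pem) to see which block Postfix is failing to find.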

----------

## Teardrop

hi

sorry for my late response. just tried it and it worked. got another problem though, but will post this in a new thread. thx a lot

Teardrop

----------

