Postfix SNI / Letsencrypt


Postfix SNI / Letsencrypt

ouafnico
Hi all,

I'm trying to make the SNI feature from Postfix >3.4 work.

I've declared a "smtpd_tls_chain_files" using Letsencrypt certificates
(privkey and fullchain), and a "tls_server_sni_maps" using a hash file,
according to the documentation online.

The doc says:
 "The chain files MUST start with the private key,
    with the certificate chain next, starting with the leaf
    (server) certificate, and then the issuer certificates."

I tried different ways on the SNI file, but every time I try to test the
configuration with openssl I get this in the Postfix logs:

Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: key at index 1 in
SNI data for mail.hidden.fr does not match next certificate
Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: TLS library
problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing
certificate:../ssl/ssl_rsa.c:1107:
Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: error loading
private keys and certificates from: SNI data for mail.hidden.fr:
aborting TLS handshake


Has anyone made this work with Letsencrypt certificates?


Thanks,


Re: Postfix SNI / Letsencrypt

Viktor Dukhovni
On Sun, Dec 08, 2019 at 12:43:36AM +0100, [hidden email] wrote:

> I tried different ways on the SNI file, but every time I try to test the
> configuration with openssl I get this in the Postfix logs:
>
> Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: key at index 1 in
> SNI data for mail.hidden.fr does not match next certificate
> Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: TLS library
> problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing
> certificate:../ssl/ssl_rsa.c:1107:
> Dec  8 00:34:28 shiva2 postfix/smtpd[7290]: warning: error loading
> private keys and certificates from: SNI data for mail.hidden.fr:
> aborting TLS handshake

http://www.postfix.org/DEBUG_README.html#mail

Also, without disclosing the private keys, make clear precisely what
data is in the various PEM files and in what order.  You can use the
command below, which prints only public key sha256 digests, and cert
chain subject and issuer names.

  $ for f in *.pem; do
      printf "\n=== %s\n" "$f"
      # SHA-256 of the DER public key derived from the private key (if any).
      # The sed maps the digest of empty input to -NONE- when no key is present.
      printf "ee key hash\n"
      openssl pkey -in "$f" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 |
        sed 's/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/-NONE-/'
      # SHA-256 of the public key in the first certificate; must equal the hash above.
      printf "ee cert pubkey hash\n"
      openssl x509 -in "$f" -pubkey -noout 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 |
        sed 's/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/-NONE-/'
      # Subject and issuer of every certificate in the file, in file order.
      printf "ee chain names\n"
      openssl crl2pkcs7 -nocrl -certfile "$f" |
        openssl pkcs7 -print_certs -noout |
        egrep -v '^$'
    done

--
    Viktor.
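The ordering rule quoted from the Postfix documentation in the first message, and the "key at index N" complaint in the logs, can be checked structurally before Postfix ever sees the file. The following is an added example, not code from the thread or from Postfix: it parses the PEM labels in a chain file, reports keys that are not immediately followed by a certificate, and assembles the file in the right order from certbot's privkey.pem and fullchain.pem (those file names are an assumption about the Letsencrypt client used). It checks ordering only; the public key digests in Viktor's openssl loop are what confirm the key actually matches the leaf certificate.

```python
import re

# PEM labels Postfix accepts as private keys in a chain file (PKCS#8 and legacy forms).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def parse_pem_objects(text):
    """Return the PEM labels in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE', ...]."""
    return [m.group(1) for m in PEM_RE.finditer(text)]


def check_chain_order(text):
    """Apply the documented rule: the file starts with a private key, each key is
    immediately followed by its leaf certificate, then its issuer certificates.
    Returns (groups, problems): groups holds the certificate count after each key."""
    labels = parse_pem_objects(text)
    groups, problems = [], []
    if not labels:
        return groups, ["no PEM objects found"]
    if labels[0] not in KEY_LABELS:
        problems.append("file does not start with a private key (first object: %s)" % labels[0])
    for i, label in enumerate(labels):
        if label in KEY_LABELS:
            nxt = labels[i + 1] if i + 1 < len(labels) else None
            if nxt != "CERTIFICATE":
                problems.append("key at index %d is not followed by a certificate" % i)
            groups.append(0)
        elif label == "CERTIFICATE":
            if groups:  # certificates before any key are already reported above
                groups[-1] += 1
        else:
            problems.append("unexpected object %s at index %d" % (label, i))
    return groups, problems


def assemble_letsencrypt_chain(privkey_pem, fullchain_pem):
    """Build chain-file contents in Postfix order from certbot's privkey.pem and
    fullchain.pem (leaf first, then intermediates): key, leaf, issuers."""
    return privkey_pem.rstrip("\n") + "\n" + fullchain_pem.rstrip("\n") + "\n"


# Constructed placeholder PEM blocks (not real key material); only the labels matter here.
def _pem(label, body="AAAA"):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


SAMPLE_PRIVKEY = _pem("PRIVATE KEY")
SAMPLE_FULLCHAIN = _pem("CERTIFICATE", "BBBB") + _pem("CERTIFICATE", "CCCC")

if __name__ == "__main__":
    print(check_chain_order(assemble_letsencrypt_chain(SAMPLE_PRIVKEY, SAMPLE_FULLCHAIN)))
    print(check_chain_order(SAMPLE_FULLCHAIN + SAMPLE_PRIVKEY))  # fullchain before key
```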