Proper procedure for importing TLS cert & private key for Postfix use


Security Admin (NetSec)

Recently imported files that contained the TLS certificate and the private key.

Imported them to the proper directories and changed the default settings from the old cert & key files to the new files (“smtpd_tls_cert_file=/etc/ssl/certs/tlscert.pem” and “smtpd_tls_key_file=/etc/ssl/private/tlsprivatekey.key”).

When I ran a test e-mail to see if it worked, I got the following errors in “mail.log”:

Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: cannot get RSA private key from file "/etc/ssl/private/tlsprivate.key": disabling TLS support

Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:110:

Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:457:

Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:649:

 

 

Any thoughts on what I am doing wrong and how I might fix it? I am thinking possibly file permissions but did not want to chmod until I knew for sure.

Thanks in advance!

Ed Ray


RE: Proper procedure for importing TLS cert & private key for Postfix use

Fazzina, Angelo

This

"/etc/ssl/private/tlsprivate.key":

Does not equal

“/etc/ssl/private/tlsprivatekey.key”

 

 

-ANGELO FAZZINA
UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail
[hidden email]
University of Connecticut, UITS, SSG, Server Systems
860-486-9075



Re: Proper procedure for importing TLS cert & private key for Postfix use

Bill Cole-3
In reply to this post by Security Admin (NetSec)
On 8 Dec 2017, at 13:02 (-0500), Security Admin (NetSec) wrote:

> Recently imported files that contained the TLS certificate and the
> private key.
>
> Imported them to them proper directories and changed the default
> settings from the old cert & key files to the new files
> ("smtpd_tls_cert_file=/etc/ssl/certs/tlscert.pem" and
> "smtpd_tls_key_file=/etc/ssl/private/tlsprivatekey.key").
>
> When I ran a test e-mail to see if it worked, I got the following
> errors in "mail.log"
>
>
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: cannot get RSA
> private key from file "/etc/ssl/private/tlsprivate.key": disabling TLS
> support
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library
> problem: error:0906406D:PEM routines:PEM_def_callback:problems getting
> password:pem_lib.c:110:
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library
> problem: error:0906A068:PEM routines:PEM_do_header:bad password
> read:pem_lib.c:457:
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library
> problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
> lib:ssl_rsa.c:649:
>
>
> Any thought on what I am doing wrong and how I might fix?  I am
> thinking possibly file permissions but did not want to chmod until I
> knew for sure.

Assuming the mismatched filenames between your narrative and log lines
is a typo, I think the problem is identified in the 2nd & 3rd lines,
citing "password" problems. This implies that you have an encrypted
private key file, which I don't believe can be made to work with
Postfix. Convert the key to unencrypted form. To quote the man page for
rsa(1ssl) :

openssl rsa -in key.pem -out keyout.pem

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Proper procedure for importing TLS cert & private key for Postfix use

Viktor Dukhovni


> On Dec 8, 2017, at 11:37 PM, Bill Cole <[hidden email]> wrote:
>
> Assuming the mismatched filenames between your narrative and log lines is a typo, I think the problem is identified in the 2nd & 3rd lines, citing "password" problems. This implies that you have an encrypted private key file, which I don't believe can be made to work with Postfix. Convert the key to unencrypted form. To quote the man page for rsa(1ssl) :
>
> openssl rsa -in key.pem -out keyout.pem

Basically correct, but since many extant versions of OpenSSL
(prior to OpenSSL 1.1.0) don't explicitly ensure that key
output files are not world-readable, I'd suggest instead:

   # (umask 077; openssl rsa -in key.pem -out keyout.pem)

--
        Viktor.
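
The two checks raised in the replies above (is the key file passphrase-protected, and is it readable by group or other), as an added example that is not part of the thread. The function names key_state, key_perms and check_key are hypothetical, and the sample key files are constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example: pre-flight checks for the file named by smtpd_tls_key_file.
# Function names are hypothetical; sample keys below are constructed.

# Classify a PEM file by its framing: encrypted, plaintext or not-a-key.
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted        # PKCS#8 container protected by a passphrase
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted        # traditional PEM key protected by a passphrase
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo not-a-key
    fi
}

# "ok" when group and other have no permission bits, otherwise "loose".
key_perms() {
    mode=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$mode" = "------" ]; then echo ok; else echo loose; fi
}

# Succeeds only when the key is unencrypted and closed to group and other.
check_key() {
    state=$(key_state "$1"); perms=$(key_perms "$1")
    echo "$1: $state, permissions $perms"
    [ "$state" = plaintext ] && [ "$perms" = ok ]
}

# Constructed samples: real PEM framing, placeholder bodies (not usable keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$demo_dir/encrypted.key"
chmod 600 "$demo_dir/encrypted.key"
# Same pattern as the reply above: create the unencrypted file under umask 077.
(umask 077; printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$demo_dir/plain.key")
cp "$demo_dir/plain.key" "$demo_dir/loose.key"
chmod 644 "$demo_dir/loose.key"

for f in encrypted plain loose; do
    check_key "$demo_dir/$f.key" || echo "  -> fix before pointing Postfix at it"
done
```

The "Proc-Type: 4,ENCRYPTED" header is what makes the TLS library ask for a password, which is the "problems getting password" warning in the log above.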


RE: Proper procedure for importing TLS cert & private key for Postfix use

Security Admin (NetSec)
In reply to this post by Fazzina, Angelo

Ignore typo, was trying to obfuscate file.

"/etc/ssl/private/tlsprivate.key" does = “/etc/ssl/private/tlsprivatekey.key”



Re: Proper procedure for importing TLS cert & private key for Postfix use

tejas sarade
From the error message it feels like the private key is password protected.
It is possible that while exporting the key some passphrase was set.
If that is the case you need to remove the password protection of
the private key using openssl.


> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: cannot get RSA private
> key from file "/etc/ssl/private/tlsprivate.key": disabling TLS support
>
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem:
> error:0906406D:PEM routines:PEM_def_callback:problems getting
> password:pem_lib.c:110:
>
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem:
> error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:457:
>
> Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem:
> error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
> lib:ssl_rsa.c:649: