Comodo SSL + Postfix

Hi folks,

Is there someone who knows perfectly how to configure Postfix to properly use an SSL cert from this provider? I gave up after 3 hours of trying.

The error was the following:

    Feb 23 00:27:44 vps postfix/submission/smtpd[1054]: warning: cannot get RSA private key from file /etc/ssl/private/fh.key: disabling TLS support
    Feb 23 00:27:44 vps postfix/submission/smtpd[1054]: warning: TLS library problem: 1054:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
    Feb 23 00:27:46 vps postfix/submission/smtpd[1054]: connect from sender1.zohomail.com[72.5.230.103]
    Feb 23 00:27:46 vps postfix/submission/smtpd[1054]: lost connection after STARTTLS from sender1.zohomail.com[72.5.230.103]

It says key values mismatch. Then I tried to compare like this:

    [email protected]:/etc/postfix# openssl x509 -noout -modulus -in fh.crt | openssl md5 ; openssl rsa -noout -modulus -in fh.key | openssl md5
    (stdin)= d42311fa4d77e88e3d43e39de8630ac0
    (stdin)= d42311fa4d77e88e3d43e39de8630ac0

No idea!

Thanks!


Comments

  • logfile said:

    warning: cannot get RSA private key from file /etc/ssl/private/fh.key

    you tested:

    /etc/postfix# openssl x509 -noout -modulus -in fh.crt | openssl md5 ; openssl rsa -noout -modulus -in fh.key | openssl md5

    wrong path?


  • @Falzo

    The path is good but I've tested later in another directory without success, so don't be confused about that. :)

  • Thanks! I'm gonna try to solve it with the info you've found on the second page. I saw the first link last night and tried to make a bundle with different orders, but it didn't work out. I'll get back to you later.

  • so where is your key-file located then, and what about the permissions of file and folder to it? - maybe postfix simply can't read the file because it got no permission to do so...


  • I've moved it temporarily to /etc/postfix/, also changed the path in main.cf, and permissions are correctly set. Same as the self-generated one before. The self-generated one is working but the Comodo cert is not. That's the difference.

    @Falzo said:
    so where is your key-file located then, and what about the permissions of file and folder to it? - maybe postfix simply can't read the file because it got no permission to do so...


  • @hwdsl2 @Falzo

    Ok, I've got this in the mail. Plus I have the private key saved.

        Root CA Certificate - AddTrustExternalCARoot.crt
        Intermediate CA Certificate - COMODORSAAddTrustCA.crt
        Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
        Your Free SSL Certificate - xxxxxxxxxxxxxx.crt
    

    Which one should be in which line in the main.cf?


  • msg7086 Member
    edited February 2015

    @pbalazs123 said:

        1. Root CA Certificate - AddTrustExternalCARoot.crt
        2. Intermediate CA Certificate - COMODORSAAddTrustCA.crt
        3. Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
        4. Your Free SSL Certificate - xxxxxxxxxxxxxx.crt
    

    Which one should be in which line in the main.cf?

    Typically we use 4+3+2, concatenated into one file.
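
The 4+3+2 ordering from the reply above, as an added example that is not part of the original thread: it builds a throwaway CA hierarchy (all names and files are constructed) and compares a leaf-first bundle with one that has a CA on top. The TLS library treats the first certificate in the file as the server certificate, so the CA-first bundle fails the private-key check even though the key matches the leaf.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI for the demo; every name below is made up.
set -eu

# Hash of the public key in the FIRST certificate of a PEM file
# (openssl x509 stops after the first certificate it reads).
first_cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub()        { openssl pkey -in "$1" -pubout | openssl sha256; }

# True only when the private key belongs to the first certificate in the bundle.
bundle_matches_key() { [ "$(first_cert_pub "$1")" = "$(key_pub "$2")" ]; }

# True when the leaf chains to the demo root through the bundle's certificates.
chain_ok() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/good.pem" "$1/leaf.crt" >/dev/null 2>&1; }

new_csr() {  # NAME: fresh RSA key and signing request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=demo $1" 2>/dev/null
}
issue() {    # NAME ISSUER [EXTFILE]: certificate for NAME signed by ISSUER
  new_csr "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 2 ${3:+-extfile "$3"} -out "$1.crt" 2>/dev/null
}

build_demo() (   # $1 = scratch directory; runs in a subshell so cd stays local
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
    -out root.crt 2>/dev/null
  issue inter1 root ca.ext    # plays the role of file 2 in the e-mail
  issue inter2 inter1 ca.ext  # plays the role of file 3
  issue leaf inter2           # plays the role of file 4, the server certificate
  cat leaf.crt inter2.crt inter1.crt > good.pem  # 4+3+2, leaf first
  cat inter1.crt inter2.crt leaf.crt > bad.pem   # same certificates, CA first
)

d=$(mktemp -d)
build_demo "$d"
for b in good bad; do
  if bundle_matches_key "$d/$b.pem" "$d/leaf.key"
  then echo "$b.pem: key matches first certificate"
  else echo "$b.pem: key does not match first certificate"
  fi
done
chain_ok "$d" && echo "good.pem: chain verifies to the demo root"
```

In Postfix the leaf-first bundle is the file named by `smtpd_tls_cert_file`, and the private key is the file named by `smtpd_tls_key_file`.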

  • Ok, finally I've managed to install the cert. It works like a charm in Gmail and Thunderbird. But now I have another problem.

    There's a feature called Send As in Zohomail. If I add my server as a custom SMTP (port 587/TLS) I get the following error in my log files:

    Feb 24 12:58:40 smtp postfix/submission/smtpd[20403]: connect from sender1.zohomail.com[72.5.230.103]
    Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: SSL_accept error from sender1.zohomail.com[72.5.230.103]: 0
    Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: warning: TLS library problem: 20403:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1260:SSL alert number 46:
    Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: lost connection after STARTTLS from sender1.zohomail.com[72.5.230.103]
    Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: disconnect from sender1.zohomail.com[72.5.230.103]
    

    Error msg in Zohomail:

    Your certificate is invalid lol :D

    Using the same method in Gmail works, using in Thunderbird it works.

    What's the deal now?
