Sendmail: Getting error on private key when trying to send out via TLS/SSL


#1

Hello,

We are getting crazy here!

We keep getting this error on our server when trying to send out mails via TLS/SSL:

Sep 13 16:02:42 woolspire sm-mta[7475]: STARTTLS=client, error: SSL_CTX_use_PrivateKey_file(/etc/ssl/woolspire.crt) failed
Sep 13 16:02:42 woolspire sm-mta[7475]: STARTTLS=client, error: SSL_CTX_check_private_key failed(/etc/ssl/woolspire.crt): 0

What are we doing wrong here to be able to send out via sendmail and apache2.4?


#2

I’d suspect that the settings in your sendmail.cf are incorrect. It could possibly also be due to the version of openssl you have installed on that server.

What is your config?


#3

Hello serverco,

Many thanks for your help.

Here is the edited sendmail.cf:

# CA directory
O CACertPath=/etc/ssl
# CA file
O CACertFile=/etc/ssl/intermediate.ca
# Server Cert
O ServerCertFile=/etc/ssl/woolspire.crt
# Server private key
O ServerKeyFile=/etc/ssl/woolspire.key
# Client Cert
#O ClientCertFile=/etc/ssl/woolspire.crt
# Client private key
O ClientKeyFile=/etc/ssl/woolspire.crt
# File containing certificate revocation lists
#O CRLFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile

Version of OpenSSL: OpenSSL 1.0.1f 6 Jan 2014


#4

This strikes me as strange - are you 100% sure you want to be configuring mutually authenticated TLS with a ClientKeyFile? If so I’d also expect to see the ClientCertFile uncommented. For a mailserver intended to send mail to other Internet mailservers I wouldn’t expect you to need a client certificate or key to send outbound STARTTLS mail at all. Maybe you could try commenting out the ClientKeyFile line and trying again?

Edit: This is definitely the problem :slight_smile: I read more carefully and you’re using the .crt file as the ClientKeyFile. As expected sendmail balks at using a certificate as a private key for client authentication.


#5

If I comment out ClientKeyFile, I don’t get the error as before but:

Sep 13 16:27:55 woolspire sendmail[8803]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256

But verify is still FAIL?

SPF record is set.


#6

What is the remote mailserver you are trying to send the test message to?

What operating system/distro/version is this server? You might also need to change this to /etc/ssl/certs.
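Added example (not from the thread or from the sendmail project): a small Python linter for the two mistakes diagnosed in the replies above, a *KeyFile option that points at a certificate file and a CACertPath directory that holds no OpenSSL hash-named CA files. It only inspects PEM block labels, not whether the key actually matches the certificate; the /etc/ssl look-alike and its dummy PEM files are constructed inline.

```python
import os
import re
import tempfile

# sendmail.cf options whose value must be a PEM private key vs. a PEM certificate
KEY_OPTIONS = {"ServerKeyFile", "ClientKeyFile"}
CERT_OPTIONS = {"ServerCertFile", "ClientCertFile", "CACertFile"}
OPTION_RE = re.compile(r"^O\s+(\w+)=(\S+)")     # active (uncommented) "O Name=value" lines
HASHED_CA_RE = re.compile(r"[0-9a-f]{8}\.\d+")  # OpenSSL hash links such as 4042bcee.0

def parse_tls_options(cf_text):
    """Return {option: value} for every uncommented 'O Name=value' line of a sendmail.cf."""
    matches = (OPTION_RE.match(line) for line in cf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def pem_labels(path):
    """Return the PEM block labels in a file, e.g. {'CERTIFICATE'} or {'RSA PRIVATE KEY'}."""
    with open(path) as fh:
        return set(re.findall(r"^-----BEGIN ([A-Z ]+)-----$", fh.read(), re.M))

def lint_tls_config(cf_text):
    """List a *KeyFile pointing at a cert, a *CertFile pointing at a key, or a bad CACertPath."""
    problems, opts = [], parse_tls_options(cf_text)
    for name, path in opts.items():
        if name not in KEY_OPTIONS | CERT_OPTIONS:
            continue
        if not os.path.isfile(path):
            problems.append(f"{name}={path}: file not found")
        elif name in KEY_OPTIONS and not any("PRIVATE KEY" in lab for lab in pem_labels(path)):
            problems.append(f"{name}={path}: not a PEM private key (SSL_CTX_use_PrivateKey_file fails)")
        elif name in CERT_OPTIONS and "CERTIFICATE" not in pem_labels(path):
            problems.append(f"{name}={path}: not a PEM certificate")
    cadir = opts.get("CACertPath")
    if cadir and not (os.path.isdir(cadir) and any(HASHED_CA_RE.fullmatch(n) for n in os.listdir(cadir))):
        problems.append(f"CACertPath={cadir}: no hash-named CA files (use a dir like /etc/ssl/certs)")
    return problems

def demo():
    """Lint the thread's broken config and the corrected one against a constructed /etc/ssl look-alike."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "certs"))
    for rel, label in {"woolspire.crt": "CERTIFICATE", "woolspire.key": "RSA PRIVATE KEY",
                       "intermediate.ca": "CERTIFICATE", "certs/4042bcee.0": "CERTIFICATE"}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")  # dummy body, not a real key/cert
    broken = (f"O CACertPath={root}\nO CACertFile={root}/intermediate.ca\n"
              f"O ServerCertFile={root}/woolspire.crt\nO ServerKeyFile={root}/woolspire.key\n"
              f"#O ClientCertFile={root}/woolspire.crt\nO ClientKeyFile={root}/woolspire.crt\n")
    # the two fixes from the thread: CACertPath -> .../certs, ClientKeyFile commented out
    fixed = broken.replace(f"={root}\n", f"={root}/certs\n").replace("O ClientKeyFile", "#O ClientKeyFile")
    return lint_tls_config(broken), lint_tls_config(fixed)
```

Running `demo()` reports the ClientKeyFile and CACertPath problems for the first config and nothing for the corrected one.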


#8

You were right.

The combination of your two edits did the job! :slight_smile:

Changed to /certs and removed the client private key - got it verified.

There is only one issue - and I don’t know if you know how we can avoid this. But the mails still end up in the spam folder?


#9

Woo hoo :slight_smile: Glad to hear it.

That problem is likely a bit too complicated & out of scope for this forum. I’m afraid I don’t have any answers that will help. Good luck!

